Web API Security
Web API security entails authenticating the programs or users that invoke a web API. Along with the ease of API integrations come the difficulties of ensuring proper authentication (AuthN) and authorization (AuthZ). In a multitenant environment, security controls built on proper AuthN and AuthZ help ensure that API access is limited to those who need it and are entitled to it. Appropriate AuthN schemes enable producers (APIs or services) to identify consumers (clients or calling programs) and to evaluate their access level (AuthZ). In other words: given the credentials presented, may this consumer invoke this particular method (business logic)? "Interface design flaws are widespread, from the world of cryptoprocessors through sundry embedded systems right through to antivirus software and the operating system itself."


Methods of authentication and authorization

The most common methods for authentication and authorization include:

1. Static strings: shared secrets, much like passwords, issued by the API provider to consumers and presented unchanged on every request.
2. Dynamic tokens: time-limited tokens that the caller obtains from an authentication service and must renew once they expire.
3. User-delegated tokens: tokens such as OAuth access tokens, granted on the basis of a user's authentication and consent, which let an application act on that user's behalf.
4. Policy and attribute-based access control: policies use attributes of the user, resource, action and context to define how APIs may be invoked, expressed in standards such as ALFA or XACML.

These methods offer different levels of security and ease of integration. Often the method that is easiest to integrate also offers the weakest security model.


Static strings

In the static strings method, the API caller or client embeds a fixed string as a token in the request, usually in a header. When that string is a user name and password pair carried in the HTTP Authorization header, the scheme is HTTP basic authentication. Because the same secret is reused verbatim on every request, it has no protection beyond what the transport gives it. "From a security point of view, basic authentication is not very satisfactory. It means sending the user's password over the network in clear text for every single page accessed (unless a secure lower-level protocol, like SSL, is used to encrypt all transactions). Thus the user is very vulnerable to any packet sniffers on the net."
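The following is an added example, not code from the original article: both halves of the static-string scheme in Python, the client-side Basic header and a server-side check. It shows that the header is only base64 (decoding it recovers the password, which is the point of the quotation above) and how a provider can at least store a salted hash rather than the secret itself and compare in constant time. The consumer name "svc-billing", its secret and the PBKDF2 parameters are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed credential store for the example: the API provider keeps a
# salted PBKDF2 hash of each consumer's static secret, never the secret itself,
# so a leaked store does not directly yield working credentials.
PBKDF2_ITERATIONS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(secret: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_secret(secret, salt)}


# Hypothetical consumer name and secret, constructed for this example.
STORE = {"svc-billing": make_record("correct horse battery staple")}


def basic_header(user: str, password: str) -> str:
    """What the client sends. The value is only base64, not encryption: anyone
    who can read the request can decode it, which is why TLS is mandatory."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str):
    """Decode an Authorization header into (user, password), or None if malformed."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    user, sep, password = decoded.partition(":")  # RFC 7617: the first colon splits
    if not sep or not user:
        return None
    return user, password


def verify(header: str) -> bool:
    """Server-side check of a static credential against the hashed store."""
    parsed = parse_basic(header)
    if parsed is None:
        return False
    user, password = parsed
    record = STORE.get(user)
    if record is None:
        _hash_secret(password, b"\x00" * 16)  # spend the same time for unknown users
        return False
    candidate = _hash_secret(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```

The dummy hash for unknown users and the constant-time comparison keep response timing from revealing which user names exist or how many leading bytes of a guess matched; neither does anything about the credential being visible on the wire, which only TLS addresses.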


Dynamic tokens

When an API is protected by a dynamic token, the token carries a time-based claim (an expiry timestamp) and so has a time to live (TTL), after which the client must acquire a new token. The API method checks the current time against that claim, and if the token has expired the request is rejected. An example of such a token is the JSON Web Token (JWT): "The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing."
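As an added example (not code from the original article), the following Python issues and verifies an HS256-signed JWT using only the standard library, so the expiry check and the signature check are both visible. It also includes the forgery attempt a practitioner should test for: rewriting the header to "alg": "none" and dropping the signature. The key, subject and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(key: bytes, subject: str, ttl: int, now: Optional[int] = None) -> str:
    """Mint an HS256-signed JWT whose exp claim is now + ttl seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify(key: bytes, token: str, now: Optional[int] = None, leeway: int = 0) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    # The verifier, not the token, decides the algorithm: a header claiming
    # "alg": "none" (or any algorithm other than the one configured) is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # RFC 7519 section 4.1.4: not acceptable on or after exp; leeway absorbs clock skew.
    if not isinstance(exp, int) or now >= exp + leeway:
        return None
    return claims


def forge_alg_none(token: str) -> str:
    """The classic attack attempt: keep the claims, set alg=none, drop the signature."""
    _, p64, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p64 + "."
```

Verification checks the signature before it looks at any claim, so an attacker who edits exp to push the expiry into the future simply produces a token whose signature no longer matches.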


User-delegated token

This type of token is used in three-legged systems where an application needs to access an API on behalf of a user. Instead of revealing the user's ID and password to the application, the user grants a token that encapsulates the user's permission for the application to invoke the API. As RFC 6749 puts it: "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."
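The three legs described above, as an added example in Python that is not part of the original article: an in-memory authorization server issues a single-use code when the user consents, the application exchanges that code plus its own client credentials for an access token, and the API checks the token's scope before answering. The client "photo-app", its secret, the redirect URI and the scope names are constructed for the example; the replay and wrong-secret cases show why the code must be bound to the client and consumed on first use.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Minimal in-memory model of the OAuth 2.0 authorization-code flow."""
    # client_id -> (client_secret, registered redirect URI); all constructed.
    clients: dict
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, user: str, client_id: str, scope: frozenset, redirect_uri: str) -> str:
        """Leg 1: the resource owner, logged in at the authorization server (never at
        the client), consents; the server issues a short-lived, single-use code."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"user": user, "client_id": client_id, "scope": scope,
                            "redirect_uri": redirect_uri, "expires": time.time() + 60}
        return code

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
        """Leg 2: the client presents the code plus its own credentials. The user's
        password never reaches the client; the code is consumed on first use."""
        grant = self.codes.pop(code, None)
        registered = self.clients.get(client_id)
        if grant is None or registered is None:
            raise PermissionError("invalid code or client")
        if not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("client authentication failed")
        if (grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or grant["expires"] < time.time()):
            raise PermissionError("code not issued to this client, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return access_token

    def introspect(self, access_token: str):
        return self.tokens.get(access_token)


def resource_server(auth: AuthorizationServer, access_token: str, required_scope: str):
    """Leg 3: the API validates the token and checks its scope before serving data."""
    info = auth.introspect(access_token)
    if info is None:
        return 401, None
    if required_scope not in info["scope"]:
        return 403, None
    return 200, f"{info['user']}'s data for {required_scope}"
```

The access token here is an opaque random string looked up at the authorization server; a deployment could equally issue a signed token of the kind shown under dynamic tokens, in which case the resource server validates it locally instead of calling introspect.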


Fine-Grained Authorization for APIs


Attribute-Based Access Control

In this approach, a Policy Enforcement Point (PEP) sits either within the API itself, in the API framework (as an interceptor or message handler), or in an API gateway (e.g. WSO2, Kong, or similar), and intercepts the call to the API and/or the response back from it. The PEP converts the call into an authorization request (typically in XACML) which it sends to a Policy Decision Point (PDP), e.g. AuthzForce or Axiomatics. The PDP is configured with policies that implement dynamic access control and can use any number of user, resource, action and context attributes to define which access is allowed or denied. Policies can be about:

1. the resource (e.g. a bank account)
2. the user (e.g. a customer)
3. the context (e.g. time of day)
4. a relationship (e.g. the customer to whom the account belongs)

Policies are expressed in ALFA or XACML. Because the PDP can also answer NotApplicable when no policy matches the request, the PEP should treat anything other than an explicit Permit as a refusal.
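As an added example, not code from the original article or from any of the products named above, the following Python models the PEP/PDP split in miniature: a request carries subject, resource, action and context attributes, each policy has a target and an effect, and the PDP combines applicable policies with deny-overrides. The four constructed policies cover the four kinds of rule listed above (user, resource plus relationship, and context); XACML and ALFA express the same thing in their own syntax, which this simplified evaluator does not parse.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Request:
    """The authorization request a PEP builds from an API call (XACML-style categories)."""
    subject: dict   # who is calling, e.g. {"id": "u1", "role": "customer"}
    resource: dict  # what is touched, e.g. {"type": "account", "owner": "u1"}
    action: str     # what is attempted, e.g. "read" or "transfer"
    context: dict   # environment, e.g. {"hour": 14}


@dataclass
class Policy:
    name: str
    applies: Callable[[Request], bool]  # target: does this policy speak to the request?
    effect: str                         # "Permit" or "Deny"


# Constructed policy set for the example.
POLICIES: List[Policy] = [
    Policy("auditors may read any resource",  # rule about the user
           lambda r: r.subject.get("role") == "auditor" and r.action == "read",
           "Permit"),
    Policy("customers may read or transfer from their own account",  # resource + relationship
           lambda r: r.subject.get("role") == "customer"
           and r.resource.get("type") == "account"
           and r.resource.get("owner") == r.subject.get("id")
           and r.action in {"read", "transfer"},
           "Permit"),
    Policy("no transfers outside 09:00-17:00",  # rule about the context
           lambda r: r.action == "transfer" and not 9 <= r.context.get("hour", -1) < 17,
           "Deny"),
]


def decide(request: Request, policies: List[Policy] = POLICIES) -> str:
    """PDP with deny-overrides combining: any applicable Deny wins; otherwise an
    applicable Permit; otherwise NotApplicable, which the PEP must treat as a refusal."""
    effects = {p.effect for p in policies if p.applies(request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(request: Request, handler: Callable[[Request], object]):
    """PEP: invoke the business logic only on an explicit Permit."""
    if decide(request) != "Permit":
        return 403, None
    return 200, handler(request)
```

The relationship rule is what makes this finer-grained than a role check alone: a customer is permitted on an account because that account's owner attribute equals the caller's id, not because of the role by itself, so the same request against another customer's account falls through to NotApplicable and is refused.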


External links

OWASP API Security Project

See also: Transport Layer Security