Securing ASP.NET Web APIs - SDD Conference


Dominick Baier | leastprivilege.com | @leastprivilege | think mobile!

Dominick Baier: security consultant at thinktecture (…security, mobile app security)

Agenda
- HTTP security & SSL
- ASP.NET Web API v2 architecture
- Application scenarios (token-…)


Developers & SSL

Security model for HTTP-based services
- Simple model: HTTP content + SSL
- Whenever authentication is required:
  - a status code of 401 indicates unauthorized
  - the WWW-Authenticate header names the authentication method
Example:
StatusCode: 401 unauthorized
WWW-Authenticate: Scheme realm="myapp"

Authentication for HTTP-based services
- Authorization header, e.g. Basic authentication, access tokens
- sometimes other means (query string, cookie)

Message handler (global / per-route), cross-…
Reference: …owin-and-katana/an-overview-of-project-katana

Katana middleware configuration (fragment): AuthenticationType = "Bearer" // more options


Authorization filter
- Determines if a resource needs authentication
- [AllowAnonymous] to skip authorization for an action
Example (fragment):
    Data Get() { }

    [Authorize(Roles = "Foo")]
    public HttpResponseMessage Delete(int id) { }
}

Custom authorization filter (…principal)

Resource/Action-based Authorization: Thinktecture.IdentityModel

Application Styles
Same-Domain & Cross-Domain: classic vs modern
Same Domain
- Browser-based applications
- Web APIs and clients live in the same domain
  - AJAX-style callbacks from server-rendered pages
  - SPA applications (like the built-in template in VS 2012)
- Often cookie-based security, with potential CSRF problems

Same-Domain Scenario
- Web APIs inherit the security settings of the web host
(diagram: …ation, Login, Pages, Web APIs, $.ajax)

(diagram: Browser, Tab/Process, request to …com/delete/5)

Web API v1 CSRF Protection
- [ValidateHttpAntiForgeryToken]
- render page & anti-forgery cookie
- post-back: cookie + hidden field
- web api call: cookie + header
Page:
<form>
  <input type="hidden" value="anti-forgery token" />
</form>
<script></script>

Web API v2 CSRF Protection
- No cookies allowed anymore

Application Styles II
Cross-Domain
- Web APIs and clients live in different domains
  - native apps (desktop, mobile)
  - client-side JavaScript code (browser)
- Multitude of scenarios
  - shared secret authentication
  - CORS restrictions for JavaScript-based clients
  - token-based authentication
    - built-in token endpoint
    - OAuth2 authorization server

Shared Secret Authentication
- HTTP Basic Authentication

Anti-pattern!
- (… on every request)
- Server has to validate the secret on every request
  - high computational cost due to brute force protection
- … increased

Token-… (diagram: Bob, Web APIs, use access token)

OAuth2 (RFC 6749)
Framework for requesting and using access tokens for:
- native clients
- web clients
- browser-based clients

Embedded Authorization Server
e.g. swap credential with (long-lived) token
GET /service/token  ->  token
GET /service/resource
Authorization: Bearer token

(diagram: OWIN Host with Bearer middleware, Authorization Server middleware and the Application)

Step 1a: Token Request (Client -> Authorization Server, on behalf of the Resource Owner)
POST /token
Authorization: Basic (client_id:secret)
grant_type=password&scope=resource&username=owner&password=password

Token Response (Authorization Server -> Client)
{"access_token":"abc","expires_in":"3600","token_type":"Bearer","refresh_token":"xyz"}

More advanced scenarios
- client_id = client1, scope = …
- token claims (fragment): "resources", "exp": 192990121, "sub": "Bob", "client_…"
- scopes: read, write, delete, search

Token claims (fragment): "aud": "http://myResource", "sub": "alice", "client_…", …signature

(diagram: Server (1), User Agent (2), OWIN Host, JWT middleware, Application)

Authorization Server & IdentityServer: Thinktecture.IdentityServer.v3

Separating user credentials from the client
- Local / mobile / user-agent based clients: Implicit Flow
- Server-based / confidential clients: Authorization Code Flow


Step 1a: Authorization request (Client -> Authorization Server, via the Resource Owner's user agent)
GET /authorize?client_id=nativeapp&scope=read&redirect_uri=http://localhost/cb&response_type=token&state=123

Step 1b: Authentication

Step 1c: Consent

Twitter Consent (screenshot)

Evernote Consent (screenshot)

Reference: …011/01/oauth will murder your children/

Step 2: Token returned in the URL fragment (Authorization Server -> Client)
GET /cb#access_token=abc&expires_in=3600&state=123

Summary: Implicit Flow
- User enters credentials at the authorization server, not at the client
- … to reduce exposure of the token
- Often combined with OS helper mechanisms
  - cookie container
  - native APIs

(diagram: page …rver1/client.htm calling a Web API on another origin)

CORS Sample
Preflight request (from $.ajax(…) on server1 to the service):
OPTIONS /service
Access-Control-Request-Method: PUT
Origin: http://server1
Response from the service:
Access-Control-Allow-…


Authorization Code Flow (server-based clients; participants: Resource Owner, Client, Authorization Server)

Step 1: Authorization request (Client -> Authorization Server, via the Resource Owner's user agent)
GET /authorize?client_id=webapp&scope=read&redirect_uri=https://webapp/cb&response_type=code&state=123

Step 2: Authorization code returned (Authorization Server -> Client)
GET /cb?code=xyz&state=123

Step 3: Token request (Client -> Authorization Server, authenticated with the client secret)
POST /token
Authorization: Basic (client_id:secret)
grant_type=authorization_code&code=xyz

Step 4: Token response (Authorization Server -> Client)
{"access_token":"abc","expires_in":"3600","token_type":"Bearer","refresh_token":"xyz"}

Step 5: Resource access (Client -> Resource Server)
GET /resource
Authorization: Bearer access_token

Refreshing the access token (Client -> Authorization Server)
POST /token
Authorization: Basic (client_id:secret)
grant_type=refresh_token&refresh_token=xyz

Refresh Token Management (Flickr) (screenshot)

Refresh Token Management (Dropbox) (screenshot)


Summary: Code Flow
- Designed for "confidential" clients
  - client can store a secret securely
  - …ity possible
  - typically server-based applications
- Accountability is provided
- Access token is never leaked to the browser
- Long-lived access can be implemented

Summary
- HTTP has a very simple security model
- Correct handling of SSL is paramount
- Same- vs Cross-Origin applications: think about CSRF, CORS
- Token-based (and thus cookie-less) authentication is the way to go
  - separate client from API
  - embedded authorization server
  - …

