This document discusses API security best practices. It recommends requiring authentication for APIs and responding only with minimal necessary information to prevent unintended disclosure. It also covers common attacks like denial of service, SQL injection, and predictable resource locations. The document advocates having knowledge of threats and using prevention techniques like throttling, input validation, and UUIDs for resources rather than integers.

1. Enlighten your software
¿API primero? Seguridad primero:
lo que necesitas saber para crear APIs seguras
Fernando Perales

2. <me>

3. Fernando Perales
Software Engineer @ Crowd Interactive
FLOSS Advocate
/(.*) metal and 🍺 lover/
Passionate about web development and lean
startup

4. 
FerPeralesM

5. 
FerPerales

6. </me>

7. Why an
API?

8. http://www.apiacademy.co/sites/default/files/Web-APIs-v5_0.png

9. API first

10. When to not
API first

11. Extracted
from
monolithic

12. Going
mobile

13. Public
API

14. Decisions

15. Technology

16. SOAP vs REST

17. XML vs JSON

18. Let's go
for...

19. REST +
JSON

20. REST

21. Roy
Fielding

22. “REST's client–server
separation of concerns
simplifies component
implementation, reduces the
complexity of connector
semantics, improves the
effectiveness of performance
tuning, and increases the
scalability of pure server
components.”

23. Architectural
constraints

24. Client-server

25. https://en.wikipedia.org/wiki/Client%E2%80%93server_model#/media/File:Client-server-model.svg

26. Stateless

27. Cacheable

28. Layered
system

29. Code on
demand
(optional)

30. Uniform
interface

33. REST is an
architectural
style, not an
standard

34. Considerations
for APIs
(and pretty much, every system)

35. Correctness

36. Performance

37. Reliability

38. Robustness

39. Scalability

40. Security

41. Security

42. Security

48. Why should
I care?

49. Common
misperceptions

50. I'm not
a big company

51. Nobody will
care about my
data

52. My API is not
public

53. I didn't
know

54. Ignorantia juris
non excusat

55. owasp.org

56. Let's
start

57. Know what you are
fighting

58. http://fc04.deviantart.net/fs71/i/2013/107/9/5/it_s_dangerous_to_go_alone_by_michaelmayne-d621qgq.png

59. OWASP WASC Web
Hacking Incidents
Database Project

64. Denial of Service

65. An attempt to make a
machine or network resource
unavailable to its intended
users.
https://en.wikipedia.org/wiki/Denial-of-service_attack

67. Can be from
malicious
users

68. Or legit users
trying to take
advantage

70. How to deal
With?

71. Throttle / limit
request

73. Rack::Attack

74. 
kickstarter/rack-attack

77. Return: HTTP
code 429

79. How to test?

80. Apache
Benchmark

81. httpd.apache.org/docs/
2.2/programs/ab.html

82. ab -c 5 -n 100 http://127.0.0.1:3000/login

83. SQL
injections

84. SQL injection is a code injection
technique, used to attack data-
driven applications, in which
malicious SQL statements are
inserted into an entry field for
execution
https://en.wikipedia.org/wiki/SQL_injection

85. http://example.com/
api/v1/user/123

86. “SELECT * FROM
users WHERE userID='”
+ user_id +”‘”;

87. “SELECT * FROM
users WHERE usetID =
‘123’”

88. Consider this:

89. http://example.com/
api/v1/user/’%20or
%20’1’=’1

90. SELECT * FROM
users WHERE
userID = ‘’ or ‘1’ = ‘1’

91. Predictable
Resource
location

92. An attack technique used to uncover
hidden web site content and
functionality. By making educated
guesses, the attack is a brute force
search looking for content that is not
intended for public viewing.
http://www.infosecpro.com/applicationsecurity/a54.htm

93. example.com/v1/users/1

94. example.com/v1/users/1

95. UUID

96. example.com/v1/users/1

97. example.com/v1/users/
de305d54-75b4-431b-
adb2-eb6b9e546014

98. Who does
this?

100. Charges:
ch_16KD5K2eZvKYlo2
Cm5vtG9HJ

101. Cards:
card_16KD5F2eZvKYlo
2CzRqSKsIR

102. Transactions:
txn_16Hn2s2eZvKYlo2
CSKkdbSPq

103. Unintended
disclosure of
information

104. Letting unauthorized users to
access information they shouldn't

105. It has happened to

106. me �

107. and many
others

108. How to deal
with this?

109. Apply
authentication
to your API as
well

110. And respond
with the
minimal
information
needed

111. Protip:

112. API interactions
from client to
server are still user
input

113. This
happened
to

115. Several
times...

117. NOTE: Does not work anymore

119. Meet Charles

122. Charles can be used as a man-in-
the-middle HTTPS proxy, enabling
you to view in plain text the
communication between web
browser and SSL web server.

123. �

125. (._. U)

126. Wrapping up

127. Requirements

128. Knowledge

129. Prevention

130. Monitoring

131. Awareness

132. Questions?

133. Thanks!
 me@ferperales.net
 FerPeralesM