SlideShare a Scribd company logo

Attack Surface Reduction for Web Services based on Authorization Patterns

Max Vogler
Max Vogler

During the design of a security architecture for a web application, the usage of security patterns can assist with fulfilling quality attributes, such as increasing reusability or safety. The attack surface is a common indicator for the safety of a web application, thus, reducing it is a problem during design. Today’s methods for attack surface reduction are not connected to security patterns and have an unknown impact on quality attributes, e.g., come with an undesirable trade-off in functionality. This talk introduces a systematic and deterministic method to reduce the attack surface of web services by deriving service interface methods from authorization patterns. Publication: http://www.thinkmind.org/index.php?view=article&articleid=securware_2014_9_10_30080 Authors: Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck

Internet
1 of 20
Download to read offline
Research Group Cooperation & Management, Institute of Telematics, Department of Informatics KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association www.kit.edu Attack Surface Reduction for Web Services based on Authorization Patterns Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck 20.11.2014 – SECURWARE 2014, Lisbon, Portugal
About the authors Roland Steinegger Johannes Schäfer Max Vogler Sebastian Abeck 2 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
Outline Background Motivation Attack surface reduction 1. Set up Access Control Matrix 2. Derive Service Description 3. Create Web Service Comparison 3 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Background Attack Surface Reduction for Web Services based on Authorization Patterns Attack Surface: Indicator for vulnerability towards external attacks [1] [2] Authorization Patterns Attribute-Based Access Control [3] Role-Based Access Control [4] 4 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Background 5 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Background User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile 6 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
Motivation HTTP-PUT-Request to www.example.com/users/42 @RequestMapping(method = PUT, value = "users/{id}") @PreAuthorize("isOwnerOf(#id) || isAdmin()") public JSONObject update() { if(getCurrentUser().isAdmin()) { // Administrator is updating a user account } else { // Update the user's own profile, limited to allowed fields } 7 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns } 20.11.14
Motivation Problems with authorization logic Duplicated Hard to test Opaque for clients è Attack surface is increased Idea: Split up authorization logic Goals Reduce attack surface Use authorization patterns Keep functionality 8 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Methodology Set up Access Control Matrix Derive Service Description Create Web Service 9 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Set up Access Control Matrix List resources and operations Resource r User profile C R U D 10 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14 User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile
Set up Access Control Matrix 11 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns List attributes Resource r Subject s User profile C R U D Guest(s) Authenticated(s) Owner(s, r) Admin(s) 20.11.14 User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile
Set up Access Control Matrix Fill out access control matrix Resource r 12 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns Subject s User profile C R U D Guest(s) ● Authenticated(s) ● Owner(s, r) ● ● Admin(s) ● ● 20.11.14 User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile
Derive Service Description User service CreateIfGuest ReadIfAuthenticated ReadIfOwner ReadIfAdmin UpdateIfOwner UpdateIfAdmin Resource r Split up operations è Improved testability, reduced attack surface 13 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns Subject s User profile C R U D Guest(s) ● Authenticated(s) ● Owner(s, r) ● ● Admin(s) ● ● 20.11.14
Create Web Service User service Method URL Query parameters CreateIfGuest ReadIfAuthenticated ReadIfOwner ReadIfAdmin UpdateIfOwner UpdateIfAdmin 14 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
Create Web Service User service Method URL Query parameters CreateIfGuest POST /users ?auth=Guest ReadIfAuthenticated GET /users ?auth=Authenticated ReadIfOwner GET /users ?auth=Owner ReadIfAdmin GET /users ?auth=Admin UpdateIfOwner PUT /users/{id} ?auth=Owner UpdateIfAdmin PUT /users/{id} ?auth=Admin 15 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14 Client chooses authorization level actively è Improved transparency, reduced attack surface
Create Web Service @Controller public class UserController { HTTP-PUT-Request to www.example.com/users/42?auth=Owner @RequestMapping(method = PUT, value = "users/{id}", params="auth=Owner") @PreAuthorize("isOwnerOf(#id)") public JSONObject updateIfOwner() { /* ... */ } HTTP-PUT-Request to www.example.com/users/42?auth=Admin @RequestMapping(method = PUT, value = "users/{id}", params="auth=Admin") @PreAuthorize("isAdmin()") public JSONObject updateIfAdmin() { /* ... */ } 16 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
Comparison // Don't do it like this! @RequestMapping(method = PUT, value = "users/{id}") @PreAuthorize("isOwnerOf(#id) || isAdmin()") public JSONObject update() { // If is admin, allow editing all fields, if is owner, allow editing in a limited way } // Split up authorization like this: @RequestMapping(method = PUT, value = "users/{id}", params="auth=Owner") @PreAuthorize("isOwnerOf(#id)") public JSONObject updateIfOwner() { /* ... */ } @RequestMapping(method = PUT, value = "users/{id}", params="auth=Admin") @PreAuthorize("isAdmin()") public JSONObject updateIfAdmin() { /* ... */ } 17 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
Set up Access Control Matrix Derive Service Description Create Web Service Comparison Traditional New public JSONObject update() public JSONObject updateIfOwner() public JSONObject updateIfAdmin() Opaque authorization logic Transparent authorization logic Duplicate authorization logic Partitioned authorization logic + Improved testability + Reduced attack surface – Difficulties with large number of similar roles 18 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Thank you Max Vogler max.vogler@student.kit.edu 19 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
Sources R. Steinegger, J. Schäfer, M. Vogler, and S. Abeck, "Attack Surface Reduction for Web Services based on Authorization Patterns," In Proceedings of SECURWARE 2014 The Eighth International Conference on Emerging Security Information, Systems and Technologies, November 2014, pp. 194-201, ISBN 978-1-61208-376-6 [1] T. Heumann, J. Keller, and S. Türpe, “Quantifying the Attack Surface of a Web Application,” In Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN: 978-3-88579-264-2 [2] M. Howard, “Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users,” MSDN Magazine, November 2004. [Online]. Available from: http:// msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014] [3] E. Yuan and J. Tong, “Attribute Based Access Control (ABAC) for Web Services,” in Proceedings of the International Conference on Web Services (ICWS), Jul. 2005, pp. 561–569, doi:10.1109/ICWS. 2005.25. [4] R. Steinegger, “Authentication and authorization patterns in existing security frameworks [Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks],” diploma thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. German. 20 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns

Recommended

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
Frank Kim
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
 

Recommended

Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
OAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring SecurityOAuth2 Protocol with Grails Spring Security
OAuth2 Protocol with Grails Spring Security
NexThoughts Technologies
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
Frank Kim
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
Prabath Siriwardena
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Shreeraj Shah
 
User Authentication and Cloud Authorization in the Galaxy project: https://do...
User Authentication and Cloud Authorization in the Galaxy project: https://do...User Authentication and Cloud Authorization in the Galaxy project: https://do...
User Authentication and Cloud Authorization in the Galaxy project: https://do...
Vahid Jalili
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Web
andres1422
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
Marakana Inc.
 
Authorization iii
Authorization iiiAuthorization iii
Authorization iii
sonia merchant
 
RIA services exposing & consuming queries
RIA services exposing & consuming queriesRIA services exposing & consuming queries
RIA services exposing & consuming queries
iedotnetug
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud Computing
Rahul Roshan
 

More Related Content

What's hot

Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Shreeraj Shah
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 

What's hot (20)

Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
User Authentication and Cloud Authorization in the Galaxy project: https://do...
User Authentication and Cloud Authorization in the Galaxy project: https://do...User Authentication and Cloud Authorization in the Galaxy project: https://do...
User Authentication and Cloud Authorization in the Galaxy project: https://do...
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Web
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Authorization iii
Authorization iiiAuthorization iii
Authorization iii
 

Similar to Attack Surface Reduction for Web Services based on Authorization Patterns

Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
Denied! Securing your Application with Better User Authorization
Denied! Securing your Application with Better User AuthorizationDenied! Securing your Application with Better User Authorization
Denied! Securing your Application with Better User Authorization
Brian Childress
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
ilhamilyas5
 
Jasigsakai12 columbia-customizes-cas
Jasigsakai12 columbia-customizes-casJasigsakai12 columbia-customizes-cas
Jasigsakai12 columbia-customizes-cas
ellentuck
 
A Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesA Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web Services
Rafael Brinhosa
 
Web 2.0 Tech Talk
Web 2.0 Tech TalkWeb 2.0 Tech Talk
Web 2.0 Tech Talk
pooyad
 

Similar to Attack Surface Reduction for Web Services based on Authorization Patterns (20)

RIA services exposing & consuming queries
RIA services exposing & consuming queriesRIA services exposing & consuming queries
RIA services exposing & consuming queries
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud Computing
 
State management
State managementState management
State management
 
Introduction to CloudStack API
Introduction to CloudStack APIIntroduction to CloudStack API
Introduction to CloudStack API
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Denied! Securing your Application with Better User Authorization
Denied! Securing your Application with Better User AuthorizationDenied! Securing your Application with Better User Authorization
Denied! Securing your Application with Better User Authorization
 
MongoDB.local Berlin: App development in a Serverless World
MongoDB.local Berlin: App development in a Serverless WorldMongoDB.local Berlin: App development in a Serverless World
MongoDB.local Berlin: App development in a Serverless World
 
Understanding the Sitecore Architecture
Understanding the Sitecore ArchitectureUnderstanding the Sitecore Architecture
Understanding the Sitecore Architecture
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
 
Dot net training bangalore
Dot net training bangaloreDot net training bangalore
Dot net training bangalore
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
Jasigsakai12 columbia-customizes-cas
Jasigsakai12 columbia-customizes-casJasigsakai12 columbia-customizes-cas
Jasigsakai12 columbia-customizes-cas
 
A Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web ServicesA Validation Model of Data Input for Web Services
A Validation Model of Data Input for Web Services
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDB
 
Web Mining
Web Mining Web Mining
Web Mining
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshop
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
Security in NodeJS applications
Security in NodeJS applicationsSecurity in NodeJS applications
Security in NodeJS applications
 
Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101
 
Web 2.0 Tech Talk
Web 2.0 Tech TalkWeb 2.0 Tech Talk
Web 2.0 Tech Talk
 

Recently uploaded

一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
Fi
 
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
AS
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
SS
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
AS
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
Fir
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
musaddumba454
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
A
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
AS
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
AS
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
AS
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
A
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
Fi
 

Recently uploaded (20)

Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303Lowongan Kerja LC Yogyakarta Terbaru 085746015303
Lowongan Kerja LC Yogyakarta Terbaru 085746015303
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
原版定制(Glasgow毕业证书)英国格拉斯哥大学毕业证原件一模一样
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
The Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdfThe Rise of Subscription-Based Digital Services.pdf
The Rise of Subscription-Based Digital Services.pdf
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic ManagementBeyond Inbound: Unlocking the Secrets of API Egress Traffic Management
Beyond Inbound: Unlocking the Secrets of API Egress Traffic Management
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
 
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
100^%)( POLOKWANE))(*((+27838792658))*))௹ )Abortion Pills for Sale in Sibasa,...
 
一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书一比一定制美国罗格斯大学毕业证学位证书
一比一定制美国罗格斯大学毕业证学位证书
 
Free scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirtsFree scottie t shirts Free scottie t shirts
Free scottie t shirts Free scottie t shirts
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
一比一原版(毕业证书)新加坡南洋理工学院毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays SweatshirtsFree on Wednesdays T Shirts Free on Wednesdays Sweatshirts
Free on Wednesdays T Shirts Free on Wednesdays Sweatshirts
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
一比一原版(Soton毕业证书)南安普顿大学毕业证原件一模一样
 

Attack Surface Reduction for Web Services based on Authorization Patterns

  • 1. Research Group Cooperation & Management, Institute of Telematics, Department of Informatics KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association www.kit.edu Attack Surface Reduction for Web Services based on Authorization Patterns Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck 20.11.2014 – SECURWARE 2014, Lisbon, Portugal
  • 2. About the authors Roland Steinegger Johannes Schäfer Max Vogler Sebastian Abeck 2 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
  • 3. Outline Background Motivation Attack surface reduction 1. Set up Access Control Matrix 2. Derive Service Description 3. Create Web Service Comparison 3 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 4. Background Attack Surface Reduction for Web Services based on Authorization Patterns Attack Surface: Indicator for vulnerability towards external attacks [1] [2] Authorization Patterns Attribute-Based Access Control [3] Role-Based Access Control [4] 4 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 5. Background 5 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 6. Background User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile 6 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
  • 7. Motivation HTTP-PUT-Request to www.example.com/users/42 @RequestMapping(method = PUT, value = "users/{id}") @PreAuthorize("isOwnerOf(#id) || isAdmin()") public JSONObject update() { if(getCurrentUser().isAdmin()) { // Administrator is updating a user account } else { // Update the user's own profile, limited to allowed fields } 7 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns } 20.11.14
  • 8. Motivation Problems with authorization logic Duplicated Hard to test Opaque for clients è Attack surface is increased Idea: Split up authorization logic Goals Reduce attack surface Use authorization patterns Keep functionality 8 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 9. Methodology Set up Access Control Matrix Derive Service Description Create Web Service 9 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 10. Set up Access Control Matrix List resources and operations Resource r User profile C R U D 10 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14 User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile
  • 11. Set up Access Control Matrix 11 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns List attributes Resource r Subject s User profile C R U D Guest(s) Authenticated(s) Owner(s, r) Admin(s) 20.11.14 User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile
  • 12. Set up Access Control Matrix Fill out access control matrix Resource r 12 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns Subject s User profile C R U D Guest(s) ● Authenticated(s) ● Owner(s, r) ● ● Admin(s) ● ● 20.11.14 User profile operations Guest Authenticated User Profile Owner Admin Register View profile Edit profile
  • 13. Derive Service Description User service CreateIfGuest ReadIfAuthenticated ReadIfOwner ReadIfAdmin UpdateIfOwner UpdateIfAdmin Resource r Split up operations è Improved testability, reduced attack surface 13 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns Subject s User profile C R U D Guest(s) ● Authenticated(s) ● Owner(s, r) ● ● Admin(s) ● ● 20.11.14
  • 14. Create Web Service User service Method URL Query parameters CreateIfGuest ReadIfAuthenticated ReadIfOwner ReadIfAdmin UpdateIfOwner UpdateIfAdmin 14 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
  • 15. Create Web Service User service Method URL Query parameters CreateIfGuest POST /users ?auth=Guest ReadIfAuthenticated GET /users ?auth=Authenticated ReadIfOwner GET /users ?auth=Owner ReadIfAdmin GET /users ?auth=Admin UpdateIfOwner PUT /users/{id} ?auth=Owner UpdateIfAdmin PUT /users/{id} ?auth=Admin 15 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14 Client chooses authorization level actively è Improved transparency, reduced attack surface
  • 16. Create Web Service @Controller public class UserController { HTTP-PUT-Request to www.example.com/users/42?auth=Owner @RequestMapping(method = PUT, value = "users/{id}", params="auth=Owner") @PreAuthorize("isOwnerOf(#id)") public JSONObject updateIfOwner() { /* ... */ } HTTP-PUT-Request to www.example.com/users/42?auth=Admin @RequestMapping(method = PUT, value = "users/{id}", params="auth=Admin") @PreAuthorize("isAdmin()") public JSONObject updateIfAdmin() { /* ... */ } 16 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
  • 17. Comparison // Don't do it like this! @RequestMapping(method = PUT, value = "users/{id}") @PreAuthorize("isOwnerOf(#id) || isAdmin()") public JSONObject update() { // If is admin, allow editing all fields, if is owner, allow editing in a limited way } // Split up authorization like this: @RequestMapping(method = PUT, value = "users/{id}", params="auth=Owner") @PreAuthorize("isOwnerOf(#id)") public JSONObject updateIfOwner() { /* ... */ } @RequestMapping(method = PUT, value = "users/{id}", params="auth=Admin") @PreAuthorize("isAdmin()") public JSONObject updateIfAdmin() { /* ... */ } 17 Max Vogler Attack Surface Reduction for Web Services based on Authorization Patterns 20.11.14
  • 18. Set up Access Control Matrix Derive Service Description Create Web Service Comparison Traditional New public JSONObject update() public JSONObject updateIfOwner() public JSONObject updateIfAdmin() Opaque authorization logic Transparent authorization logic Duplicate authorization logic Partitioned authorization logic + Improved testability + Reduced attack surface – Difficulties with large number of similar roles 18 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 19. Thank you Max Vogler max.vogler@student.kit.edu 19 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
  • 20. Sources R. Steinegger, J. Schäfer, M. Vogler, and S. Abeck, "Attack Surface Reduction for Web Services based on Authorization Patterns," In Proceedings of SECURWARE 2014 The Eighth International Conference on Emerging Security Information, Systems and Technologies, November 2014, pp. 194-201, ISBN 978-1-61208-376-6 [1] T. Heumann, J. Keller, and S. Türpe, “Quantifying the Attack Surface of a Web Application,” In Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN: 978-3-88579-264-2 [2] M. Howard, “Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users,” MSDN Magazine, November 2004. [Online]. Available from: http:// msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014] [3] E. Yuan and J. Tong, “Attribute Based Access Control (ABAC) for Web Services,” in Proceedings of the International Conference on Web Services (ICWS), Jul. 2005, pp. 561–569, doi:10.1109/ICWS. 2005.25. [4] R. Steinegger, “Authentication and authorization patterns in existing security frameworks [Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks],” diploma thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. German. 20 Max Vogler 20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns