D@W REST security

Date post: 17-Jan-2017
Upload: gaurav-sharma
Page 1: D@W REST security

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

REST web services Security

[email protected]

Gaurav Sharma, Principal Member Technical Staff
OWSM – Oracle Web Services Manager
October 5th, 2015

Page 2: D@W REST security

Agenda
• REST web services security
• Need of Web Security
• TLS/SSL - https
• Basic Authentication
• Token based authentication
• Authorization
• OWSM security policies for REST security
• Security Vulnerabilities

Page 3: D@W REST security

REST / RESTful web services
• Based on the Representational State Transfer (REST) architectural style
• Lightweight alternative to mechanisms like RPC (Remote Procedure Calls) and SOAP; very commonly used to create APIs for applications accessible over web/mobile.
• Uses HTTP as the underlying protocol
• REST revolves around resources that are accessed through a common interface using the standard HTTP methods – GET/PUT/POST/DELETE
• REST offers no built-in security features: no encryption, no session management, no QoS guarantees, etc. Whatever protection a REST service has comes from the transport (TLS) and from what is carried in HTTP headers (credentials, tokens).

Page 4: D@W REST security

Why we need Web Security ?
• Online transactions – banking, credit card (travel, shopping etc).
• Social identity – posting messages, friend requests, sharing pictures with a selected friend circle.
• Avoiding spam (unwanted email, viruses, adware)

The Internet is so easily accessible to anyone that it can be a dangerous place.

Page 5: D@W REST security

Some high profile attacks
• eBay attack (2014) – personal records of 233 million users, including usernames, passwords, phone numbers and physical addresses, compromised.
• iCloud attack (2014) – private pictures of US celebrities were compromised.
• Gmail attack (2007) – a cross-site request forgery installed a mail filter that redirected incoming emails to a different address.
• Twitter (2009) – allowed changing one's status
• ING (2008) – a cross-site request forgery vulnerability allowed transfer of funds by creating fake accounts.

Page 6: D@W REST security

Web Security ??

[Diagram: network zones – Internet, DMZ, Intranet]

Page 7: D@W REST security

Security – at all layers

We will focus on REST services security

Page 8: D@W REST security

REST Services – Application perspective

[Diagram: zones Internet, DMZ, Intranet; components Front end/View, Middleware (SOA/OSB), Service 1 (REST), Service 2 (REST) … Service n (REST), Database]

Page 9: D@W REST security

REST security – aspects
• Transport Layer Security – securing the communication channel, ensuring confidentiality and integrity, and ensuring service identification
• Authentication and Authorization – exposing REST services only to authenticated and authorized users/applications

Let's deal with these

Page 10: D@W REST security

[Diagram: Client → Internet → REST service, over plain http]

Confidentiality and Integrity – anyone on the path can see the data, modify it and send it on to the service.

Page 11: D@W REST security

[Diagram: Client → Internet → REST service, over plain http]

Identification – no way to know if you are talking to the authentic website.

Page 12: D@W REST security

[Diagram: Client → Internet → Fraud service, over plain http]

Identification – no way to know if you are talking to the authentic website. The web site itself might be a fraud.

Page 13: D@W REST security

Solution -> https - http over TLS (the successor of SSL, still commonly called SSL)

• URLs beginning with https indicate that the connection is protected by TLS.
• TLS uses certificates that are issued by a Certificate Authority (CA) such as Verisign or DigiCert.
• The certificate asserts the identity of the web site provider, e.g. Facebook =
• The certificate itself does not encrypt anything: it lets the client authenticate the server, and the TLS handshake then establishes session keys that encrypt and integrity-protect the data flowing to and from the web site, keeping it secure from outsiders.
• The identification property only holds if the client actually validates the certificate chain and the host name. A REST client that switches certificate verification off (a common shortcut in development) still gets encryption but has no idea who it is talking to.

Page 14: D@W REST security

[Diagram: Client → Internet → REST service, over https]

https – ensures confidentiality, integrity and service identification

Page 15: D@W REST security

Authentication and Authorization

Page 16: D@W REST security

[Diagram: Client → Internet → REST service, over https]

Security concern – even over https there is no way to know whether the user dealing with the service is authentic and authorized.

Add security to your service

Page 17: D@W REST security

Basic Authentication

• When you enable basic authentication the user is forced to prove his or her identity by entering a username and password.
• Client credentials are sent base64-encoded (not encrypted) in the HTTP Authorization header on every request. Base64 is trivially reversible, so Basic authentication is only acceptable over https; over plain http, as in the request below, anyone on the path can decode the password.

GET http://localhost/html5/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
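The header above decoded, and the server-side check that should sit behind it, as an added example (this is not code from the slides or from OWSM). The credential store, the salt and the iteration count are made up for the example; the `_DUMMY` hash exists only so that an unknown user costs the same time as a wrong password.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed for this example: the request header shown on the slide.
SLIDE_HEADER = "Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh"

# Constructed credential store: one user, password kept as a salted PBKDF2
# hash rather than in clear. Salt and iteration count are example values.
_SALT = b"example-salt"
_ITER = 50_000
USERS = {
    "no": hashlib.pbkdf2_hmac("sha256", b"iwouldntdothat!", _SALT, _ITER),
}
# Hash compared against when the user does not exist, so timing does not
# reveal which usernames are valid.
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"", _SALT, _ITER)


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value.

    Basic auth is base64 of 'user:password'. Base64 is an encoding, not
    encryption: anyone who sees the header recovers the clear-text password,
    which is why Basic must only ever travel over https.
    Returns None for anything that is not well-formed Basic auth.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: usernames cannot contain ':' (RFC 7617),
    # but passwords can.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def build_basic_auth(user, password):
    """Client side: produce the header value for the given credentials."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_credentials(user, password):
    """Server side: verify against the hashed store in constant time."""
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITER)
    # Always run the comparison, even for unknown users.
    ok = hmac.compare_digest(stored if stored is not None else _DUMMY, candidate)
    return ok and stored is not None


def authenticate_request(header_value):
    """Return the authenticated username, or None (the caller answers 401)."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return None
    user, password = creds
    return user if check_credentials(user, password) else None


if __name__ == "__main__":
    _, _, value = SLIDE_HEADER.partition(": ")
    print("decoded:", parse_basic_auth(value))        # ('no', 'iwouldntdothat!')
    print("authenticated as:", authenticate_request(value))
```

Decoding the slide's header gives `no:iwouldntdothat!`, which is the whole point: anything that can read the header on an http connection has the password. Splitting on the first colon matters because passwords may legitimately contain colons.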

Page 18: D@W REST security

Issues with Passwords/basic auth

[Diagram: Service 1, Service 2 … Service n, each one receiving the user's password separately]

Page 19: D@W REST security

Token based authentication – login once

[Diagram: the user logs in once with User/Password at Access Management (backed by Identity Management and a Directory); the Services trust Access Management and accept the Token it issued, so the same token is presented to Service 1, Service 2 … Service n]

• Several implementations exist – SAML, OAM token, OAuth2

Page 20: D@W REST security

Advantages of tokens
• Stateless, easier to scale – a self-contained token (e.g. a signed SAML assertion) carries all the information needed to identify the user, eliminating the need for server-side session state. The trade-off: such a token stays valid until it expires, so revocation needs short lifetimes or a revocation list.
• Reusability – many separate servers, running on multiple platforms and domains, can accept the same token for authenticating the user.
• Mobile ready – integrate with mobile clients
• Security – a token sent in the Authorization header (rather than a cookie) is not attached automatically by the browser, so the request is not subject to CSRF, and it works for cross-origin (CORS) calls to APIs on other domains. (CORS is a browser access-control mechanism, not an attack to protect against.)
• Tokens work across different programming languages.

Page 21: D@W REST security

Token Based authorization - OAuth2
• Useful in scenarios where another application accesses REST APIs instead of (or on behalf of) the actual user, e.g. a travel app accessing REST APIs exposed by an airline service, or YouTube accessing Facebook APIs.
• The end user may or may not exist: with the authorization code flow the user consents and the app receives a token limited to what the user allowed; with the client credentials flow the app acts on its own behalf and there is no user at all.
• The access token tells the service which client it is dealing with and which scopes were granted; the service still has to enforce those scopes on every call.
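A minimal issuer and resource-server pair for the "login once" token model on pages 19 and 20 and the scoped OAuth2-style access token on page 21, as an added example; it is not code from the slides, OWSM or any OAuth2 library. The token format (base64url JSON claims plus an HMAC-SHA256 signature), the shared key and the scope names are assumptions made for the example; a real deployment would use a standard token format and keys from a key store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the key shared by the token issuer (the
# "Access Management" box on the slide) and the services that trust it.
ISSUER_KEY = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, client_id, scopes, ttl_seconds, now=None):
    """Issuer side: mint a self-contained token signed with HMAC-SHA256.

    The claims carry everything a service needs (who, which app, what it may
    do, until when), so the service keeps no session state. `subject` is None
    for an app acting on its own behalf (OAuth2 client credentials), the
    "end user may not exist" case on the slide.
    """
    now = time.time() if now is None else now
    claims = {"sub": subject, "client_id": client_id, "scope": sorted(scopes),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Service side: return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = _b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    # Check the signature BEFORE parsing the body, and in constant time.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    try:
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize(authorization_header, required_scope, now=None):
    """Decide a request: (200, claims) if the bearer token is valid and carries
    the scope, (401, None) if there is no usable token, (403, claims) if the
    token is fine but was not granted the scope."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, None
    claims = verify_token(token, now)
    if claims is None:
        return 401, None
    if required_scope not in claims.get("scope", []):
        return 403, claims
    return 200, claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", "travel-app", ["flights:read"], 300, now=t0)
    print(authorize("Bearer " + tok, "flights:read", now=t0 + 10)[0])   # 200
    print(authorize("Bearer " + tok, "flights:book", now=t0 + 10)[0])   # 403
    print(authorize("Bearer " + tok, "flights:read", now=t0 + 400)[0])  # 401, expired
```

Every service that holds the key can validate the token on its own, which is the "login once, trust the issuer" picture on page 19. The signature is checked before the body is parsed, so a client cannot grant itself an extra scope by editing the claims, and expiry is the only thing that ends the token's life, which is why lifetimes should be short.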

Page 22: D@W REST security

Is there any product for securing my REST services?

Page 23: D@W REST security

OWSM Agent to secure REST client/services

[Diagram: zones Internet, DMZ, Intranet; the OWSM agent sits with the Application (Front end/View, Middleware (SOA/OSB)) and with the Services (Service 1, Service 2 … Service n), in front of the Database]

Page 24: D@W REST security

REST security using OWSM

• OWSM – de-facto standard for securing Web services within Oracle Fusion Middleware and Oracle Public Cloud.
• Provides out-of-the-box security policies for REST services and clients.
• Provides security policies for various use cases, e.g. basic authentication, OAuth2, SAML etc.
• Avoids the need for developers to understand security specifications and security implementation details
• Monitors run-time security events such as failed authentication or authorization.
• Global and direct policy attachment.

Page 25: D@W REST security

OWSM – REST security policies

Page 26: D@W REST security

Example - Securing SOA REST service using OWSM security policies

Page 27: D@W REST security

You can choose the required security policies from the available pre-defined policies

Page 28: D@W REST security

Security Vulnerabilities ?
• XSS – cross-site scripting: attacker-controlled data is rendered as script in another user's browser
• Denial of Service attack – attacker floods the host server with requests (thousands of messages) until it can no longer serve legitimate clients
• CSRF – cross-site request forgery
• Phishing
• Man in the middle
• SQL Injection – attacker-controlled input is concatenated into a database query and changes its meaning
• and many more
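SQL injection from the list above, shown as the vulnerable query beside its parameterised replacement; this is an added example and not code from the slides. The in-memory SQLite table, the user row and the payload are constructed for the example, and the password is stored in clear only to keep the demo short (a real service stores a salted hash).

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a single user, so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, name, password):
    """The classic mistake: user input pasted straight into the query text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    name = '...' AND password = '' OR '1'='1', which is true for every row.
    """
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, name, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so a quote inside the input stays data and never becomes syntax."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(db, "alice", "s3cret"))   # True  (real credentials)
    print(login_vulnerable(db, "anyone", payload))   # True  (bypass)
    print(login_safe(db, "anyone", payload))         # False (payload is just a string)
```

The same rule applies to a REST service whatever the database: never build query text from request parameters, path segments or JSON fields; bind them.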

Page 29: D@W REST security

How to deal with it ?
• Stay informed about existing vulnerabilities, stay updated about new ones
• Build secure applications – use tools and standards to enforce and check for security holes
• OWASP – online community dedicated to web application security; its Top 10 list covers the vulnerability classes listed above.

Page 30: D@W REST security

Questions ??

Email : [email protected]
Blog: http://technotesgaurav.blogspot.in