When "information security" comes up, whether among industry experts or the general public, the familiar terms "network security", "web security", "software security" and "data security" are what spring to mind. The vast majority of security books on the market focus on these areas; very few explain information security from the perspective of the API, and few people analyze and hunt for security vulnerabilities at the "interface" between software systems.
Early APIs were mostly confined to the local system. Today, APIs have become a key means of integrating software systems, especially large web systems. As web APIs have grown in popularity, protocols (such as SOAP) and architectural styles (such as REST) have emerged for them. These protocols and styles are built around APIs that receive and send messages, so that information and data can be shared between different systems and between programs written in different languages. With the endless stream of new client devices (mobile phones, tablets, desktop computers and so on), a unified mechanism is needed for communication between the various front ends and the back end. This has made API-based architectures ubiquitous, and the security problems that come with them increasingly prominent.
When we actually got hold of the English edition of this book, we were very curious about the perspective from which the author would explain API security, because in our view API security covers a wide range of topics, including encryption, authentication, authorization, injection attacks, cross-site request forgery, and so on. Most of the books and materials on the market that cover these topics only touch on them briefly and rarely explain them in depth in accessible terms.
Drawing on his rich practical experience, the author lets us see for ourselves the weaknesses facing API technology in today's web systems and every aspect that needs defending. Moreover, as the reading progresses, more and more fascinating content is presented: the detailed explanation of each problem, the introduction of the various security threats and their countermeasures, and especially the in-depth analysis of the latest defensive systems have all benefited us greatly.
Table of contents
Translator's Preface
Preface
Acknowledgments
About this book
About the author
Part 1 Basics
Chapter 1 What is API Security 2
1.1 An analogy: taking a driving license test 3
1.2 What is an API 4
1.3 API security in context 6
1.4 Elements of API security 10
1.4.1 Assets 11
1.4.2 Security goals 11
1.4.3 Environments and threat models 13
1.5 Security mechanisms 15
1.5.1 Encryption 16
1.5.2 Identification and authentication 17
1.5.3 Access control and authorization 18
1.5.4 Audit logging 19
1.5.5 Rate limiting 20
Quiz Answers 21
Summary 21
Chapter 2 Secure API Development 22
2.1 Natter API 22
2.1.1 Natter API Overview 23
2.1.2 Function implementation overview 24
2.1.3 Setting items 25
2.1.4 Initializing the database 26
2.2 Developing the REST API 28
2.3 Wiring up the REST endpoints 31
2.4 Injection attack 33
2.4.1 Preventing injection attacks 37
2.4.2 Mitigating SQL injection with permissions 39
2.5 Input validation 40
2.6 Producing safe output 45
2.6.1 Exploiting XSS attacks 47
2.6.2 Preventing XSS attacks 49
2.6.3 Implementing the protections 50
Quiz Answers 52
Summary 53
Chapter 3 Securing the Natter API 54
3.1 Addressing threats with security controls 54
3.2 Rate limiting for availability 55
3.3 Authentication to prevent spoofing 61
3.3.1 HTTP Basic Authentication 62
3.3.2 Secure password storage with Scrypt 62
3.3.3 Creating a password database 63
3.3.4 Registering users in Natter API 64
3.3.5 Authenticating users 66
3.4 Use encryption to keep data private 68
3.4.1 Enabling HTTPS 70
3.4.2 Strict transport security 71
3.5 Audit logging for accountability 72
3.6 Access control 77
3.6.1 Enforcing authentication 78
3.6.2 Access control lists 79
3.6.3 Enforcing access control in Natter 81
3.6.4 Adding new members to Natter space 83
3.6.5 Avoiding privilege escalation attacks 84
Quiz Answers 85
Summary 85
Part 2 Token-Based Authentication
Chapter 4 Session cookie authentication 88
4.1 Authentication in web browsers 88
4.1.1 Calling the Natter API from JavaScript 89
4.1.2 Intercepting form submission 91
4.1.3 Serving the HTML from the same origin 91
4.1.4 Drawbacks of HTTP authentication 94
4.2 Token-based authentication 95
4.2.1 A token store abstraction 97
4.2.2 Implementing token-based login 98
4.3 Session cookies 100
4.3.1 Avoiding session fixation attacks 103
4.3.2 Cookie security attributes 105
4.3.3 Validating session cookies 107
4.4 Preventing cross-site request forgery attacks 109
4.4.1 SameSite cookies 111
4.4.2 Hash-based double-submit cookies 113
4.4.3 Double-submit cookies for the Natter API 116
4.5 Building the Natter login UI 121
4.6 Implementing logout 125
Quiz Answers 127
Summary 127
Chapter 5 Modern token-based authentication 128
5.1 Allowing cross-domain requests with CORS 128
5.1.1 Preflight requests 129
5.1.2 CORS headers 131
5.1.3 Adding CORS headers to the Natter API 132
5.2 Tokens without cookies 135
5.2.1 Storing token state in a database 136
5.2.2 The Bearer authentication scheme 141
5.2.3 Deleting expired tokens 143
5.2.4 Storing tokens in Web Storage 143
5.2.5 Updating the CORS filter 146
5.2.6 XSS attacks on Web Storage 147
5.3 Hardening database token storage 149
5.3.1 Hashing database tokens 150
5.3.2 Authenticating tokens with HMAC 151
5.3.3 Protecting sensitive attributes 156
Quiz Answers 158
Summary 159
Chapter 6 Self-contained tokens and JWTs 160
6.1 Storing token state on the client 160
6.2 JSON Web Tokens 163
6.2.1 The standard JWT claims 165
6.2.2 The JOSE header 166
6.2.3 Generating standard JWTs 168
6.2.4 Validating a signed JWT 171
6.3 Encrypting sensitive attributes 172
6.3.1 Authenticated encryption 173
6.3.2 Authenticated encryption with NaCl 175
6.3.3 Encrypted JWTs 177
6.3.4 Using a JWT library 180
6.4 Using types for secure API design 183
6.5 Handling token revocation 185
Quiz Answers 189
Summary 189
Part 3 Authorization
Chapter 7 OAuth2 and OpenID Connect 192
7.1 Scoped tokens 193
7.1.1 Adding scoped tokens to Natter 193
7.1.2 The difference between scopes and permissions 197
7.2 Introducing OAuth2 200
7.2.1 Types of clients 201
7.2.2 Authorization grants 201
7.2.3 Discovering OAuth2 endpoints 203
7.3 The authorization code grant 204
7.3.1 Redirect URIs for different types of clients 208
7.3.2 Hardening code exchange with PKCE 209
7.3.3 Refresh tokens 210
7.4 Validating access tokens 211
7.4.1 Token introspection 212
7.4.2 Securing the HTTPS client configuration 217
7.4.3 Token revocation 219
7.4.4 JWT access tokens 221
7.4.5 Encrypted JWT access tokens 227
7.4.6 Letting the AS decrypt the tokens 228
7.5 Single sign-on 229
7.6 OpenID Connect 230
7.6.1 ID tokens 231
7.6.2 Hardening OIDC 232
7.6.3 Passing an ID token to an API 233
Quiz Answers 235
Summary 235
Chapter 8 Identity-based access control 237
8.1 Users and groups 237
8.2 Role-based access control 243
8.2.1 Mapping roles to permissions 244
8.2.2 Static roles 245
8.2.3 Determining user roles 247
8.2.4 Dynamic roles 248
8.3 Attribute-based access control 249
8.3.1 Combining decisions 251
8.3.2 Implementing ABAC policies 252
8.3.3 Policy agents and API gateways 256
8.3.4 Distributed policy enforcement and XACML 257
8.3.5 Best practices for ABAC 258
Quiz Answers 260
Summary 260
Chapter 9 Capability-based security and macaroons 261
9.1 Capability-based security 261
9.2 Capabilities and REST APIs 263
9.2.1 Capabilities as URIs 265
9.2.2 Using capability URIs in the Natter API 268
9.2.3 HATEOAS 272
9.2.4 Capability URIs for browser-based clients 276
9.2.5 Combining capabilities with identity 278
9.2.6 Hardening capability URIs 279
9.3 Macaroons: tokens with caveats 282
9.3.1 Contextual caveats 284
9.3.2 A macaroon token store 285
9.3.3 First-party caveats 288
9.3.4 Third-party caveats 291
Quiz Answers 293
Summary 293
Part 4 Microservice APIs and service-to-service API security in Kubernetes
Chapter 10 Microservice APIs in Kubernetes 296
10.1 Microservice APIs on Kubernetes 297
10.2 Deploying the Natter API on Kubernetes 300
10.2.1 Building the H2 database as a Docker container 301
10.2.2 Deploying the database to Kubernetes 305
10.2.3 Building the Natter API as a Docker container 309
10.2.4 The link-preview microservice 313
10.2.5 Deploying the new microservice 315
10.2.6 Calling the link-preview microservice 317
10.2.7 Preventing SSRF attacks 320
10.2.8 DNS rebinding attacks 325
10.3 Securing microservice communications 327
10.3.1 Securing communications with TLS 327
10.3.2 Using a service mesh for TLS 329
10.3.3 Locking down network connections 333
10.4 Securing incoming requests 335
Quiz Answers 339
Summary 339
Chapter 11 Securing service-to-service APIs 340
11.1 API keys and JWT bearer authentication 340
11.2 The OAuth2 client credentials grant 342
11.3 The JWT bearer grant for OAuth2 345
11.3.1 Client authentication 346
11.3.2 Generating the JWT 349
11.3.3 Service account authentication 351
11.4 Mutual TLS authentication 352
11.4.1 How TLS certificate authentication works 352
11.4.2 Client certificate authentication 355
11.4.3 Verifying client identity 356
11.4.4 Using a service mesh 361
11.4.5 Mutual TLS with OAuth2 363
11.4.6 Certificate-bound access tokens 364
11.5 Managing service credentials 368
11.5.1 Kubernetes secrets 369
11.5.2 Key and secret management services 373
11.5.3 Avoiding long-lived secrets on disk 376
11.5.4 Key derivation 377
11.6 Service API calls in response to user requests 381
11.6.1 The phantom token pattern 381
11.6.2 OAuth2 token exchange 383
Quiz Answers 386
Summary 387
Part 5 APIs for the Internet of Things
Chapter 12 Securing IoT communications 390
12.1 Transport layer security 391
12.1.1 Datagram TLS 392
12.1.2 Cipher suites for constrained devices 402
12.2 Pre-shared keys 407
12.2.1 Implementing a PSK server 408
12.2.2 The PSK client 411
12.2.3 Supporting raw PSK cipher suites 412
12.2.4 PSK with forward secrecy 413
12.3 End-to-end security 415
12.3.1 COSE 416
12.3.2 Alternatives to COSE 420
12.3.3 Misuse-resistant authenticated encryption 422
12.4 Key distribution and management 426
12.4.1 One-off key provisioning 426
12.4.2 Key distribution servers 427
12.4.3 Ratcheting for forward secrecy 428
12.4.4 Post-compromise security 430
Quiz Answers 432
Summary 432
Chapter 13 Securing IoT APIs 433
13.1 Authenticating devices 433
13.1.1 Identifying devices 433
13.1.2 Device certificates 436
13.1.3 Authenticating at the transport layer 437
13.2 End-to-end authentication 440
13.2.1 OSCORE 443
13.2.2 Avoiding replay in REST APIs 450
13.3 OAuth2 for constrained environments 455
13.3.1 The device authorization grant 455
13.3.2 ACE-OAuth 459
13.4 Offline access control 460
13.4.1 Offline user authentication 460
13.4.2 Offline authorization 462
Quiz Answers 463
Summary 463
Appendix A Setting up Java and Maven 464
Appendix B Setting up Kubernetes 473