Anand Prakash
Facebook hack
- In 2016, Anand discovered a vulnerability in Facebook
- In Facebook you can reset your password using email or mobile phone
- A random 6-digit code is sent to the email/phone
- You can try 10-12 times to enter this secret code
- After these attempts, Facebook blocks you
Facebook hack (2)
- Anand found that beta.facebook.com and mbasic.beta.facebook.com were missing the rate limit protection
- He was able to brute force the 6-digit code
- Anand received $15,000 from Facebook Bug Bounty program
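The defence the beta hosts were missing is an attempt budget enforced server-side, per account, independent of which front end received the request. The following is an added illustration (not Facebook's code and not part of the original slides): a hypothetical reset-code service that issues a uniformly random 6-digit code, allows at most MAX_ATTEMPTS guesses, invalidates the code once the budget is spent or the TTL passes, and compares in constant time. The 10-minute TTL is an assumption.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10        # guesses allowed per issued code (the slides mention 10-12)
CODE_TTL_SECONDS = 600   # assumption: a code stays valid for 10 minutes
CODE_SPACE = 10**6       # 6 decimal digits: 000000 .. 999999


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeService:
    """Hypothetical server-side store of pending reset codes, keyed by account.

    The attempt counter is tied to the account and the issued code, not to the
    hostname, client or IP, so every front end (beta or production) shares the
    same budget and a missing limit on one host cannot bypass it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing
        self._pending: dict[str, ResetChallenge] = {}

    def issue(self, account: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so every code is 6 digits.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._pending[account] = ResetChallenge(code=code, issued_at=self._clock())
        # A real service sends this by email/SMS and never returns it to the caller.
        return code

    def verify(self, account: str, submitted: str) -> bool:
        ch = self._pending.get(account)
        if ch is None:
            return False                       # nothing pending (or already locked/used)
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]         # expired: force a fresh code
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code.encode(), submitted.encode())
        if ok or ch.attempts >= MAX_ATTEMPTS:
            # Single use on success; on exhausting the budget the code is thrown
            # away, so the only way forward is a new, independently random code.
            del self._pending[account]
        return ok


def guess_probability(attempts_allowed: int) -> float:
    """Chance that an attacker with no other information guesses one issued
    6-digit code within the allowed attempts: attempts / 10^6."""
    return attempts_allowed / CODE_SPACE
```

With the budget in place an attacker gets 10 guesses per issued code, a 1-in-100,000 chance; without it (the beta hosts) all 10^6 codes can be tried and the chance is 1. Because the counter lives with the pending code rather than with the request path, adding a new subdomain or a new client cannot silently remove the limit.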
From web application
To web API
Security implications
- A web API introduces more:
  - Endpoints: more URLs to call
  - Traffic: machine to machine
  - Technologies: RPC, REST, SOAP, etc.
  - Formats: JSON, XML, etc.
Defense layers
Logging & Monitoring
- Logging is fundamental for security (and not only)
- Monitoring is the only way to catch real-time threats, user access violations, and network anomalies
- Monitoring provides a method for forensic analysis in the event of a security breach
- Examples: Fluentd, Graylog, Logstash, Nagios, etc
GDPR
- Detect data leakage and alert users and controllers
- Art. 33, Notification of a personal data breach to the supervisory authority
- Art. 34, Communication of a personal data breach to the data subject
TLS
- All the web APIs must use HTTPS (TLS)
- Let's Encrypt (open source):
  - Domain Validation (DV)
  - lifetime 90 days (automatic renewal system)
- Paid certificates:
  - DV, Organization Validation (OV), Extended Validation (EV)
  - lifetime 1 year and more
Authentication &
Access Control
Authorization
- Authentication is not enough. We need to know who you are!
- OAuth 2.0 provides access control using:
  - scope: the subset of information or actions accessible by the key (token)
  - validity: a key (token) expires automatically after a set time, so it does not have to be explicitly revoked by the system
Broken Object Level Authorization
Example: nginx rate limit
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

server {
    location /login/ {
        limit_req zone=mylimit;
        proxy_pass http://my_upstream;
    }
}
Source: Rate Limiting with NGINX and NGINX Plus
API gateway
Confidential
- Reduce the information exposed by the API (especially sensitive data)
- Under GDPR email addresses are considered confidential and must be used and stored within strict privacy and security guidelines
- Encrypt confidential data using a standard algorithm (e.g. AES-GCM-256)
Encryption
- Use high-level crypto libraries (e.g. libsodium)
- Avoid using low-level crypto libraries directly (e.g. OpenSSL)
- Many databases and storage services offer data encryption at rest (e.g. AWS S3)
Password
- Never store user passwords in plaintext
- Never store encrypted user passwords
- Use a password hashing algorithm: argon2
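The three rules above in code, as an added example that is not part of the original slides: passwords are turned into a salted, slow hash and only the hash is stored, so there is no key whose compromise would reveal every password (the problem with "encrypted" storage). It uses argon2id through the argon2-cffi package when that is installed (an assumption) and otherwise falls back to scrypt from the standard library so it still runs; the stored string carries its own algorithm tag and parameters, which is what lets you migrate hashes later.

```python
import hashlib
import hmac
import os

try:
    # Assumption: argon2-cffi is installed (pip install argon2-cffi).
    from argon2 import PasswordHasher
    from argon2.exceptions import VerifyMismatchError
    _ph = PasswordHasher()        # argon2id with the library's default cost parameters
    HAVE_ARGON2 = True
except ImportError:
    HAVE_ARGON2 = False

# Fallback parameters for scrypt (stdlib); 128*r*N = 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing hash string; never the password, never a ciphertext."""
    if HAVE_ARGON2:
        # Format: $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>; salt is generated per call.
        return _ph.hash(password)
    salt = os.urandom(16)                     # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare in constant time.
    Anything that is not a recognised hash string (e.g. a plaintext or an
    encrypted blob that slipped into the table) is rejected outright."""
    if stored.startswith("$argon2"):
        if not HAVE_ARGON2:
            return False
        try:
            return _ph.verify(stored, password)
        except VerifyMismatchError:
            return False
    if stored.startswith("$scrypt$"):
        _, _, params, salt_hex, digest_hex = stored.split("$")
        p = dict(kv.split("=") for kv in params.split(","))
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(p["n"]), r=int(p["r"]), p=int(p["p"]), dklen=32)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False
```

The per-password salt is why two users with the same password get different rows and why a leaked table cannot be attacked with one precomputed table; the memory-hard function is why each guess costs the attacker real resources. A reversible encryption layer gives neither property.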
GDPR
- Responsibly store and process data according to risks
- Art. 32, Security of processing
- Art. 35, Data protection impact assessment