[Owasp-leaders] REST Security - HELP!

Gunnar Peterson gunnar at arctecgroup.net
Mon Nov 26 17:54:25 UTC 2012


Some comments:

1. Authentication and Session Management

OK:
	• http://example.com/resourceCollection/<id>/action
	• http://twitter.com/vanderaj/lists
NOT OK:
	• http://example.com/controller/<id>/action?apiKey=a53f435643de32


I think the above are all NOT OK; they need TLS/SSL.

2. Protect Session State

Should mention that developers should implement some protection of local client storage of the token to mitigate replay.

3. Related to the above: because they are machine-to-machine apps, many Web services have hard-coded (and plaintext) credentials. This is a common occurrence, so the cheat sheet should discuss avoiding it.

4. Security standards. OAuth is worth discussing but also worth pointing out that it always must be used with TLS/SSL.

Likewise, SAML is a good model to look at for REST, specifically the SAML HTTP Redirect Binding, which is widely used on REST Web services and can close a number of the more difficult issues in REST access control (signature, timestamp, nonce).

http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language#SAML_2.0_bindings

To implement this, the client needs to handle the redirect from the service provider to the identity provider.

-gunnar

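The signature/timestamp/nonce check referred to in point 4, as an added example that is not from this thread or from the cheat sheet: a simplified HMAC-signed-request verifier (not the SAML binding itself) that rejects stale timestamps and replayed nonces, plus a check for the credential-in-query-string pattern quoted in point 1. The secret, the skew window and the list of credential parameter names are constructed assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed values for the example: the shared secret would be provisioned per client
# out of band and, as the thread says, never travel as a query parameter.
SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300
CREDENTIAL_PARAMS = {"apikey", "api_key", "token", "access_token", "password"}


def has_credential_in_query(url):
    """Flag the "NOT OK" pattern from point 1: a credential carried in the query string."""
    return any(name.lower() in CREDENTIAL_PARAMS for name in parse_qs(urlsplit(url).query))


def canonical_string(method, path, timestamp, nonce, body=b""):
    """Bind method, path, timestamp, nonce and a body hash into the bytes that get signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret, method, path, timestamp, nonce, body=b""):
    """Client side: HMAC-SHA256 over the canonical string, sent alongside timestamp and nonce."""
    return hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: signature, freshness window and one-time nonce, so a captured request cannot be replayed."""

    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, method, path, timestamp, nonce, signature, body=b"", now=None):
        now = time.time() if now is None else now
        # Forget nonces whose timestamp would be rejected as stale anyway.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if abs(now - timestamp) > self.max_skew:
            return False, "stale timestamp"
        expected = sign_request(self.secret, method, path, timestamp, nonce, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = timestamp + self.max_skew
        return True, "ok"
```

In a real service the nonce cache must be shared across instances (or scoped to a client identifier) and the signature must still travel over TLS, since it authenticates the request but does not hide its contents.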


On Nov 26, 2012, at 6:03 AM, vanderaj vanderaj wrote:

> I've given it a jolly good update. Please check it out.
> 
> Improvements welcome.
> 
> thanks,
> Andrew
> 
> On Mon, Nov 26, 2012 at 8:29 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>> I've added quite a few bits to it now.
>> 
>> Best regards,
>> Erlend oftedal
>> 
>> 
>> ________________________________________
>> From: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] on behalf of Jim Manico [jim.manico at owasp.org]
>> Sent: 26 November 2012 00:19
>> To: vanderaj vanderaj
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] REST Security - HELP!
>> 
>>> I will take this on, as it's relevant to my interests ... today :)
>> 
>> So does that mean you will have it done today, Andrew?
>> 
>> *wink*
>> 
>> Thanks for your help. :)
>> 
>> Aloha,
>> Jim
>> 
>> 
>>> I will take this on, as it's relevant to my interests ... today :)
>>> 
>>> thanks
>>> Andrew
>>> 
>>> On Mon, Nov 26, 2012 at 10:05 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> Leaders,
>>>> 
>>>> Go Google "REST Security" and the OWASP Cheat Sheet on REST security pops up
>>>> first. Unfortunately this cheat sheet is very minimal and in DRAFT mode!
>>>> 
>>>> https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
>>>> 
>>>> Help!
>>>> 
>>>> Does anyone with a solid understanding of REST Security from a defense point
>>>> of view care to jump in and help complete this cheat sheet on REST Security?
>>>> 
>>>> This does NOT have to be a comprehensive guide, just a "cheat" that
>>>> describes the most important defenses.
>>>> 
>>>> Thanks all,
>>>> 
>>>> Jim Manico
>>>> @Manicode
>>>> OWASP Volunteer
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 