API Security Weekly: Issue 173

This week, we have news of the eye-opening vulnerability on the Coinbase platform which netted $250,000 in bug bounty. There’s also an excellent guide on best practices for authentication and authorization for REST APIs, an article on the growth of bad bots and how to mitigate against them, and a fun read from APIHandyman on how to hack the Elgato Key light API.

Vulnerability: Coinbase API Bug Allowed Unlimited Cryptocurrency Trading

This week’s major news story has been the disclosure of a major vulnerability in an API on Coinbase, a cryptocurrency trading platform. This vulnerability potentially allowed an attacker to make unlimited cryptocurrency trades between different currency accounts.

OAuth 2.0 and OIDC Fundamentals for Authentication and Authorization

OAuth 2.0 is an industry standard for “delegated authorization” which is the ability to provide an application or client access to data or features offered by another app or service. OAuth 2.0 focuses on authorization and is not prescriptive about authentication. OpenID Connect (OIDC) adds a standards-based authentication layer on top of OAuth 2.0.

In this post, we will cover the fundamentals of OAuth 2.0 and OIDC for authentication and authorization. I will discuss two common flows, namely the Implicit Flow and the Authorization Code Flow.

Sureness: Focusing on the Protection of REST API

Background

Hi guys! In the mainstream web architecture, protecting the REST API provided by the back end through effective and fast authentication has become particularly important.

Among existing frameworks, neither Apache Shiro, which does not natively support REST, nor Spring Security, which is deeply bound to Spring, is our ideal framework.

Magic Authentication and Authorisation

Magic was created to solve all the repetitive problems I experience in my day job. One of these problems happens to be authentication and authorisation, which is a problem you have to solve every time you create a new application. At this point some might argue that OAuth2 solves these problems, and while technically that is true, OAuth2 is also ridiculously complex and over-engineered, and very easy to get wrong. And of course, if you get your app's auth parts wrong, you might as well not have auth at all, since it exposes your apps to adversaries doing whatever they want to do with your app. Authorisation, together with cryptography, is one of those things you really should not solve yourself, unless you really know what you're doing. Watch the following video for a walkthrough of how the auth parts in Magic work.

User administration

As you can see in the above video, Magic contains a million parts helping you out with your authentication and authorisation requirements, such as the ability to lock users, implement double opt-in registrations, have users confirm their email address before being accepted into your site, reset passwords, etc. In addition, of course, the coolest part is that the Magic Dashboard also contains high-level UI components, allowing you to easily administrate your user database, as illustrated below.

Authorization Technology is the Future of Collaboration

Back in the day, security was built around the principle that the people who work for the organization are the good guys we give access to, while everyone outside the organization is a bad guy we need to keep out.

Well, two things have radically changed since then.

Architectural Approaches To Authorization in Server Applications: Activity-Based Access Control Framework

This article is about security. I’ll focus on this in the context of web applications, but I’ll also touch on other types of applications. Before I describe approaches and frameworks, I want to tell you a story.

Background

Throughout my years working in the IT sphere, I’ve had the opportunity to work on projects in a variety of fields. Even though authentication requirements remained relatively consistent, methods of implementing the authorization mechanism tended to be quite different from project to project. Authorization had to be written practically from scratch for the specific goals of each project; we had to develop an architectural solution, then modify it with changing requirements, test it, etc. All of this was considered a common process that developers could not avoid. Every time someone implemented a new architectural approach, we felt more and more that we should come up with a general approach that would cover the main authorization tasks and (most importantly) could be reused in other applications. This article takes a look at a generalized architectural approach to authorization based on the example of a framework we developed.

Couchbase Support for Node-to-node Encryption

When customers using Couchbase require us to comply with privacy regulations such as HIPAA (financial or healthcare customers, for example), we typically need to allow for Authentication (LDAP), Authorization (RBAC, role-based access control), and Encryption. It is also important to support auditing and redaction of important information, especially in logs (Couchbase supports log redaction using specific tags), all of which Couchbase supports. When it comes to encryption, Couchbase supports node-to-node encryption at multiple levels using the cluster-level configuration setting. This is controlled by the user and can take 3 values:

  1. Control: At this level, only the cluster and server connections to internal services are encrypted. This basically includes the cluster management information and the related internal processes. However, data across nodes in the cluster is not encrypted. So, for example, a server-to-query-service connection is encrypted. This is the default behaviour.

Identity and Access Management

Given the rise in identity-focused breaches and the continuously growing number of identities, identity and access management (IAM) has emerged as a cornerstone for safeguarding enterprise systems. By orchestrating secure authorization and authentication, IAM serves as the digital gatekeeper, granting controlled access to diverse resources — from on-premises databases to cloud-based applications. In this Refcard, we delve deep into IAM's crucial role in modern cybersecurity. We outline the primary functions and principles that underpin IAM, highlight its significance, address common challenges faced by engineering teams, and focus on the core practices.

How to Spot Vulnerabilities of Custom SAML Implementations Before They Happen

SAML (Security Assertion Markup Language), an XML-based markup language used to expedite identity checks for bigger applications, is often prone to vulnerabilities. This article goes over the usual roadblocks developers might come in contact with when working with custom SAML solutions, and looks into preventative measures developers can take to stop vulnerabilities before they happen.

Crash Course in SAML

SAML is used for exchanging authentication and authorization data between identity providers and service providers. One of the most common use cases for SAML is facilitating browser-based Single Sign-On (SSO).

User Authentication With Amazon Cognito

Introduction

In this article, I will walk you through what the Amazon Cognito service is and how you can use it for your user management, authentication, and authorization. I will create a simple web application using AngularJS with login/sign-up functionality, and I will showcase how easy it is to make it a full-fledged application with all user management functions handled by Amazon Cognito.

Prerequisites

This article assumes that you have a basic understanding of web application development. It doesn’t require you to have advanced skills in using Angular or AWS, but familiarity with these technologies will help you get the most out of it. Here is a list of the tools and technologies I have used in this article.

Understanding the Need for JSON Web Token (JWT)

  • JWT stands for JSON Web Token
  • It is pronounced as JAWT
  • It is an open standard (RFC 7519)
  • JWT makes it possible to communicate securely between two parties
  • JWT is used for authorization

Video

This tutorial is explained in the YouTube video below.

A Basic Introduction to XACML

What Is XACML?

XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized by the Technical Committee of the OASIS consortium. XACML is popular in the community as a fine-grained authorization method. XACML describes an access control policy language, a request/response language, and a reference architecture. The policy language is used to express access control policies (who can do what, and when). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes the answers to those queries (responses). The reference architecture proposes a standard for deploying the necessary software modules within an infrastructure to allow efficient enforcement of policies.

XACML supports Attribute-Based Access Control (ABAC), and evaluation can use additional data retrieved from a Policy Information Point (PIP), which is defined by the XACML reference architecture.

Secure Communication with Token-based RSocket

RSocket provides a message-driven communication mechanism built on the reactive streaming framework, and supports most transport protocols (TCP/WebSocket/HTTP 1.1 & HTTP 2). Furthermore, its programming-language-agnostic interaction models (REQUEST_RESPONSE/REQUEST_FNF/REQUEST_STREAM/REQUEST_CHANNEL) cover most communication scenarios, from microservices, API gateways, and sidecar proxies to message queues.

Considering security for the communication, it's easy to use TLS-based and token-based solutions in RSocket-based production systems. RSocket can reuse TLS over TCP or WebSocket directly, but to demonstrate the RBAC feature vividly, in this article we only talk about the token-based implementation.