How to protect public APIs (no credentials) from being exploited?
It's more of a general question, but what is the recommended way to protect APIs used in sign-up processes? Suppose we have these public APIs (no user credentials required, only an API KEY):
- find_person(data about the person attempting to sign up), returns whether that person already exists or not (no user credentials required and no sensitive information returned).
- create_person(data about the person attempting to sign up), creates the person in the system (no user credentials required).
Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA web application or mobile application securely obtain a "per-session" anonymous user?
Are captchas actually helpful in this scenario?
We are already considering:
- API KEY for every application (not per session)
- Rate limiting
- DDoS services to protect the APIs
Any help would be greatly appreciated.
Thanks
Short-lived JWT tokens
Can we have "anonymous" users that have a short-lived JWT token?
Yes, you can, and it is recommended that you do this even for logged-in users. Check the Auth0 blog post What Are Refresh Tokens and How to Use Them Securely:
This post will explore the concept of refresh tokens as defined by OAuth 2.0. We will learn how they compare to other token types and how they let us balance security, usability, and privacy.
The problem with using tokens for anonymous or logged-in users is that they only identify who is in the request, not what is making the request.
The difference between WHO and WHAT is accessing the API server
I have written a series of articles on API and mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail about the difference between who and what is accessing your API server, but I will extract the main points here:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
So, think of the who as the user (anonymous or logged in) that your API server will be able to authenticate and authorize access to the data, and think of the what as the software making the request on behalf of that user.
Your possible solutions
We are already considering:
- API KEY for every application (not per session)
- Rate limiting
- DDoS services to protect the APIs
These are basic security measures that any API should implement, but they fall short of giving the API server a high degree of confidence that the request is indeed coming from what it expects, a genuine and untampered version of your application.
You can read more in my article The Top 6 Mobile API Protection Techniques - Are They Enough?:
In this article we will explore the most common techniques used to protect an API, including how important it is to use HTTPS to protect the communication channel between mobile app and API, how API keys are used to identify the mobile app on each API request, how user agents, captchas and IP addresses are used for bot mitigation, and finally how user authentication is important for the mobile security and api security. We will discuss each of these techniques and discuss how they impact the business risk profile, i.e. how easy they are to get around.
The reader will come to understand why today's commonly used mobile API protection techniques are very naive and not fit for purpose to defend digital businesses against API abuse. API abuse in its various forms is much more commonplace than most businesses realize, so it is important to employ the right techniques to maintain revenue and brand reputation.
Other possible solutions
For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user?
With a web application it is very easy to introspect and see the API requests and their responses, just by using the developer tools in the browser.
For a mobile application it takes more work, but plenty of open-source tools exist that make it easy, and in some cases trivial, so that even non-developers can do it, which makes protecting the API server hard, but not impossible.
So web and mobile work in completely different ways, and the approaches to protecting them will also differ.
For web applications
Are Captchas actually helpful in this scenario?
A captcha gives you a score that tells you how likely it is that the who in the request is a real human. Even at the best score, it cannot guarantee with a high degree of confidence that the what performing the request is indeed what your API server expects, a genuine and untampered version of your web or mobile app.
To learn some useful techniques to help your API backend try to respond only to requests from what you expect, you can read my answer to the question Secure api data from calls out of the app, especially the section dedicated to securing the API server.
For mobile applications
It's more of a general question, but What is the recommended way to protect APIs used in SIGN UP processes?
Although it is not specific to the sign-up process, I recommend that you read my answer to the question How to secure an API REST for mobile app?, especially the sections on hardening and shielding the mobile app, securing the API server and a possible better solution.
As per that answer, the better approach that can be used is a Mobile App Attestation solution, so that the API server knows it is only receiving requests from what it expects, a genuine and untampered version of your mobile app.
Do you want to go the extra mile?
In any answer to a security question I always like to reference the excellent work of the OWASP foundation.
For APIs
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For mobile applications
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
For web applications
The Web Security Testing Guide:
The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
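An added example, not code from the question or the answer, sketching how a sign-up endpoint such as find_person could enforce the three controls discussed above: a per-application API key, a short-lived HS256 JWT for an anonymous session, and a per-session rate limit. All secrets, key values, session ids and limits are constructed for the example; the final comment in handle_find_person is the caveat from the answer, that passing these checks identifies the who, not the what.

```python
import base64, hashlib, hmac, json
from collections import defaultdict

# Constructed secrets for this example (not real values); load them from a vault in practice.
API_KEYS = {"app-key-CONSTRUCTED"}  # one key per application, as the question proposes
JWT_SECRET = b"jwt-signing-secret-CONSTRUCTED"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_anonymous_jwt(session_id, now, ttl_seconds=300):
    """HS256 JWT for an anonymous 'who': a session id and a short expiry, no user identity."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": "anon:" + session_id, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_anonymous_jwt(token, now):
    """Return the claims if signature and expiry check out, else None (alg is never read from the header)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None

_hits = defaultdict(list)  # per-session sliding window for the sign-up endpoints
def allow(sub, now, limit=5, window=60):
    """At most `limit` calls per `window` seconds for one anonymous session."""
    recent = [t for t in _hits[sub] if now - t < window]
    if len(recent) >= limit:
        _hits[sub] = recent
        return False
    _hits[sub] = recent + [now]
    return True

def handle_find_person(api_key, token, now):
    """Status code for a find_person call: 401 for a bad key or token, 429 when rate limited, else 200."""
    if api_key not in API_KEYS:
        return 401
    claims = verify_anonymous_jwt(token, now)
    if claims is None:
        return 401
    if not allow(claims["sub"], now):
        return 429
    # A valid key and token identify the session (who); they do not prove a genuine app sent it (what).
    return 200
```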