
Prevent untrusted clients from using login/register endpoints of REST API

I currently have one SPA in ReactJs, one mobile application in Flutter and one REST API developed with SailsJs running on a separate server. I manage user authentication with a secured session cookie sent back by the API when we log in with valid information (id/password).

So all the endpoints that require users to be authenticated are protected (unless there are other security best practices that I'm not aware of?). The session cookie expiration and validity are checked with each call to one of the protected endpoints.

I really read a massive amount of topics and blog posts talking about securing REST APIs. And my problem is never or barely represented. So now my main problem is:

How can I restrict my public API endpoints (login & register currently) that do not require users to be authenticated (since these are the endpoints used to achieve this mission...) to be used only in my trusted client apps (web and mobile)?

How can I prevent another app developed by another person from using these endpoints?

I don't want anyone to log in via my API unless it is done in the client apps I am developing... I don't want anyone to replicate my applications and successfully use my API that way with 0 protection, without knowing it...

I see a lot of popular services with login API routes (Heroku for example) that can't be accessed in Postman with the same parameters (403 error code). So it is possible. But how do they do that? There is nothing in specialized forums that handles this, or I missed something!

I thought of a secret token stored in the client to authenticate it, but it is literally public with web developer tools, for example.

Need some advice.

Thanks

USER AUTHENTICATION IS NOT APP AUTHENTICATION

So all the endpoints that require users to be authenticated are protected...

These endpoints are only protected in terms of identifying, authenticating and authorizing Who is in the request, but not What is doing the request, and this is a topic not very well understood among developers, be they juniors or seniors.

The Difference Between WHO and WHAT is Accessing the API Server

In an article I wrote, entitled Why Does Your Mobile App Need An Api Key?, you can read in more detail the difference between Who and What is accessing your API server, from which I quote the following:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So the Who is the user of your API server that you will be able to Authenticate and Authorize access to the data, and the What is the software making that request on behalf of the user: your genuine app, a tampered one, an automated script or someone manually poking around with your API via cURL, Postman or similar tools.

By now I hope that you have enough knowledge to understand why user (who) authentication is not the same as app (what) authentication.

LOCK THE API SERVER TO THE APPS

How can I restrict my public API endpoints (login & register currently) that do not require users to be authenticated (since these are the endpoints used to achieve this mission...) to be used only in my trusted client apps (web and mobile)?

I think that by now it may be clear to you that it's not only the login and registration endpoints that need to be protected from What is doing the request.

How can I prevent another app developed by another person from using these endpoints? I don't want anyone to log in via my API unless it is done in the client apps I am developing... I don't want anyone to replicate my applications and successfully use my API that way with 0 protection, without knowing it...

This is extremely hard to achieve for web apps, but possible with a high degree of confidence for mobile apps when the Mobile App Attestation concept is implemented.

For web apps

Due to the nature of how the web was built, all that's necessary to inspect a web app is to hit F12 or inspect the page source, and then search for whatever you need to access the API server from another tool.

You can learn some useful techniques to help your API server try to respond only to requests coming from What you expect, your genuine web app, and to do so I invite you to read my answer to the question Secure api data from calls out of the app, especially the section dedicated to Defending the API Server.

For mobile apps

To learn how you can lock your API server to your mobile app I recommend you read my answer to the question How to secure an API REST for mobile app?, for the sections on Securing the API Server and A Possible Better Solution.

Endpoints to Secure

So all the endpoints that require users to be authenticated are protected (unless there are other security best practices that I'm not aware of?).

It's up to you if you only want to enhance the security of your login and register endpoints, but my advice is that you enhance the security of all of them regarding the detection of What is accessing them.

POSTMAN WITH HEROKU AND OTHERS

I see a lot of popular services with login API routes (Heroku for example) that can't be accessed in Postman with the same parameters (403 error code). So it is possible. But how do they do that? There is nothing in specialized forums that handles this, or I missed something!

I never used Heroku, but when I am using an API that doesn't work in Postman but works in other clients, let's say from cURL, then I disable Postman from sending its own user-agent and normally the API will start accepting the requests.

If it doesn't, then they may be doing device fingerprinting:

A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a fingerprinting algorithm. A browser fingerprint is information collected specifically by interaction with the web browser of the device.

The fingerprinting can be done in active or passive mode. In active mode some JavaScript runs on the client to collect some data to send back to the API server, while in passive mode it uses the information available from the request on the server, like the HTTP headers and request parameters.

While this raises the bar to fake What is doing the request, it can be bypassed by observing how a trusted client sends the request and mimicking it. For an attacker it's just a little more work to enumerate all variants and then automate them.

DO YOU WANT TO GO THE EXTRA MILE?

I really read a massive amount of topics and blog posts talking about securing REST APIs.

First and foremost, my congratulations for putting such effort into educating yourself about securing your API.

I don't know if you already read some of the OWASP resources I am about to link, but in any response to a security question I always like to reference the excellent work from the OWASP foundation ;)

For Web Apps

OWASP Web Top 10 Risks:

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

The Web Security Testing Guide:

The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks:

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10:

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
