From e57f2896dde01587fd7843162ca23c501d608751 Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Wed, 1 Feb 2023 15:15:23 -0700
Subject: [PATCH 1/6] Create 10-rest.livemd
---
modules/10-rest.livemd | 1 +
1 file changed, 1 insertion(+)
create mode 100644 modules/10-rest.livemd
diff --git a/modules/10-rest.livemd b/modules/10-rest.livemd
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/modules/10-rest.livemd
@@ -0,0 +1 @@
+
From 8497591cd2f2e5f7c7efa88b70feb873b67b6c3f Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Wed, 1 Feb 2023 15:27:28 -0700
Subject: [PATCH 2/6] Update 10-rest.livemd
---
modules/10-rest.livemd | 89 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
diff --git a/modules/10-rest.livemd b/modules/10-rest.livemd
index 8b13789..f7cb599 100644
--- a/modules/10-rest.livemd
+++ b/modules/10-rest.livemd
@@ -1 +1,90 @@
+# ESCT: Part 4 - GraphQL Security
+## Introduction
+
+> ### đź› MODULE UNDER CONSTRUCTION - Please move to next module
+
+*TODO: Write Introduction*
+
+## Table of Contents
+
+* [Disabling Introspection](#disabling-introspection)
+* [Error Disclosure](#error-disclosure)
+* [Resource Exhaustion](#resource-disclosure)
+ * [Cost Theory](#cost-theory)
+
+## Disabling Introspection
+
+### Description
+
+*TODO: Write Description*
+
+### Prevention
+
+*TODO: Write Prevention*
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Error Disclosure
+
+### Description
+
+*TODO: Write Description*
+
+### Prevention
+
+*TODO: Write Prevention*
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Resource Exhaustion
+
+### Description
+
+*TODO: Write Description*
+
+### Prevention
+
+*TODO: Write Prevention*
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+
+
+## Cost Theory
+
+### Description
+
+*TODO: Write Description*
+
+### Prevention
+
+*TODO: Write Prevention*
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+[**<- Previous Module: Secure SDLC Concepts**](./3-ssdlc.livemd) || [**Next Module: Elixir Security ->**](./5-elixir.livemd)
From a325e2c934b9a686ce2c4304a77bc4e9df8829ba Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Wed, 1 Feb 2023 15:53:04 -0700
Subject: [PATCH 3/6] Update 10-rest.livemd
Draft for REST Security Module
---
modules/10-rest.livemd | 87 +++++++++++++-----------------------------
1 file changed, 27 insertions(+), 60 deletions(-)
diff --git a/modules/10-rest.livemd b/modules/10-rest.livemd
index f7cb599..fba99cf 100644
--- a/modules/10-rest.livemd
+++ b/modules/10-rest.livemd
@@ -1,59 +1,36 @@
-# ESCT: Part 4 - GraphQL Security
+# ESCT: Part X - REST Security (DRAFT)
## Introduction
-> ### đź› MODULE UNDER CONSTRUCTION - Please move to next module
+REST stands for REpresentational State Transfer. It is an approach used by applications to govern communications, commonly as an API (Application programming interface).
-*TODO: Write Introduction*
+Characteristics of a RESTful style of application data exchange include the use of the HTTP protocol, and specific methods to interact with data, resources, and functionality.
-## Table of Contents
-
-* [Disabling Introspection](#disabling-introspection)
-* [Error Disclosure](#error-disclosure)
-* [Resource Exhaustion](#resource-disclosure)
- * [Cost Theory](#cost-theory)
-
-## Disabling Introspection
-
-### Description
-
-*TODO: Write Description*
-
-### Prevention
-
-*TODO: Write Prevention*
-
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
-
-```
-
-## Error Disclosure
-
-### Description
-
-*TODO: Write Description*
-
-### Prevention
+REST a “software architectural style that defines the set of rules to be used for creating web services” and a service is said to follow the REST architectural style, or is considered “RESTful if it adheres to the approach explained here: https://www.geeksforgeeks.org/rest-api-architectural-constraints/?ref=lbp
-*TODO: Write Prevention*
+In applications that implement this style:
+Client - Sends requests based on CRUD functionality; That is Create, Retrieve, Update, and Delete via corresponding HTTP methods: POST, GET, PUT, DELETE
+Protocol - HTTP and HTTP methods
+API Server - Hosts routes/api endpoints to resources; Routes in the form of URI/URLs for data/resource access or other backend services.
+Resources - Objects that are acted upon that get modified by the application functionality
+More information on the https://restfulapi.net/
-### Example / Quiz
+REST 6 Design Principles Characterize/distinguish a REST API from others like GraphQL, however, it shares many of the same security concerns and therefore the same mitigations.
-*TODO: Make Example or Quiz Question*
+## Table of Contents
-```elixir
+* [API Security](#api-security)
+* [Secure Endpoints](#secure-endpoints)
+* [Disable old endpoints](#disable-endpoints)
+* [Restrict HTTP methods](#restrict-http-methods)
+* [Input Validation](#input-validation)
-```
-## Resource Exhaustion
+## API Security
### Description
-*TODO: Write Description*
+REST security involves ensuring authenticated users are able to send requests to the api endpoints, users are only able to send request to perform specific actions based on user permissions/roles, and also securing the endpoints and any data involved against things like enumeration, inadvertent data exposure, and untrusted input.
### Prevention
@@ -66,25 +43,15 @@
```elixir
```
+### References
++ https://owasp.org/www-project-api-security/
++ https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
++ https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
++ https://www.invicti.com/blog/web-security/rest-api-web-service-security/
++ https://restfulapi.net/security-essentials/
++ https://restfulapi.net/
++ https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/
-## Cost Theory
-
-### Description
-
-*TODO: Write Description*
-
-### Prevention
-
-*TODO: Write Prevention*
-
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
-
-```
-
[**<- Previous Module: Secure SDLC Concepts**](./3-ssdlc.livemd) || [**Next Module: Elixir Security ->**](./5-elixir.livemd)
From 2c275c0bfd59078921bd5b74539498446a359c57 Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Fri, 3 Feb 2023 11:11:40 -0700
Subject: [PATCH 4/6] Update 10-rest.livemd
---
modules/10-rest.livemd | 106 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 100 insertions(+), 6 deletions(-)
diff --git a/modules/10-rest.livemd b/modules/10-rest.livemd
index fba99cf..9e91d2f 100644
--- a/modules/10-rest.livemd
+++ b/modules/10-rest.livemd
@@ -17,12 +17,14 @@ More information on the https://restfulapi.net/
REST 6 Design Principles Characterize/distinguish a REST API from others like GraphQL, however, it shares many of the same security concerns and therefore the same mitigations.
+This Module highlights some of the key concerns around apis implemented with the REST style.
+
## Table of Contents
-* [API Security](#api-security)
-* [Secure Endpoints](#secure-endpoints)
-* [Disable old endpoints](#disable-endpoints)
-* [Restrict HTTP methods](#restrict-http-methods)
+* [General API Security](#api-security)
+* [Authentication Authorization and Access Controls](#authentication-authorization-and-access-controls)
+* [Deprecate Old API Endpoints](#deprecate-old-endpoints)
+* [Restrict HTTP Methods](#restrict-http-methods)
* [Input Validation](#input-validation)
@@ -30,11 +32,39 @@ REST 6 Design Principles Characterize/distinguish a REST API from others like Gr
### Description
+REST security overlaps with API Security, those issues that are applicable regardless of the API implementation (GraphQL, etc.) , and generally involves ensuring authenticated users are able to send requests to the api endpoints, users are only able to send request to perform specific actions based on user permissions/roles, and also securing the endpoints and any data involved against things like enumeration, inadvertent data exposure, and untrusted input. Ensuring the protection of data as it is transmitted and limiting the ability to act on resources according to roles, permissions.
+
+APIs are succeptible to a number of attacks like denial of service, inadvertent data exposure and unauthorized access to functions and data. See OWASP API Security Project for a list of API Security Top 10 2019 issues.
+
+### Prevention
+
+Ensure API is clearly/strictly defined with repspect to who/entities both internal and external have access to the api. Document the api and ensure it is up to date as later versions are implemented.
+
+Implemented and validate content types, appropriate security headers, and ensure no sensitive information (like api keys) is sent in the API's HTTP requests, and set up audit logs for critical operations, and ensure there is no data leakage through overly verbose error messages.
+
+Clear define/understand the data that is collected and transmitti by the api, particularly sensitive data. Ensure old APIS are completely deprecated. Beware of old versions that may exist/ be exposed through applications that use cloud services.
+
+Only use HTTPS, configure appropriate security headers, validate content types, and implement some form of authentication.
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Authentication Authorization and Access Controls
+
+### Description
+
REST security involves ensuring authenticated users are able to send requests to the api endpoints, users are only able to send request to perform specific actions based on user permissions/roles, and also securing the endpoints and any data involved against things like enumeration, inadvertent data exposure, and untrusted input.
+Access Controls, Authorization, Authenticantion are closely linked in their implementation to secure API call requests and to ensure only permitted activity due to REST api's being stateless in nature. Stateless meaning each call acts as an independent, self-contained, requests that is not aware of previous or subsequent requests. As such, each call is usually made with some combination of password, key, or token
+
### Prevention
-*TODO: Write Prevention*
+Ensure API calls are restricted/allowed based on an allow list,
### Example / Quiz
@@ -43,7 +73,71 @@ REST security involves ensuring authenticated users are able to send requests to
```elixir
```
-### References
+
+## Deprecate Old Endpoints
+
+### Description
+
+OWASP API9:2019 Improper Assets Management
+As application gros and changes, API's may be updated. When api's are updated to current versions, the older version of the API may still be exposed/accessible
+
+https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa9-improper-assets-management.md
+
+Running old version that still have access to data, espectially if that data is sensitive can be discovered by malicious actors. This can be easily done if the api url contains version identifiers, like v1/.../ v2/.../, and the url are tampered with to retrieve legacy versions.
+
+### Prevention
+
+Completely deprecate any old version of an API. Inventory all API servers, hosts, endpoints and keep documents upto date. Be aware that older version may still be running in your environment and can be discoverable and abused by malicious actors.
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+## Restrict HTTP Methods
+
+### Description
+Access and other interactions with resources in a Resftully implemented api are done using HTTP methods, with requests/calls sending requests using
+POST, GET, PUSH, DELETE Methods for Creating, Reading, Updating, and Deleting Resources respectively and the service using HTTP Return Codes in response.
+
+### Prevention
+When designing/building an api, documentation should include an allow list of permitted methods (actions) that are allowed to be processed by the api server, and therefore allowed to be performed on the data/resources.
+
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Input Validation
+
+### Description
+
+API may pass untrusted input via URL parameters and request content making the API vulnerable to
+Injection Flaws (API8:2019) which represent a
+
+Another issue for APIs is incoming may contain a large payload, or particularly if publically exposed, could be the target for a denial of service attack.
+
+(See rate limiting section for more)
+
+### Prevention
+Validating incoming URL and request elements to the API server and establishing a white list and configuring the server to reject all requests that aren't on the approaved whitelist
+
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+### Additional References
+ https://owasp.org/www-project-api-security/
+ https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
+ https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
From d62b072a29d08a542bb049270ffe2fd366e7839d Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Fri, 3 Feb 2023 15:09:01 -0700
Subject: [PATCH 5/6] Update 10-rest.livemd
grammar
---
modules/10-rest.livemd | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/10-rest.livemd b/modules/10-rest.livemd
index 9e91d2f..c6d0cb1 100644
--- a/modules/10-rest.livemd
+++ b/modules/10-rest.livemd
@@ -87,7 +87,7 @@ Running old version that still have access to data, espectially if that data is
### Prevention
-Completely deprecate any old version of an API. Inventory all API servers, hosts, endpoints and keep documents upto date. Be aware that older version may still be running in your environment and can be discoverable and abused by malicious actors.
+Completely deprecate any old version of an API. Inventory all API servers, hosts, endpoints and keep documents up to date. Be aware that older version may still be running in your environment and can be discoverable and abused by malicious actors.
### Example / Quiz
@@ -121,7 +121,7 @@ When designing/building an api, documentation should include an allow list of pe
API may pass untrusted input via URL parameters and request content making the API vulnerable to
Injection Flaws (API8:2019) which represent a
-Another issue for APIs is incoming may contain a large payload, or particularly if publically exposed, could be the target for a denial of service attack.
+Another issue for APIs is incoming may contain a large payload, or particularly if publicly exposed, could be the target for a denial of service attack.
(See rate limiting section for more)
From 4ac6bb25df28c2b8b8a3ebe8d788523f889db992 Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Fri, 10 Feb 2023 15:41:51 -0700
Subject: [PATCH 6/6] Update 10-rest.livemd
Section complete and ready for review
---
modules/10-rest.livemd | 97 +++++++++---------------------------------
1 file changed, 19 insertions(+), 78 deletions(-)
diff --git a/modules/10-rest.livemd b/modules/10-rest.livemd
index c6d0cb1..1543311 100644
--- a/modules/10-rest.livemd
+++ b/modules/10-rest.livemd
@@ -6,17 +6,14 @@ REST stands for REpresentational State Transfer. It is an approach used by appl
Characteristics of a RESTful style of application data exchange include the use of the HTTP protocol, and specific methods to interact with data, resources, and functionality.
-REST a “software architectural style that defines the set of rules to be used for creating web services” and a service is said to follow the REST architectural style, or is considered “RESTful if it adheres to the approach explained here: https://www.geeksforgeeks.org/rest-api-architectural-constraints/?ref=lbp
+REST is a “software architectural style that defines the set of rules to be used for creating web services” and a service is said to follow the REST architectural style, or is considered “RESTful if it adheres to the approach explained here: https://www.geeksforgeeks.org/rest-api-architectural-constraints/?ref=lbp
-In applications that implement this style:
-Client - Sends requests based on CRUD functionality; That is Create, Retrieve, Update, and Delete via corresponding HTTP methods: POST, GET, PUT, DELETE
-Protocol - HTTP and HTTP methods
-API Server - Hosts routes/api endpoints to resources; Routes in the form of URI/URLs for data/resource access or other backend services.
-Resources - Objects that are acted upon that get modified by the application functionality
-More information on the https://restfulapi.net/
-
-REST 6 Design Principles Characterize/distinguish a REST API from others like GraphQL, however, it shares many of the same security concerns and therefore the same mitigations.
+In applications that implement this style, the general flow is the following:
+- A client interacts with resources where their actions result in requests based on CRUD functionality; That is Create, Retrieve, Update, and Delete via corresponding HTTP methods: POST, GET, PUT, DELETE
+- The API Server hosts routes or api endpoints to resources; Routes in the form of URI/URLs for data/resource access or other backend services.
+- Resources are objects that are acted upon that get modified by the application functionality
+REST's 6 Design Principles distinguish a REST API from others like GraphQL, however, it shares many of the same security concerns.
This Module highlights some of the key concerns around apis implemented with the REST style.
## Table of Contents
@@ -25,34 +22,22 @@ This Module highlights some of the key concerns around apis implemented with the
* [Authentication Authorization and Access Controls](#authentication-authorization-and-access-controls)
* [Deprecate Old API Endpoints](#deprecate-old-endpoints)
* [Restrict HTTP Methods](#restrict-http-methods)
-* [Input Validation](#input-validation)
-
## API Security
### Description
-REST security overlaps with API Security, those issues that are applicable regardless of the API implementation (GraphQL, etc.) , and generally involves ensuring authenticated users are able to send requests to the api endpoints, users are only able to send request to perform specific actions based on user permissions/roles, and also securing the endpoints and any data involved against things like enumeration, inadvertent data exposure, and untrusted input. Ensuring the protection of data as it is transmitted and limiting the ability to act on resources according to roles, permissions.
+REST security, like API security in general, involves ensuring authenticated users are able to send requests to the api endpoints, that users are only able to send requests to perform specific actions based on user permissions/roles, and securing the endpoints and any data involved against things like enumeration, inadvertent data exposure, and untrusted input.
APIs are succeptible to a number of attacks like denial of service, inadvertent data exposure and unauthorized access to functions and data. See OWASP API Security Project for a list of API Security Top 10 2019 issues.
### Prevention
-Ensure API is clearly/strictly defined with repspect to who/entities both internal and external have access to the api. Document the api and ensure it is up to date as later versions are implemented.
-
-Implemented and validate content types, appropriate security headers, and ensure no sensitive information (like api keys) is sent in the API's HTTP requests, and set up audit logs for critical operations, and ensure there is no data leakage through overly verbose error messages.
-
-Clear define/understand the data that is collected and transmitti by the api, particularly sensitive data. Ensure old APIS are completely deprecated. Beware of old versions that may exist/ be exposed through applications that use cloud services.
-
-Only use HTTPS, configure appropriate security headers, validate content types, and implement some form of authentication.
+APIs should be clearly/strictly defined and documented with updates made as later versions are implemented. APIs should only use HTTPS, and implement some form of authentication.
-### Example / Quiz
+Validate all content types, implement appropriate security headers, and ensure no sensitive information (like api keys) is sent in the API's HTTP requests. Audit logs should be configured for critical operations, and ensure there is no data leakage through overly verbose error messages.
-*TODO: Make Example or Quiz Question*
-
-```elixir
-
-```
+All API developers should understand the sensitivity of the data that is accessible by the API and ensure old APIs are completely deprecated. Old versions of an API that are still accessible may inadvertently expose sensitive data to malicious actors.
## Authentication Authorization and Access Controls
@@ -60,82 +45,38 @@ Only use HTTPS, configure appropriate security headers, validate content types,
REST security involves ensuring authenticated users are able to send requests to the api endpoints, users are only able to send request to perform specific actions based on user permissions/roles, and also securing the endpoints and any data involved against things like enumeration, inadvertent data exposure, and untrusted input.
-Access Controls, Authorization, Authenticantion are closely linked in their implementation to secure API call requests and to ensure only permitted activity due to REST api's being stateless in nature. Stateless meaning each call acts as an independent, self-contained, requests that is not aware of previous or subsequent requests. As such, each call is usually made with some combination of password, key, or token
+Access Controls, Authorization, Authenticantion are closely linked in their implementation to secure API call requests and to ensure only permitted activity due to REST api's being stateless in nature. Stateless meaning each call acts as an independent, self-contained, requests that is not aware of previous or subsequent requests. As such, each call is usually made with some combination of password, key, or token.
### Prevention
-Ensure API calls are restricted/allowed based on an allow list,
-
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
-
-```
+Ensuring API calls are restricted/allowed based on an allow list, and implementing a web application firewall can help ensure only legitimate access.
## Deprecate Old Endpoints
### Description
-OWASP API9:2019 Improper Assets Management
-As application gros and changes, API's may be updated. When api's are updated to current versions, the older version of the API may still be exposed/accessible
+One of the items on OWASP API top 10 list is Improper Assets Management. This issue involves keeping an inventory around what is publicly accessible, specifically when as applications change, API's get updated and older versions fall out of use.
-https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa9-improper-assets-management.md
+When api's are updated to current versions, the older version of the API, if not properly deprecated, can still be used to access data. This is especially risky if that data is sensitive and can be discovered/enumerated by malicious actors. This can be easily done if the api url contains version identifiers, like v1/.../ v2/.../, and the urls are systematically tampered with to retrieve legacy versions.
-Running old version that still have access to data, espectially if that data is sensitive can be discovered by malicious actors. This can be easily done if the api url contains version identifiers, like v1/.../ v2/.../, and the url are tampered with to retrieve legacy versions.
+### Resource
+https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa9-improper-assets-management.md
### Prevention
Completely deprecate any old version of an API. Inventory all API servers, hosts, endpoints and keep documents up to date. Be aware that older version may still be running in your environment and can be discoverable and abused by malicious actors.
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
-
-```
## Restrict HTTP Methods
### Description
Access and other interactions with resources in a Resftully implemented api are done using HTTP methods, with requests/calls sending requests using
-POST, GET, PUSH, DELETE Methods for Creating, Reading, Updating, and Deleting Resources respectively and the service using HTTP Return Codes in response.
-
-### Prevention
-When designing/building an api, documentation should include an allow list of permitted methods (actions) that are allowed to be processed by the api server, and therefore allowed to be performed on the data/resources.
-
-
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
+POST, GET, PUSH, DELETE Methods for Creating, Reading, Updating, and Deleting Resources respectively and the service using HTTP Return Codes in response.
-```elixir
-
-```
-
-## Input Validation
-
-### Description
-
-API may pass untrusted input via URL parameters and request content making the API vulnerable to
-Injection Flaws (API8:2019) which represent a
-
-Another issue for APIs is incoming may contain a large payload, or particularly if publicly exposed, could be the target for a denial of service attack.
-
-(See rate limiting section for more)
+Depending on the application, not all of these methods may be needed for client to interact with the api.
### Prevention
-Validating incoming URL and request elements to the API server and establishing a white list and configuring the server to reject all requests that aren't on the approaved whitelist
-
-
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
+When designing/building an api, documentation should include an allow list of permitted methods (actions) that are allowed to be processed by the api server, and therefore allowed to be performed on the data/resources.
-```
### Additional References
+ https://owasp.org/www-project-api-security/