Securing RESTful APIs using OAuth

What is OAuth

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf

 OAuth Roles

OAuth defines four roles:

• resource owner:

Could be you. An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.

• resource server:

The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

• client:

An application making protected resource requests on behalf of the resource owner and with its authorization. It could be a mobile app asking your permission to access your Facebook feeds, a REST client trying to access REST API, a web site [Stackoverflow e.g.] providing an alternative login option using Facebook account.

• authorization server:

The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

OAuth Authorization Grant types

An authorization grant is a credential representing the resource owner’s authorization (to access its protected resources) used by the client to obtain an access token. The specification defines four grant types:

• authorization code
• implicit
• resource owner password credentials
• client crederce owner password credentials grant type. 

1.Resource Server

	package example.security;
	import org.springframework.context.annotation.Configuration;
	import org.springframework.security.config.annotation.web.builders.HttpSecurity;
	import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
	import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
	import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
	import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
	@Configuration
	@EnableResourceServer
	public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
	private static final String RESOURCE_ID = "my_rest_api";
	@Override
	public void configure(ResourceServerSecurityConfigurer resources) {
	resources.resourceId(RESOURCE_ID).stateless(false);
	}
	@Override
	public void configure(HttpSecurity http) throws Exception {
	http.
	anonymous().disable()
	.requestMatchers().antMatchers("/user/**")
	.and().authorizeRequests()
	.antMatchers("/user/**").access("hasRole('ADMIN')")
	.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
	}
	}

view raw ResourceServerConfiguration.java hosted with ❤ by GitHub

2.Authorization Server

	package example.security;
	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.beans.factory.annotation.Qualifier;
	import org.springframework.context.annotation.Configuration;
	import org.springframework.security.authentication.AuthenticationManager;
	import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
	import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
	import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
	import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
	import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
	import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
	import org.springframework.security.oauth2.provider.token.TokenStore;
	@Configuration
	@EnableAuthorizationServer
	public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
	private static String REALM="MY_OAUTH_REALM";
	@Autowired
	private TokenStore tokenStore;
	@Autowired
	private UserApprovalHandler userApprovalHandler;
	@Autowired
	@Qualifier("authenticationManagerBean")
	private AuthenticationManager authenticationManager;
	@Override
	public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
	clients.inMemory()
	.withClient("my-trusted-client")
	.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
	.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
	.scopes("read", "write", "trust")
	.secret("secret")
	.accessTokenValiditySeconds(120).//Access token is only valid for 2 minutes.
	refreshTokenValiditySeconds(600);//Refresh token is only valid for 10 minutes.
	}
	@Override
	public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
	endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
	.authenticationManager(authenticationManager);
	}
	@Override
	public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
	oauthServer.realm(REALM+"/client");
	}
	}

view raw AuthorizationServerConfiguration.java hosted with ❤ by GitHub

3.REST API

	package example.controller;
	import java.util.List;
	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.http.HttpHeaders;
	import org.springframework.http.HttpStatus;
	import org.springframework.http.MediaType;
	import org.springframework.http.ResponseEntity;
	import org.springframework.web.bind.annotation.PathVariable;
	import org.springframework.web.bind.annotation.RequestBody;
	import org.springframework.web.bind.annotation.RequestMapping;
	import org.springframework.web.bind.annotation.RequestMethod;
	import org.springframework.web.bind.annotation.RestController;
	import org.springframework.web.util.UriComponentsBuilder;
	import com.websystique.springmvc.model.User;
	import com.websystique.springmvc.service.UserService;
	@RestController
	public class HelloWorldRestController {
	@Autowired
	UserService userService; //Service which will do all data retrieval/manipulation work
	//-------------------Retrieve All Users--------------------------------------------------------
	@RequestMapping(value = "/user/", method = RequestMethod.GET)
	public ResponseEntity<List<User>> listAllUsers() {
	List<User> users = userService.findAllUsers();
	if(users.isEmpty()){
	return new ResponseEntity<List<User>>(HttpStatus.NO_CONTENT);//You many decide to return HttpStatus.NOT_FOUND
	}
	return new ResponseEntity<List<User>>(users, HttpStatus.OK);
	}
	//-------------------Retrieve Single User--------------------------------------------------------
	@RequestMapping(value = "/user/{id}", method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE,MediaType.APPLICATION_XML_VALUE})
	public ResponseEntity<User> getUser(@PathVariable("id") long id) {
	System.out.println("Fetching User with id " + id);
	User user = userService.findById(id);
	if (user == null) {
	System.out.println("User with id " + id + " not found");
	return new ResponseEntity<User>(HttpStatus.NOT_FOUND);
	}
	return new ResponseEntity<User>(user, HttpStatus.OK);
	}
	//-------------------Create a User--------------------------------------------------------
	@RequestMapping(value = "/user/", method = RequestMethod.POST)
	public ResponseEntity<Void> createUser(@RequestBody User user, UriComponentsBuilder ucBuilder) {
	System.out.println("Creating User " + user.getName());
	if (userService.isUserExist(user)) {
	System.out.println("A User with name " + user.getName() + " already exist");
	return new ResponseEntity<Void>(HttpStatus.CONFLICT);
	}
	userService.saveUser(user);
	HttpHeaders headers = new HttpHeaders();
	headers.setLocation(ucBuilder.path("/user/{id}").buildAndExpand(user.getId()).toUri());
	return new ResponseEntity<Void>(headers, HttpStatus.CREATED);
	}
	//------------------- Update a User --------------------------------------------------------
	@RequestMapping(value = "/user/{id}", method = RequestMethod.PUT)
	public ResponseEntity<User> updateUser(@PathVariable("id") long id, @RequestBody User user) {
	System.out.println("Updating User " + id);
	User currentUser = userService.findById(id);
	if (currentUser==null) {
	System.out.println("User with id " + id + " not found");
	return new ResponseEntity<User>(HttpStatus.NOT_FOUND);
	}
	currentUser.setName(user.getName());
	currentUser.setAge(user.getAge());
	currentUser.setSalary(user.getSalary());
	userService.updateUser(currentUser);
	return new ResponseEntity<User>(currentUser, HttpStatus.OK);
	}
	//------------------- Delete a User --------------------------------------------------------
	@RequestMapping(value = "/user/{id}", method = RequestMethod.DELETE)
	public ResponseEntity<User> deleteUser(@PathVariable("id") long id) {
	System.out.println("Fetching & Deleting User with id " + id);
	User user = userService.findById(id);
	if (user == null) {
	System.out.println("Unable to delete. User with id " + id + " not found");
	return new ResponseEntity<User>(HttpStatus.NOT_FOUND);
	}
	userService.deleteUserById(id);
	return new ResponseEntity<User>(HttpStatus.NO_CONTENT);
	}
	//------------------- Delete All Users --------------------------------------------------------
	@RequestMapping(value = "/user/", method = RequestMethod.DELETE)
	public ResponseEntity<User> deleteAllUsers() {
	System.out.println("Deleting All Users");
	userService.deleteAllUsers();
	return new ResponseEntity<User>(HttpStatus.NO_CONTENT);
	}
	}

view raw HelloWorldRestController.java hosted with ❤ by GitHub

Sending Request to /oauth/token with grant_password and resource owners credentials will generate the access token and refresh tokens

http://localhost:8080/Securing_RESTful_API_with_OAuth/oauth/token?grant_type=password&username=User1&password=abc123

Use the token you received to access the resources 

GET http://localhost:8080/Securing_RESTful_API_with_OAuth/user/?access_token=3525d0e4-d881-49e7-9f91-bcfd18259109

CSRF Synchronizer Token

CSRF

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does. As such, CSRF attacks target state-changing requests.

Synchronizer Token as a Protection

Synchronizer tokens are often referred to as “challenge” tokens. These challenge tokens are included within an HTML form and associated with sensitive server-side tasks. When a user wants to execute a sensitive operation the request needs to include the challenge token.
On the server side, the web application verifies that the request includes the token. If it does not, the server rejects the request. Note that this method does require a server side state to be stored and quickly accessible. It is currently considered the best way to prevent CSRF attacks.

Code for the Synchronizer Token Example is found Here

image via : Stormpath.com

image via : Stormpath.com

CSRF Double Submit Cookie

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Double Submit Cookie as a protection

If storing the CSRF token in session is problematic, an alternative defense is use of a double submit cookie. A double submit cookie is defined as sending a random value in both a cookie and as a request parameter, with the server verifying if the cookie value and request value match.
When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site does not have to save this value in any way, thus avoiding server side state. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie. Since the cookie value and the request parameter or form value must be the same, the attacker will be unable to successfully force the submission of a request with the random CSRF value.

Vulnerable app and the protection can be downloaded from here. 

Veil 3.0 For Undetectable Payloads

As I mentioned in the previous post, it is very important to have undetectable payloads if you want to attack a target with anti-malware security controls. Veil 3.0 is another  framework which allows us to create undetectable payloads that can be used to attack Windows based targets. Here we are trying to change the signature of known metasploit payloads so we can bypass the signature based detection in anti-virus software. Veil 3.0 is the latest release of the previously known Veil-Evasion framework.

How to install?
First you have to download veil 3.0 from github, You can use git command to clone the veil repository.
git clone https://github.com/Veil-Framework/Veil.git
after the download is finished, move into Veil/setup directory to start the installation
cd Veil/setup
./setup.sh

this will start the installer

this process will take some time and will prompt you to install python and other needed softwares and libraries. Install them if they are not already installed on your system.

Passive Reconnaissance Using Shodan

Shodan is a search engine developed by John Matherly. Even though Shodan is called  as a search engine it is different from content search engines like Google. While Search engines like Google crawl through the internet searching for content Shodan scans the internet for open port and grab banners from those open ports. Shodan allows users to search devices connected to internet and obtain information like open ports, services and the service versions of those

Evading Anti-Virus Detection with Shellter

Anti virus softwares are the last and only defense against malwares in most of the personal computers. So getting through them or evading them is one of the most important thing in penetrating such systems. Payload encoding is one of the method used by attackers to evade detection. You can use metasploit built-in encoders to encode your payloads, but most of the anti virus solutions will detect these payloads. So we need alternatives to evade the detection. Shellter is one of the available solution.

Shellter is able to re-encode windows  32 bit application packages after including the payload or the shell codes so that anti virus softwares will not be able to detect it.

Shellter is not built into Kali Linux, so you have to install it manually. You can either download  Shellter from here or use the command apt-get install shellter

Linux Basics - Networking Commands

If you are interested in computer security domain, it is important you have a good understanding about networking, particularly networking associated with Linux. so lets take a look at a few basic commands that are used in Linux OS.

ifconfig is one of the mostly used commands when it comes to networking in Linux. It provides you with lot of information regarding the available network interfaces. This command is very similar to the ipconfig command in Windows.