Solved

authenticating a REST call when there is already a session

Posted on 2013-11-13
8
331 Views
Last Modified: 2013-11-14
Hi Experts,

I'm interested in hearing my options when I have a REST API that any authenticated individual can call.  Basically, there's an ID that's reused across multiple REST calls and anyone looking at the URL can do injection attacks on it (if they are authenticated of course).

Any options or best-practices that exist for this?

Many thanks,
Mike
0
Comment
Question by:thready
  • 4
  • 4
8 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39646336
I'm not sure I understand the question.  Anyone who authenticates looks like a legitimate user.  Besides the normal user logouts and session timeouts, what are you looking for?
0
 
LVL 1

Author Comment

by:thready
ID: 39646655
The unique ID used in the REST call is one used during that session, assigned by the server with a previous get from the client.  The rest API can be tampered with if someone sniffs URLs coming from a legitimate user (from another badly behaving legitimate user who's logged in.)  Since anyone can see that unique ID, another user can make a REST call with it with bad data and it would break the behavior of the API...  please let be know if this is still not so clear...
Thanks!
Mike
0
 
LVL 1

Author Comment

by:thready
ID: 39646661
Basically, URLs are not encrypted over HTTPS, so anyone can see that ID.  presumably, all you would need to do to break this REST API would be to use it maliciously...  by logging in and using someone else's ID...  from their own API call...
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 39647091
You can not distinguish two users who use legitimate logins.

http://en.wikipedia.org/wiki/Representational_state_transfer

This RFC http://tools.ietf.org/html/rfc2818 says that only the server name is sent in the clear to make a TLS connection and that everything else including the actual URL and headers are sent encrypted.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 1

Author Comment

by:thready
ID: 39647336
Where does the rfc say that only the server name is sent in the clear? I can't find that anywhere...
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39648782
Note "a connection to the server".
2.1. Connection Initiation


   The agent acting as the HTTP client should also act as the TLS
   client.  It should initiate a connection to the server on the
   appropriate port and then send the TLS ClientHello to begin the TLS
   handshake. When the TLS handshake has finished. The client may then
   initiate the first HTTP request.  All HTTP data MUST be sent as TLS
   "application data".  Normal HTTP behavior, including retained
   connections should be followed.
That is also what I see in Fiddler.
0
 
LVL 1

Author Closing Comment

by:thready
ID: 39649093
Kick-ass answer.  Thanks a lot!  awesome.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39649178
You're welcome, thanks for the points.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction A frequently used term in Object-Oriented design is "SOLID" which is a mnemonic acronym that covers five principles of OO design.  These principles do not stand alone; there is interplay among them.  And they are not laws, merely princ…
Online collaboration is quickly becoming embedded in the workplace, and its benefits are tangible. See what the current landscape looks like and what the future holds for collaboration tools and the future of work.
The purpose of this video is to demonstrate how to set up the WordPress backend so that each page automatically generates a Mailchimp signup form in the sidebar. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome…
This video teaches users how to migrate an existing Wordpress website to a new domain.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now