Protección de APIs REST
| Author: | |
|---|---|
| Resource type: | master's thesis |
| Publication date: | 2021 |
| Country: | Spain |
| Institution: | Universitat Oberta de Catalunya (UOC) |
| Repository: | O2, institutional repository of the UOC |
| OAI Identifier: | oai:openaccess.uoc.edu:10609/132467 |
| Online access: | http://hdl.handle.net/10609/132467 |
| Access level: | open access |
| Keywords: | API REST; OAuth; Computer security -- TFM; Seguretat informàtica -- TFM; Seguridad informática -- TFM |
| Summary: | The purpose of this work is to analyze the security context in REST APIs, identify the main vulnerabilities faced by this type of architecture and list some of the possible solutions to them. This analysis has been carried out through a proof of concept in which a REST API created for this purpose has been defined, coded and protected. For its protection, an API Management product, WSO2 API Manager, has been used, positioning itself as an intermediary for the accesses that the API provides. This product allows adding a security layer between the consumer and the producer of the API that is independent of them, so it has been installed and configured to protect the API against practical examples of the main attacks that target this type of REST architecture. For the construction of the REST API, technological standards such as OpenAPI 3.0 or Spring Boot have been used, while for the protection of the API, security mechanisms such as HTTPS and JWS have been used. For the authentication and authorization of access to the API, the OAuth standard has been used, applying all these options in a transversal way through the configuration of the API Manager. The conclusions obtained have been satisfactory, since it has been possible to undertake protection actions against the vulnerabilities identified as most important through the proposed solution. |