Protección de APIs REST

The purpose of this work is to analyze the security context in REST APIs, identify the main vulnerabilitys faced by this type of architecture and list some of the possible solutions to them. This analysis has been carried out through a proof of concept in which a REST API created for this purpose ha...

ver descrição completa

Detalhes bibliográficos
Autor: Hernando Calleja, Daniel
Tipo de documento: dissertação
Data de publicação:2021
País:España
Recursos:Universitat Oberta de Catalunya (UOC)
Repositório:O2, repositorio institucional de la UOC
OAI Identifier:oai:openaccess.uoc.edu:10609/132467
Acesso em linha:http://hdl.handle.net/10609/132467
Access Level:Acceso aberto
Palavra-chave:API
REST
OAuth
Computer security -- TFM
Seguretat informàtica -- TFM
Seguridad informática -- TFM
Descrição
Resumo:The purpose of this work is to analyze the security context in REST APIs, identify the main vulnerabilitys faced by this type of architecture and list some of the possible solutions to them. This analysis has been carried out through a proof of concept in which a REST API created for this purpose has been defined, codified and protected. For its protection, an API Management product, WSO2 API Manager, has been used, positioning itself as an intermediary for the accesses that the API provides. This product allows adding a security layer between the consumer and the producer of the API independent to them, so that it has been installed and configured to protect the API against practical examples of the main attacks of which this type of REST architecture is objective. For the construction of the REST API, technological standards such as OpenAPI 3.0 or Spring Boot have been used, while for the protection of the API, security mechanisms such as HTTPS and JWS have been used. For the authentication and authorization of access to the API, the OAuth standard has been used, applying all these options in a transversal way through the configuration of the API Manager. The conclusions obtained have been satisfactory, since it has been possible to undertake protection actions against the vulnerabilities identified as most important through the proposed solution.