Security of REST authentication schemes

Background:

I'm designing the authentication scheme for a REST web service. This doesn't "really" need to be secure (it's more of a personal project) but I want to make it as secure as possible as an exercise/learning experience. I don't want to use SSL since I don't want the hassle and, mostly, the expense of setting it up.

These SO questions were especially useful to get me started:

- [RESTful Authentication](https://stackoverflow.com/questions/319530/restful-authentication)
- [Best Practices for securing a REST API / web service](https://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service)
- [Examples of the best SOAP/REST/RPC web APIs? And why do you like them? And what's wrong with them?](https://stackoverflow.com/questions/409338/examples-of-the-best-soap-rest-rpc-web-apis-and-why-do-you-like-them-and-whats)

I'm thinking of using a simplified version of [Amazon S3's authentication](http://docs.amazonwebservices.com/AmazonS3/2006-03-01/index.html?RESTAuthentication.html) (I like [OAuth](http://oauth.net/) but it seems too complicated for my needs). I'm adding a randomly generated [nonce](http://en.wikipedia.org/wiki/Cryptographic_nonce), supplied by the server, to the request, to prevent replay attacks.

To get to the question:

Both S3 and OAuth rely on signing the request URL along with a few selected headers. **Neither of them signs the request body** for POST or PUT requests. Isn't this vulnerable to a man-in-the-middle attack, which keeps the URL and headers and replaces the request body with any data the attacker wants?

It seems like I can guard against this by including a hash of the request body in the string that gets signed. Is this secure?