CISSP PRACTICE QUESTIONS – 20210909

Effective CISSP Questions

Your team is developing a user experience that invokes a RESTful API developed by another in-house team using federated identity. The API requires authentication invoked through GET https://api.WentzWu.com/user/{username}/{password}. Which of the following is correct? (Wentz QOTD)
A. The API is compliant with the RESTful style.
B. The API shall employ HTTP POST to enforce confidentiality.
C. The API shall not use the username and password for authentication.
D. The API has a vulnerability that can be identified only as early as in the testing phase.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. The API shall not use the username and password for authentication.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

In a federation system, the user or resource owner authenticates to the identity provider instead of the resource or API server. The identity provider issues tokens to the client so that it can access the API server.

HTTPS enforces confidentiality, but the POST method doesn’t. An HTTP request using the POST method is transmitted in cleartext.

The API has a vulnerability that can be identified as early as in the design phase through threat modeling.
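The design-phase check described above, as an added example that is not part of the original post: a small reviewer that flags endpoint definitions that carry a password in the URL, use plain HTTP, or declare no identity-provider token. The finding labels, the `auth` field, the name heuristic, and the second and third endpoints are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed naming heuristic for parameters that carry a secret.
SECRET_NAME = re.compile(r"pass|pwd|secret", re.IGNORECASE)
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def review_endpoint(method, url_template, auth=None):
    """Return design-review findings for one endpoint definition.

    auth is the declared credential type (hypothetical field): "bearer"
    for an IdP-issued token in the Authorization header, None otherwise.
    """
    parts = urlsplit(url_template)
    findings = []
    # Confidentiality comes from HTTPS; GET versus POST does not change it.
    if parts.scheme.lower() != "https":
        findings.append("cleartext-transport")
    # Collect path placeholders and query-string keys, then look for secrets.
    names = PLACEHOLDER.findall(parts.path)
    names += [key for key, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if any(SECRET_NAME.search(name) for name in names):
        findings.append("password-in-url")
    # In a federation the API server should accept a token, not a password.
    if auth != "bearer":
        findings.append("no-federated-token")
    return findings


# Constructed endpoint definitions; the first is the one in the question.
ENDPOINTS = [
    ("GET", "https://api.WentzWu.com/user/{username}/{password}", None),
    ("POST", "http://api.WentzWu.com/user/{username}/{password}", None),
    ("GET", "https://api.WentzWu.com/user/{username}", "bearer"),
]


def review_all(endpoints=ENDPOINTS):
    """Map each 'METHOD url' string to its list of findings."""
    return {f"{m} {u}": review_endpoint(m, u, a) for m, u, a in endpoints}


if __name__ == "__main__":
    for endpoint, findings in review_all().items():
        print(endpoint, "->", findings or "ok")
```

Switching the second definition to POST does not clear any finding, which is the point behind option B.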

RESTful API

A RESTful API is typically accessed through a base URI, uses standard HTTP methods, and returns a media type. The HTTP request, GET https://api.WentzWu.com/user/{username}/{password}, looks like a RESTful API request. However, we don’t know how the API returns the result, so we cannot conclude that it is RESTful.

The following is a summary of RESTful APIs from Wikipedia:

Representational state transfer (REST) is a software architectural style that was created to guide the design and development of the architecture for the World Wide Web.

REST has been employed throughout the software industry and is a widely accepted set of guidelines for creating stateless, reliable web APIs.

Web service APIs that adhere to the REST architectural constraints are called RESTful APIs. HTTP-based RESTful APIs are defined with the following aspects:

a base URI, such as http://api.example.com/;
standard HTTP methods (e.g., GET, POST, PUT, and DELETE);
a media type that defines state transition data elements (e.g., Atom, microformats, application/vnd.collection+json, etc.). The current representation tells the client how to compose requests for transitions to all the next available application states. This could be as simple as a URI or as complex as a Java applet.



