A security analysis of authentication and authorization implemented in web applications based on the REST architecture


Abstract

The purpose of this article is to present a security analysis of the authentication and authorization mechanisms used in web applications based on the REST architecture. It analyzes the problems encountered when implementing the JSON Web Token (JWT) mechanism, presents examples of authorization and authentication implementation flaws, and describes good practices that help ensure application security.


Keywords

REST; JWT; API; security; security vulnerability



Published: 2020-09-30


Muszyński, T., & Koziel, G. (2020). A security analysis of authentication and authorization implemented in web applications based on the REST architecture. Journal of Computer Sciences Institute, 16, 252-260. https://doi.org/10.35784/jcsi.1925

Tomasz Muszyński, tomasz.muszynski@pollub.edu.pl, Poland
Grzegorz Koziel