A security analysis of authentication and authorization implemented in web applications based on the REST architecture
Tomasz Muszyński
tomasz.muszynski@pollub.edu.pl, Politechnika Lubelska (Poland)
Grzegorz Koziel (Poland)
Abstract
This article presents a security analysis of the authentication and authorization mechanisms used in web applications based on the REST architecture. It analyzes the problems encountered when implementing the JSON Web Token (JWT) mechanism, gives examples of flaws in the implementation of authorization and authentication, and describes good practices that help ensure application security.
Keywords:
REST, JWT, API, security, security vulnerability
License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.