A security analysis of authentication and authorization implemented in web applications based on the REST architecture

Tomasz Muszyński

tomasz.muszynski@pollub.edu.pl
Politechnika Lubelska (Poland)

Grzegorz Koziel

(Poland)

Abstract

The purpose of this article is to present a security analysis of authentication and authorization mechanisms in web applications based on the REST architecture. The article analyzes the problems encountered when implementing the JSON Web Token (JWT) mechanism, presents examples of flaws in authorization and authentication implementations, and describes good practices that help ensure application security.

Keywords:

REST, JWT, API, security, security vulnerability

Published
2020-09-30

Muszyński, T., & Koziel, G. (2020). A security analysis of authentication and authorization implemented in web applications based on the REST architecture. Journal of Computer Sciences Institute, 16, 252–260. https://doi.org/10.35784/jcsi.1925
