Web API security

Web API security entails authenticating programs or users who are invoking a web API.

Along with the ease of API integrations come the difficulties of ensuring proper authentication (AuthN) and authorization (AuthZ). In a multitenant environment, security controls based on proper AuthN and AuthZ can help ensure that API access is limited to those who need (and are entitled to) it. Appropriate AuthN schemes enable producers (APIs or services) to properly identify consumers (clients or calling programs), and to evaluate their access level (AuthZ). In other words, may a consumer invoke a particular method (business logic) based on the credentials presented?

"Interface design flaws are widespread, from the world of crypto processors through sundry embedded systems right through to antivirus software and the operating system itself."

Method of authentication and authorization

The most common methods for authentication and authorization include:

Static strings: These are like passwords that are provided by APIs to consumers.
Dynamic tokens: These are time-based tokens obtained by the caller from an authentication service.
User-delegated tokens: These are tokens such as OAuth which are granted based on user authentication.
Policy & attribute-based access control: policies use attributes to define how APIs can be invoked, using standards such as ALFA or XACML.

The above methods provide different levels of security and ease of integration. Oftentimes, the easiest method of integration also offers the weakest security model.

Static strings

[Figure: Basic Authentication Block Diagram]

In the static strings method, the API caller or client embeds a string as a token in the request. This method is often referred to as basic authentication. "From a security point of view, basic authentication is not very satisfactory. It means sending the user's password over the network in clear text for every single page accessed (unless a secure lower-level protocol, like SSL, is used to encrypt all transactions). Thus the user is very vulnerable to any packet sniffers on the net."

Dynamic tokens

When an API is protected by a dynamic token, there is a time-based nonce inserted into the token. The token has a time to live (TTL) after which the client must acquire a new token. The API method has a time check algorithm, and if the token is expired, the request is forbidden. "An example of such a token is JSON Web Token. The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing."

User-delegated token

This type of token is used in three-legged systems where an application needs to access an API on behalf of a user. Instead of revealing the user id and password to the application, the user grants a token which encapsulates the user's permission for the application to invoke the API.

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Fine-Grained Authorization for APIs

Attribute-Based Access Control

In this approach, there is a Policy Enforcement Point either within the API itself, in the API framework (as an interceptor or message handler), or as an API gateway (e.g. WSO2, Kong, or similar) that intercepts the call to the API and / or the response back from the API. It converts it into an authorization request (typically in XACML) which it sends to a Policy Decision Point (PDP). The Policy Decision Point is configured with policies that implement dynamic access control that can use any number of user, resource, action, and context attributes to define which access is allowed or denied. Policies can be about:

the resource (e.g. a bank account)
the user (e.g. a customer)
the context (e.g. time of day)
a relationship (e.g. the customer to whom the account belongs).

Policies are expressed in ALFA or XACML.

References

"API Attacks" (PDF).
"OAuth 2.0 — OAuth". oauth.net. Retrieved 2015-10-10.
"A Guide to Web Authentication Alternatives: Part 2". unixpapa.com. Retrieved 2015-10-10.
Bradley, John; Sakimura, Nat; Jones, Michael. "JSON Web Token (JWT)". tools.ietf.org. Retrieved 2015-10-10.
Hardt, Dick. "The OAuth 2.0 Authorization Framework". tools.ietf.org. Retrieved 2015-10-11.

External links

OWASP API Security Project
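The dynamic-token section above describes a token carrying a time-based nonce and a TTL that the API checks before serving the request. This added example is not from the article or any cited source: it shows both halves with a minimal JWT-style token signed with HMAC-SHA256, where the demo key, the claim values and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real API keeps this in a secret store, never in code.
SECRET_KEY = b"demo-secret-key-not-for-production"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, ttl_seconds, now=None):
    """Authentication service side: mint a JWT-style token (header.payload.signature)
    with an 'exp' claim of issue time + TTL and a random nonce ('jti')."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds,
               "jti": secrets.token_hex(8)}  # nonce: every issued token is distinct
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def check_token(token, now=None):
    """API side: the time-check step. Verify the HMAC first (so a client cannot
    simply edit 'exp'), then refuse any token whose 'exp' is on or before now.
    Returns (allowed, subject_or_reason)."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong number of parts or bad base64
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" not in claims:
        return False, "no exp claim"  # a token with no TTL is not a dynamic token
    if now >= claims["exp"]:
        return False, "expired"  # the API answers 403 Forbidden here
    return True, claims["sub"]
```

The signature check comes before the expiry check on purpose: an unsigned or tampered token must never reach the time comparison, since otherwise a client could extend its own TTL.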
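The attribute-based access control section lists policies over the resource, user, context and relationship attributes of a bank account. This added example is not from the article: it implements a small PEP/PDP pair in plain Python instead of XACML or ALFA, with deny-overrides combining, and the account data, roles and policy names are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data; "owner" is the relationship attribute (whose account it is).
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "branch": "north"},
    "acct-2002": {"owner": "bob", "branch": "south"},
}

@dataclass
class Policy:
    name: str
    effect: str                        # "Permit" or "Deny"
    target: Callable[[dict], bool]     # does the policy apply to this request?
    condition: Callable[[dict], bool]  # attribute test that must hold for the effect

POLICIES = [
    Policy("customer may view own account", "Permit",
           lambda r: r["user"]["role"] == "customer" and r["action"] == "view",
           lambda r: r["resource"]["owner"] == r["user"]["id"]),
    Policy("customer may transfer from own account", "Permit",
           lambda r: r["user"]["role"] == "customer" and r["action"] == "transfer",
           lambda r: r["resource"]["owner"] == r["user"]["id"]),
    Policy("teller may view accounts of own branch", "Permit",
           lambda r: r["user"]["role"] == "teller" and r["action"] == "view",
           lambda r: r["resource"]["branch"] == r["user"]["branch"]),
    Policy("no transfers outside business hours", "Deny",
           lambda r: r["action"] == "transfer",
           lambda r: not (9 <= r["context"]["hour"] < 17)),
]

def decide(request):
    """PDP, deny-overrides: an applicable Deny beats any Permit; none applicable -> NotApplicable."""
    decision = "NotApplicable"
    for p in POLICIES:
        if p.target(request) and p.condition(request):
            if p.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision

def pep_handle(user, account_id, action, hour):
    """PEP (gateway or interceptor): build the attribute request, ask the PDP, enforce."""
    if account_id not in ACCOUNTS:
        return False
    request = {"user": user, "resource": ACCOUNTS[account_id],
               "action": action, "context": {"hour": hour}}
    return decide(request) == "Permit"
```

Note that the PEP treats NotApplicable exactly like Deny: a request no policy speaks to is refused, which is the fail-closed default a gateway should keep.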