28

This is probably a generic security question, but I thought I'd ask in the realm of what I'm developing.

The scenario is: A web service (WCF Web Api) that uses an API Key to validate and tell me who the user is, and a mix of jQuery and application on the front ends.

On the one hand, the traffic can be https so it cannot be inspected, but if I use the same key per user (say a guid), and I am using it in both then there's the chance it could be taken and someone could impersonate the user.

If I implement something akin to OAuth, then a user and a per-app key is generated, and that could work - but still for the jQuery side I would need the app API key in the javascript.

This would only be a problem if someone was on the actual computer and did a view-source.

What should I do?

  1. md5 or encrypt the key somehow?
  2. Put the key in a session variable, then when using ajax retrieve it?
  3. Get over it, it's not that big a deal/problem.

I'm sure it's probably a common problem - so any pointers would be welcome.

To make this clearer - this is my API I have written that I am querying against, not a google, etc. So I can do per session tokens, etc, I'm just trying to work out the best way to secure the client side tokens/keys that I would use.

I'm being a bit overly cautious here, but just using this to learn.

crucible
  • 3,109
  • 2
  • 28
  • 35

5 Answers5

18

(I suggest tagging this post "security".)

First, you should be clear about what you're protecting against. Can you trust the client at all? A crafty user could stick a Greasemonkey script on your page and call exactly the code that your UI calls to send requests. Hiding everything in a Javascript closure only means you need a debugger; it doesn't make an attack impossible. Firebug can trace HTTPS requests. Also consider a compromised client: is there a keylogger installed? Is the entire system secretly running virtualized so that an attacker can inspect any part of memory at any time at their leisure? Security when you're as exposed as a webapp is is really tricky.

Nonetheless, here are a few things for you to consider:

  1. Consider not actually using keys but rather HMAC hashes of, e.g., a token you give immediately upon authentication.

  2. DOM storage can be a bit harder to poke at than cookies.

  3. Have a look at Google's implementation of OAuth 2 for an example security model. Basically you use tokens that are only valid for a limited time (and perhaps for a single IP address). That way even if the token is intercepted or cloned, it's only valid for a short length of time. Of course you need to be careful about what you do when the token runs out; could an attacker just do the same thing your code does and get a new valid token?

Don't neglect server-side security: even if your client should have checked before submitting the request, check again on the server if the user actually has permission to do what they're asking. In fact, this advice may obviate most of the above.

Ken Arnold
  • 1,942
  • 1
  • 20
  • 24
  • Absolutely, there will be restrictions and checks on what each user can do server side, and logging, but I wanted to make sure that the thing that tells the server who that person is, is not open to corruption. – crucible Jun 14 '11 at 01:22
7

It depends on how the API key is used. API keys like that provided by Google are tied to the URL of the site originating the request; if you try and use the key on a site with an alternate URL then the service throws and error thus removing the need to protect the key on the client side.

Some basic API's however are tied to a client and can be used across multiple domains, so in this instance I have previously gone with the practice of wrapping this API in server side code and placing some restrictions on how the client can communicate with the local service and protecting the service.

My overall recommendation however would be to apply restrictions on the Web API around how keys can be used and thus removes the complications and necessity of trying to protect them on the client.

LewisBenge
  • 2,706
  • 16
  • 20
2

Generally in cases like this though you proxy requests through the server using 'AJAX' which verifies the browser making requests is authorized to do so. If you want to call the service directly from JavaScript, then you need some kind of token system like JSON Web Tokens (JWT) and you'll have to work out cross-domain issues if the service is located somewhere other than the current domain.

Harry Wood
  • 2,220
  • 2
  • 24
  • 46
John Sheehan
  • 77,456
  • 30
  • 160
  • 194
2

How about using jQuery to call server side code that handles communication with the API. If you are using MVC you can call a controller action that can contain the code and API key to hit your service and return a partial view (or even JSON) to your UX. If you are using web forms you could create an aspx page that will do the API communication in the code behind and then write content to the response stream for your UX to consume. Then your UX code can just contain some $.post() or $.load() calls to your server side code and both your API key and endpoint would be protected.

Justin Schwartzenberger
  • 2,576
  • 2
  • 17
  • 20
  • 1
    I still need to provide some way of telling that who the person is and confirm that, which would probably still require a token? – crucible Jun 13 '11 at 23:33
  • @justin-schwartzenberger And what about everyone else out there who might be accessing my server side code? Technically, they get access to the protected resources for free, unless I protect my server side to be executed only from the same domain – Preslav Rachev Dec 19 '13 at 17:48
0

see http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx for more information (How to do API Key Verification for REST Services in .NET 4)

Thinker
  • 32
  • 2