Defensive API programming techniques for Gophers
© 2023 Verosint. All rights reserved.
Defensive API development
techniques for Gophers
Bertold Kolics
1
LASCON ‘2023, September 27, 2023, Austin, TX USA
My Context
● Question Asker, Bulldog Engineer
● Not a
○ Gatekeeper
○ PEN tester, or even a security tester
● Managing risk
● Verosint - small startup < 20 employees
○ SaaS business
○ Detect & prevent online account fraud
● Past roles
○ IT, pre-sales, QA, developer, manager
2
Motivation
● API as a business for many vendors just like Verosint
○ APIs are accessed directly and indirectly
● Rarely any SaaS application is built in isolation
○ i.e. consumers of 3rd party applications exposed via APIs
● Para-functional requirements are implied to deliver customer value:
○ security
○ reliability/availability
○ scalability/performance
● Malicious actors may cost business $$$
○ outages
○ reduced availability
● Defensive posture at the application layer needed for a multi-pronged approach
3
Agenda
● Focus on Go language for building, maintaining and securing HTTP-based APIs
○ code samples, libraries, practices
● Out of scope
○ infrastructure
○ hardware or hosted solutions
○ HTTP/3
○ Non-HTTP APIs
○ GraphQL
● Basic familiarity with Go, HTTP assumed
4
bit.ly/lascon2023
credit: Pragmatic Programmers
Deployment View
5
Typical Cloud Deployment
● Often includes
○ Gateways (API, NAT)
○ Load balancers
○ Reverse Proxies
○ External services (e.g. authentication, authorization)
○ Application
● Understand what protection, mitigation techniques are available at each layer
● Overlap is OK
6
API Service Implementation with Go
● Deployment options include:
○ Microservice
○ Serverless
● Implementation will need to address
○ authentication
○ authorization
○ request paths to handle
○ HTTP methods to support (and not support)
○ payload (schema) for requests and responses
○ possibly: resource limits
7
Building HTTP APIs with Go
8
Go - The Good Side*
● No 3rd-party library required
○ unlike other languages
○ reduced attack surface
○ much reduced risk for supply chain attacks
● Core language supports testing
○ unit, fuzzing, performance
9
*Is there a bad side? 🤔
When You Need 3rd-Party Libraries
● Carefully consider options
○ not just functionality or licenses
● Support is key for both open-source and commercial libraries
● Criteria for evaluating OSS projects
○ age of the project, adoption, responsiveness of maintainers, openness to contributions, commit activity/history, release history/frequency, documentation, automated test coverage, availability of code quality metrics, presence of security tests/scans, number of open issues, rate of closing issues, number of dependencies
● Run your own scanners
● GitHub/GitLab provide plenty of repository information to help assessments
10
Image credit
Mohamed Hassan from Pixabay
GitHub Insights for Assessing 3rd-Party Libraries
11
3rd-Party Libraries
● Test openness
○ open a pull request
○ open an issue
● And test the time it takes to get a response & the quality of response
12
Example: go-resty
● Makes interacting with RESTful HTTP APIs more convenient
● But …
○ maintainer non-responsive for a long time
○ release frequency was poor until last month
● And with a defect present in 2.7.0
○ sync pool data race condition
○ occurred a few times a day on a production system
○ spent a lot of time chasing the issue
○ only fixed in March without a release tag
13
Example: go-resty
14
The library handled buffers incorrectly across concurrent requests
Keep Go and Dependencies Up-to-Date
15
● Dependencies - regular updates in all repositories
○ Renovate bot is a life saver
● Use govulncheck to test for vulnerable components
● Go - sign up for release announcements
○ 1.21.3 addresses rapid stream reset vulnerability
● Recent entry from Cloudflare blog
○ HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks
Common Pattern for Go API Implementations
16
● Configure the routes
○ Associate query paths with handler functions using a multiplexer/router
○ Implicitly configure the HTTP methods to handle
● Different router packages available: built-in, chi, gorilla
● Implement the handler function
○ router invokes handler function
○ parallel executions should be expected
● Handler function
○ validates request (request parameters, headers, payload)
○ executes business logic
○ sends response to client
Recovery function
● An unrecoverable issue in the handler might cause unexpected state in the application
○ for example: nil pointer dereference
○ in a go routine: it may crash the app
● Create a recovery function
○ allows graceful recovery
○ and the recovery function can also log the details about the crash for diagnosis
17
Example Recovery Handler
18
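Slide 18's recovery handler is only an image in the deck, so here is an added Go example (my own code, not Verosint's) of the middleware the previous slide describes: a deferred recover that logs the panic with its stack trace and answers 500, plus a helper for goroutines started from a handler, which no one else recovers. The crashing handler, the logger and the request path are constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
)

// Recover turns a panic inside the wrapped handler (nil pointer dereference,
// index out of range, ...) into a 500 response plus a log line with the stack
// trace. net/http does recover handler panics on its own, but it then closes
// the connection without a response and logs only through the server's
// ErrorLog; doing it in middleware gives the client a proper status and lets
// you attach request details for diagnosis.
func Recover(logger *log.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				// Everything needed to debug goes to the log; the client gets a
				// generic message, because the stack trace is internal detail.
				logger.Printf("panic in %s %s: %v\n%s", r.Method, r.URL.Path, rec, debug.Stack())
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// SafeGo starts background work from a handler with its own deferred
// recover. Nothing recovers a panic in a goroutine the handler spawned, so
// without this one bad input would take the whole process down.
func SafeGo(logger *log.Logger, fn func()) {
	go func() {
		defer func() {
			if rec := recover(); rec != nil {
				logger.Printf("panic in background goroutine: %v\n%s", rec, debug.Stack())
			}
		}()
		fn()
	}()
}

// crashingHandler stands in for a handler with a defect: it dereferences a
// nil pointer (constructed for the example).
func crashingHandler(w http.ResponseWriter, r *http.Request) {
	var user *struct{ Name string }
	fmt.Fprintln(w, user.Name) // panics: nil pointer dereference
}

// StatusFor drives one in-memory request through h and returns the status
// code the client would observe.
func StatusFor(h http.Handler) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/users/42", nil))
	return rec.Code
}

func main() {
	logger := log.Default()
	h := Recover(logger, http.HandlerFunc(crashingHandler))
	fmt.Println("status:", StatusFor(h)) // 500, and the stack trace is in the log
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Wrap the whole router once with Recover rather than each handler; the log line carries the method and path so the crash can be correlated with the request that triggered it.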
Basic Checks
● Disable methods not used:
○ TRACE, HEAD, OPTIONS (may be needed for CORS)
○ but possibly other unused ones: GET, PUT, POST, DELETE
● Check request headers
19
Header            Questions
Accept            can the client accept the content you produce?
Content-Type      do you support this content from the client?
Content-Length    is it present, is it valid, is it too large?
Content-Encoding  do you really need to accept chunked encoding?
Rate limiting
● Rate limits could be tied to
○ source IP/port (if no authorization is needed),
○ access token,
○ or a combination of rules
● Go has simple built-in rate limiting
○ better to use a library such as redis-go
○ especially when multiple containers/apps are serving
● Most implementations provide hints to the clients about rate limits using response headers
○ Ratelimit-Limit, Ratelimit-Remaining, Ratelimit-Reset
20
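An added example, not from the deck, of rate limiting with only the standard library: a per-key fixed-window counter (the commonly used golang.org/x/time/rate is a token bucket; a fixed window is used here to keep the example dependency-free), keyed by the access token when present and by the source IP otherwise, emitting the hint headers named on the slide. The limit, window and sample requests are assumptions for the example; as the slide says, once several replicas serve the API the counters belong in a shared store.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Limiter is a fixed-window counter per key: at most Limit requests per
// Window. It lives in one process; with several replicas each one would
// grant the full quota, which is why a shared store (Redis) is needed then.
type Limiter struct {
	Limit  int
	Window time.Duration
	Now    func() time.Time // injectable clock, so the window logic is testable

	mu      sync.Mutex
	buckets map[string]*bucket
}

type bucket struct {
	count int
	reset time.Time
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{Limit: limit, Window: window, Now: time.Now, buckets: map[string]*bucket{}}
}

// Take counts one request for key and reports whether it is within quota,
// how many requests remain in the window, and when the window resets.
func (l *Limiter) Take(key string) (allowed bool, remaining int, reset time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.buckets[key]
	if !ok || !now.Before(b.reset) {
		b = &bucket{reset: now.Add(l.Window)}
		l.buckets[key] = b
	}
	if b.count >= l.Limit {
		return false, 0, b.reset
	}
	b.count++
	return true, l.Limit - b.count, b.reset
}

// KeyFor chooses what the quota is tied to: the bearer token when present
// (quota follows the credential, not a shared NAT address), otherwise the
// client IP. The token is hashed so secrets do not sit in the counter map.
// RemoteAddr is only meaningful with no proxy in front; behind a load
// balancer use the forwarded header that the proxy sets and strips from
// clients.
func KeyFor(r *http.Request) string {
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		sum := sha256.Sum256([]byte(strings.TrimPrefix(auth, "Bearer ")))
		return "token:" + hex.EncodeToString(sum[:8])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return "ip:" + host
}

// Middleware enforces the limiter and always sends the hint headers from the
// slide (Go canonicalizes them to Ratelimit-*), plus Retry-After on 429.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed, remaining, reset := l.Take(KeyFor(r))
		secs := int((reset.Sub(l.Now()) + time.Second - 1) / time.Second) // round up
		h := w.Header()
		h.Set("RateLimit-Limit", strconv.Itoa(l.Limit))
		h.Set("RateLimit-Remaining", strconv.Itoa(remaining))
		h.Set("RateLimit-Reset", strconv.Itoa(secs))
		if !allowed {
			h.Set("Retry-After", strconv.Itoa(secs))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l := NewLimiter(100, time.Minute)
	h := l.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	http.ListenAndServe("127.0.0.1:8080", h)
}
```

The buckets map grows with every distinct key; in a long-running process, evict entries whose reset time has passed, or the limiter itself becomes a memory-exhaustion vector.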
Fuzzing
● Fuzzing framework built into Go
○ can be run for a limited time
○ can be pre-seeded with corpus (~ test data)
● Best option: fuzz the business logic
● Alternatively:
○ fuzz the handler
○ fuzz the API over network - don’t run it against production(!)
21
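The following is an added Go fuzz example, not from the deck: a pagination-cursor decoder stands in for the business logic, and FuzzDecodeCursor is the target the slide's "best option" calls for. The cursor format, its bounds and the seed inputs are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"testing"
)

const maxPageSize = 100

// EncodeCursor builds an opaque pagination cursor: "offset:limit" in URL-safe
// base64 without padding.
func EncodeCursor(offset, limit int) string {
	return base64.RawURLEncoding.EncodeToString([]byte(strconv.Itoa(offset) + ":" + strconv.Itoa(limit)))
}

// DecodeCursor is the business logic under test. It accepts only what
// EncodeCursor produces. The Strict() decoder and the canonical-number check
// are exactly what a fuzzer forces you to add: "+3", "003" and base64 with
// non-zero trailing bits all decode "successfully" yet do not round-trip.
func DecodeCursor(cursor string) (offset, limit int, err error) {
	raw, err := base64.RawURLEncoding.Strict().DecodeString(cursor)
	if err != nil {
		return 0, 0, fmt.Errorf("cursor: %w", err)
	}
	o, l, ok := strings.Cut(string(raw), ":")
	if !ok {
		return 0, 0, errors.New("cursor: malformed")
	}
	if offset, err = canonicalInt(o); err != nil {
		return 0, 0, err
	}
	if limit, err = canonicalInt(l); err != nil {
		return 0, 0, err
	}
	if offset < 0 || limit < 1 || limit > maxPageSize {
		return 0, 0, errors.New("cursor: out of range")
	}
	return offset, limit, nil
}

// canonicalInt parses s and rejects any spelling Itoa would not produce.
func canonicalInt(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || strconv.Itoa(n) != s {
		return 0, errors.New("cursor: non-canonical number")
	}
	return n, nil
}

// FuzzDecodeCursor belongs in a _test.go file in a real project; run it with
//   go test -run='^$' -fuzz=FuzzDecodeCursor -fuzztime=30s ./...
// f.Add pre-seeds the corpus; the fuzzer mutates those inputs and keeps any
// that reach new code. The property checked: never panic, and whatever is
// accepted must be in range and re-encode to the very same string.
func FuzzDecodeCursor(f *testing.F) {
	f.Add(EncodeCursor(0, 20))
	f.Add(EncodeCursor(1234, maxPageSize))
	f.Add("")
	f.Add("not base64!")
	f.Add(base64.RawURLEncoding.EncodeToString([]byte("003:+7")))
	f.Fuzz(func(t *testing.T, cursor string) {
		offset, limit, err := DecodeCursor(cursor)
		if err != nil {
			return // rejecting input is fine; a panic would already have failed the run
		}
		if offset < 0 || limit < 1 || limit > maxPageSize {
			t.Fatalf("accepted out-of-range cursor %q -> %d,%d", cursor, offset, limit)
		}
		if got := EncodeCursor(offset, limit); got != cursor {
			t.Fatalf("non-canonical cursor accepted: %q -> %d,%d -> %q", cursor, offset, limit, got)
		}
	})
}

func main() {
	c := EncodeCursor(40, 20)
	o, l, err := DecodeCursor(c)
	fmt.Println(c, o, l, err) // NDA6MjA 40 20 <nil>
}
```

Without -fuzz the fuzz target still runs once per seed as an ordinary test, so the corpus doubles as a regression suite; crashes the fuzzer finds are written to testdata/fuzz and replayed on every subsequent go test.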
Payload Validation Using JSON Schema
● JSON payload in HTTP requests may have malicious content
● JSON schema has powerful ways to validate content
○ libraries such as gojsonschema eliminate the need for writing additional code
● Examples of rules:
○ setting minimum / maximum length for strings
○ leveraging built-in types (e.g. IPv4 address, UUID)
○ limiting possible property values with a regular expression
○ setting minimum, maximum size for arrays, mandating unique values
○ disabling additional properties to prevent actors using undefined properties
○ allow only a list of fixed values (enumerations)
○ making properties mandatory
● Relevant specifications: OpenAPI, JSON Schema
22
Payload Validation Using JSON Schema
23
Example from Verosint API docs at
https://docs.verosint.com
Payload Validation Using JSON Schema
24
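The slides above show a schema from the Verosint API docs as an image. As an added example (not the deck's or Verosint's schema), here is a constructed JSON Schema that uses every rule kind listed on slide 22, followed by Go code that enforces the same rules by hand so that what each rule rejects is explicit. With a library such as gojsonschema the schema document alone drives validation and the hand-written validate function is unnecessary; the event type, field names and sample body are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"regexp"
	"strings"
	"unicode/utf8"
)

// EventSchema is a constructed JSON Schema for a hypothetical fraud-signal
// event. It exercises: minLength/maxLength, a format (ipv4), a pattern,
// array bounds with uniqueItems, additionalProperties: false, enum, required.
const EventSchema = `{
  "type": "object",
  "additionalProperties": false,
  "required": ["accountId", "ip", "action"],
  "properties": {
    "accountId": {"type": "string", "minLength": 1, "maxLength": 64, "pattern": "^[A-Za-z0-9_-]+$"},
    "ip":        {"type": "string", "format": "ipv4"},
    "action":    {"type": "string", "enum": ["login", "signup", "reset"]},
    "tags":      {"type": "array", "items": {"type": "string", "maxLength": 32},
                  "maxItems": 10, "uniqueItems": true}
  }
}`

// maxBody bounds the whole document; the schema only bounds individual fields.
const maxBody = 16 << 10

// Event uses pointers for required fields so "absent" and "" are distinguishable.
type Event struct {
	AccountID *string  `json:"accountId"`
	IP        *string  `json:"ip"`
	Action    *string  `json:"action"`
	Tags      []string `json:"tags"`
}

var (
	accountIDRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
	actions     = map[string]bool{"login": true, "signup": true, "reset": true}
)

// DecodeEvent parses and validates one request body. Error messages name the
// violated rule but never echo the offending value, since they go back to
// the client. Oversized bodies surface as truncated JSON here; in a handler,
// http.MaxBytesReader gives a clearer 413.
func DecodeEvent(r io.Reader) (Event, error) {
	var e Event
	dec := json.NewDecoder(io.LimitReader(r, maxBody))
	dec.DisallowUnknownFields() // additionalProperties: false
	if err := dec.Decode(&e); err != nil {
		return Event{}, fmt.Errorf("invalid JSON: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF { // exactly one document, nothing trailing
		return Event{}, errors.New("invalid JSON: trailing data")
	}
	return e, validate(e)
}

func validate(e Event) error {
	if e.AccountID == nil || e.IP == nil || e.Action == nil { // required
		return errors.New("accountId, ip and action are required")
	}
	if !accountIDRe.MatchString(*e.AccountID) || len(*e.AccountID) > 64 { // pattern, minLength, maxLength
		return errors.New("accountId: 1-64 characters from [A-Za-z0-9_-]")
	}
	if ip := net.ParseIP(*e.IP); ip == nil || ip.To4() == nil || strings.Contains(*e.IP, ":") { // format: ipv4
		return errors.New("ip: must be an IPv4 address")
	}
	if !actions[*e.Action] { // enum
		return errors.New("action: must be one of login, signup, reset")
	}
	if len(e.Tags) > 10 { // maxItems
		return errors.New("tags: at most 10 entries")
	}
	seen := make(map[string]bool, len(e.Tags))
	for _, t := range e.Tags {
		if utf8.RuneCountInString(t) > 32 { // items.maxLength (code points, as JSON Schema counts)
			return errors.New("tags: each at most 32 characters")
		}
		if seen[t] { // uniqueItems
			return errors.New("tags: must be unique")
		}
		seen[t] = true
	}
	return nil
}

func main() {
	// Constructed sample request body.
	body := `{"accountId":"acct_42","ip":"198.51.100.7","action":"login","tags":["web"]}`
	e, err := DecodeEvent(strings.NewReader(body))
	fmt.Println(*e.AccountID, *e.Action, e.Tags, err) // acct_42 login [web] <nil>
}
```

Two details the schema does not express and the decoder has to add: the total size limit, and the trailing-data check, since json.Decoder happily stops after the first value and leaves whatever follows unread.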
There is so much more to cover …
That we did not talk about.
● HTTP Server configuration options
○ timeouts (read, header read, idle timeout)
○ connection management
○ maximum size of header
○ TLS configuration
● Rate limiting headers
● Authentication/authorization
● Nuances of each HTTP method
○ e.g. GET - URL escaping, leakage of information in logs
● Preventing caching of responses
25
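The server options listed on this slide were left out of the talk; as an added example (not the deck's code) here is an http.Server with every timeout set, a header-size cap and a TLS floor, a per-request deadline that cancels the handler's context, and a small middleware for the "preventing caching of responses" point. All values are illustrative assumptions and the certificate paths are placeholders.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewServer builds an http.Server with every timeout set explicitly. The
// zero values mean "wait forever", which lets one slow client hold a
// connection (and its goroutine) indefinitely. Numbers are illustrative.
func NewServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr: addr,
		// Per-request deadline: the handler's r.Context() is cancelled and
		// the client gets 503 when the handler overruns.
		Handler:           http.TimeoutHandler(NoStore(h), 10*time.Second, "request timed out"),
		ReadHeaderTimeout: 5 * time.Second,  // time to send the request line and headers
		ReadTimeout:       15 * time.Second, // time to send the whole request, body included
		WriteTimeout:      30 * time.Second, // time in which the response must be written
		IdleTimeout:       60 * time.Second, // keep-alive connections are closed after this
		MaxHeaderBytes:    16 << 10,         // bound header memory per connection
		TLSConfig: &tls.Config{
			MinVersion: tls.VersionTLS12, // refuse TLS 1.0/1.1 handshakes
		},
		ErrorLog: log.Default(), // where "http: TLS handshake error" and friends land
	}
}

// NoStore tells browsers and intermediaries not to cache API responses,
// which matters when the payload is per-user data returned for a bearer token.
func NoStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "no-store")
		next.ServeHTTP(w, r)
	})
}

// CacheControlFor returns the Cache-Control header a client would receive
// from the server's handler chain for a GET of path.
func CacheControlFor(srv *http.Server, path string) string {
	rec := httptest.NewRecorder()
	srv.Handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Cache-Control")
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`{"ok":true}`))
	})
	srv := NewServer("127.0.0.1:8443", api)
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem")) // paths are placeholders
}
```

ReadHeaderTimeout is the one to set first: it is the control for clients that open a connection and trickle headers, and unlike ReadTimeout it does not penalize legitimate large uploads.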
Recap
● Understand the deployment of your application
○ what protections are available at what layer
● Building secure APIs requires a secure toolchain
○ including Go runtime and 3rd-party dependencies
○ keep them up to date
○ be selective about dependencies - less is more
● Make your APIs resilient
○ protect the application from crashes
○ rate limit clients
● Inspect incoming requests
○ headers, payload length, format
○ reduce manual coding using JSON schema validation
○ emit logs that can trigger automated defensive actions
● Test your APIs, business logic with fuzzing
26
Additional Resources
● OWASP Top 10 API Security Risks
● Open Source Security Foundation
○ scorecard app
● Getting started with Fuzzing
● How to Parse a JSON Request Body in Go
● Make resilient Go net/http servers using timeouts, deadlines and context cancellation
● Tool selection from ISTQB Certified Tester Advanced Level
Test Manager Syllabus
27
bit.ly/lascon2023
Thank you
28
See you at
https://bit.ly/bertold
https://www.verosint.com