RESTful Is Not Secure

  • Conference paper
  • In: Applications and Techniques in Information Security (ATIS 2017)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 719))

Abstract

The shift in web service design towards the REST paradigm has spawned a series of security concerns. To date there has been no general agreement on how the REST paradigm addresses security and what web security mechanisms adhere to the REST style. This paper analyzes the REST paradigm from a security perspective and shows significant incompatibilities between the style constraints and typical security mechanisms. We conclude that the REST style was not designed with security properties in mind and does not fit the security requirements of modern web applications.

Author information

Corresponding author: Tetiana Yarygina

Copyright information

© 2017 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Yarygina, T. (2017). RESTful Is Not Secure. In: Batten, L., Kim, D., Zhang, X., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2017. Communications in Computer and Information Science, vol 719. Springer, Singapore. https://doi.org/10.1007/978-981-10-5421-1_12

  • DOI: https://doi.org/10.1007/978-981-10-5421-1_12

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-5420-4

  • Online ISBN: 978-981-10-5421-1
