-2

I am writing a mobile app that uses a read only REST service that sits behind our company firewall. The actual data supplied by the REST service is not private but I am concerned with a hacker using it to get behind the firewall. I have found lots of ideas on how to use JWTs to secure REST. Are these methods typically used to protect the data or protect the network the REST service is running on?

I want to know if the type of authentication used by the service I'm exposing impacts the security of services around it. Clearly it does not, based on the responses.

schroeder
ponder275
  • What *these methods* do you mean? – mentallurg Jul 06 '20 at 17:25
  • @mentallurg For example, if a hacker steals my JWT and can log in to the REST service, does that pose a risk to the network the REST service is hosted on, or just allow them to read the data? The REST service is read only. – ponder275 Jul 06 '20 at 18:07
  • This is not really answerable. It just depends on what your REST service does and whether or not it has any vulnerabilities. Normally such services just return data, but if it has an RCE then an attacker may find that and use it to pivot in your network. So in short, a *secure* REST service (which is almost a meaningless term) is perfectly fine. If your service is not secure though then all bets are off. – Conor Mancone Jul 06 '20 at 19:15
  • This is a bit like asking, "I'd like to buy a car to get to the grocery store faster but I'm worried that it may hurt someone". – Conor Mancone Jul 06 '20 at 19:17
  • This question doesn't really make sense, and the answer you've accepted below doesn't really make sense. Allowing traffic to a service within your firewall is fine. Whatever authentication mechanism you choose, it has nothing to do with an attacker being able to attack *other* services you don't want them to access. That will happen because a vulnerability in your REST service allows something like SSRF, or because of a firewall misconfiguration, or because you've exposed some other vulnerability on the REST service's OS, not because you chose the wrong authentication mechanism. – user229044 Jul 07 '20 at 00:31
  • Put another way, you are no more or less secure because your REST service uses a JWT, or opaque bearer tokens, or HTTP digest authentication; none of these things innately weaken or enhance the security of your REST service or the other services behind your firewall. None of these things make it *more safe* to poke a hole in your firewall for your REST service. – user229044 Jul 07 '20 at 00:36
  • @user229044 Your comments answered my question. I accepted the others because, based on the comments, people did not like my question, so I thought I wasn't going to get any more answers, and they did point me in the right direction, just not as detailed as what you just gave. If you want to put your comments in an answer I will make it the accepted one, assuming I can change my accepted answer. Thanks for the information. – ponder275 Jul 07 '20 at 13:43
  • @ponder275 Posted, glad it helped. – user229044 Jul 07 '20 at 19:37

1 Answer

2

There's a bit of an incorrect assumption at the heart of this question, namely: The type of authentication used by the service you're exposing doesn't really impact the security of services around it.

If you open a port in your firewall so that external traffic can reach your REST service, the type of authentication between clients and that service doesn't really increase or weaken the security of the services around it.

If an attacker is able to reach other services behind your firewall, it's because of something like a vulnerability in the REST service which allows SSRF, or an unpatched vulnerability in the REST service's operating system, or a misconfiguration of your firewall, not because you chose the wrong authentication mechanism for your REST service.

Put another way, you are no more or less secure because your REST service uses a JWT, or opaque bearer tokens, or HTTP digest authentication; none of these things innately weaken or enhance the security of your REST service or the other services behind your firewall. None of these things make it more safe to poke a hole in your firewall for your REST service.

user229044
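An added illustration of the answer's point, not code from the question or the answerer: a read-only REST handler whose bearer-token check is perfectly sound, yet which lets an authenticated caller pick the host the service connects to (the SSRF case the answer names), next to the same handler with an outbound allowlist. The token, host names and endpoint are constructed for the example, and the HTTP client is a stub that only records the host it would contact.

```python
from urllib.parse import urlparse

# Constructed sample values: a valid opaque token and the one internal host
# the report endpoint legitimately needs to fetch from.
VALID_OPAQUE_TOKENS = {"tok-constructed-123"}
OUTBOUND_ALLOWLIST = {"reports.example.internal"}


def authenticated(headers: dict) -> bool:
    """Bearer-token check. Swapping this for JWT or digest verification
    changes nothing about what the handlers below can reach."""
    auth = headers.get("Authorization", "")
    return auth.startswith("Bearer ") and auth[len("Bearer "):] in VALID_OPAQUE_TOKENS


def _fetch(url: str) -> str:
    # Stand-in for a real HTTP client: records which host the service would
    # connect to from inside the firewall instead of actually connecting.
    return f"fetched {urlparse(url).hostname}"


def report_handler_vulnerable(headers: dict, params: dict):
    """Auth is correct, but the caller controls the outbound target."""
    if not authenticated(headers):
        return 401, "unauthorized"
    # Once the token check passes, a caller-supplied URL decides which
    # internal host this service talks to on the caller's behalf.
    return 200, _fetch(params.get("source", ""))


def _is_allowed_target(url: str) -> bool:
    # Only https to a host on the explicit allowlist; everything else
    # (plain http, bare IPs, other internal names) is rejected before any
    # connection is attempted.
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in OUTBOUND_ALLOWLIST


def report_handler_hardened(headers: dict, params: dict):
    """Same token check; the outbound target is now restricted by the server."""
    if not authenticated(headers):
        return 401, "unauthorized"
    source = params.get("source", "")
    if not _is_allowed_target(source):
        return 400, "source not permitted"
    return 200, _fetch(source)
```

A hostname allowlist is the minimum; a client that also resolves the name and checks the resulting address before connecting closes the remaining DNS-based gaps.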