22 Video- Starting from a Security Vulnerability to Explore the Balance between API Performance and Security #

Hello, I’m Wen Ming.

Today’s content will also be presented in the form of a video. As usual, before you start watching the video, I’d like to ask you a few questions:

  • Have you noticed any security vulnerabilities in the APIs you use with OpenResty?
  • How do you balance the relationship between security and performance?

These questions are also the core content that will be addressed in today’s video lesson. I hope you can take some time to think about them and come to the lesson with these questions in mind.

At the same time, I will provide corresponding written explanations to help you summarize and review the content after watching the video. Below is the written introduction for today’s lesson.

Today’s Highlights #

Security is an eternal topic that cannot be ignored, whether you are writing business code or working on low-level architecture.

CVE-2018-9230 is a security vulnerability related to OpenResty, but it is not a security vulnerability of OpenResty itself. Does this sound a bit convoluted? Don’t worry, let’s take a closer look at how attackers construct their requests.

The interfaces ngx.req.get_uri_args, ngx.req.get_post_args, and ngx.req.get_headers in OpenResty return only the first 100 parameters by default. If the developers of a Web Application Firewall (WAF) built on these APIs are unaware of this detail, the WAF is open to a parameter overflow attack: the attacker fills the request with 100 useless parameters and places the payload in the 101st, which the WAF never sees, so its detection is bypassed.

So, how should this CVE be addressed?

Clearly, the maintainers of OpenResty need to take into account factors such as backward compatibility, not introducing more security risks, and not impacting performance, and make a balanced choice.

In the end, the maintainers of OpenResty chose to add a new err return value to these APIs. If the number of input parameters exceeds 100, err is set to the string “truncated”. As a result, the callers of these APIs must check err and decide for themselves whether to reject or allow the request.
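The following is an added example of how a caller can handle that new return value; it is written for this lesson and is not code from the course slides or from OpenResty itself. It assumes a lua-nginx-module release (0.10.13 or later) whose argument readers return “truncated” as a second value, and the single blacklist rule it applies is a constructed sample, not a real WAF rule set.

```lua
-- Added example, not from the course slides or OpenResty itself. Assumes
-- lua-nginx-module 0.10.13 or later, where the three argument readers
-- return "truncated" as a second value when more than max_args entries
-- are present. Meant to run from access_by_lua_file.
local MAX_ARGS = 100  -- API default, passed explicitly so the cap is visible;
                      -- 0 removes the cap at the price of unbounded parsing
-- Values are strings, true (key without value) or tables (repeated keys).
local function has_suspicious_value(args)
    for _, v in pairs(args) do
        local values = type(v) == "table" and v or { v }
        for _, item in ipairs(values) do
            -- constructed sample rule: a <script tag anywhere in a value
            if type(item) == "string"
               and ngx.re.find(item, [[<\s*script]], "ijo") then
                return true
            end
        end
    end
    return false
end
-- Reads query, body and header parameters, refusing to decide on a partial
-- view. Returns true when the request may proceed, otherwise false, reason.
local function inspect_request()
    local uri_args, err = ngx.req.get_uri_args(MAX_ARGS)
    if err == "truncated" then
        return false, "query string exceeds " .. MAX_ARGS .. " parameters"
    end
    ngx.req.read_body()
    local post_args, perr = ngx.req.get_post_args(MAX_ARGS)
    if perr == "truncated" then
        return false, "body exceeds " .. MAX_ARGS .. " parameters"
    end
    local headers, herr = ngx.req.get_headers(MAX_ARGS)
    if herr == "truncated" then
        return false, "more than " .. MAX_ARGS .. " request headers"
    end
    -- post_args is nil when there is no body (or it was spilled to disk)
    for _, tbl in ipairs({ uri_args, post_args or {}, headers }) do
        if has_suspicious_value(tbl) then
            return false, "blacklist rule matched"
        end
    end
    return true
end
local ok, reason = inspect_request()
if not ok then
    ngx.log(ngx.WARN, "rejected: ", reason)
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end
```

Rejecting on “truncated” rather than raising the cap keeps the per-request parsing cost bounded, which is the performance side of the trade-off the lesson describes.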

In fact, security is ultimately a balancing act. Whether you choose a rule-based blacklist, an identity-based whitelist, or a combination of both depends on your actual business scenario.

Course Reference #

Today’s course materials have been uploaded to my GitHub. You can download them for learning.

Link: https://github.com/iresty/geektime-slides

If there is anything unclear, you can ask questions in the comment section, and you can also share your learning experience in the comment section. Looking forward to our discussion and feel free to share this article with your colleagues and friends. Let’s communicate and make progress together.