What is Swagger?
Swagger is the way of defining the structure of APIs (Application Programming Interface). Swagger is specifically developed for REST (Representational State Transfer) APIs, where REST is a Web based API. These APIs can be defined in a file, called Swagger file, which includes certain information like the type of data that needs to be sent in a request, the type of data that needs to be received as the response from the request sent, the server locations, authorization for the request, status codes etc. The Swagger Specification is also known as the Open API Specification (OAS). Using swagger, APIs can be created in either YAML or JSON. The different tools used for swagger are: Swagger Editor, Swagger UI and Swagger Codegen. The latest version of OAS is OpenAPI 3.0.
Below given is the basic structure of swagger in YAML:
openapi: 3.0.0
info:
title: Sample API
description: Optional multiline or single-line description in [CommonMark](http://commonmark.org/help/) or HTML.
version: 0.1.9
servers:
– url: http://api.example.com/v1
description: Optional server description, e.g. Main (production) server
– url: http://staging-api.example.com
description: Optional server description, e.g. Internal staging server for testing
paths:
/users:
get:
summary: Returns a list of users.
description: Optional extended description in CommonMark or HTML.
responses:
‘200’: # status code
description: A JSON array of user names
content:
application/json:
schema:
type: array
items:
type: string
How to provide security to Swagger / OAS?
API Security can be provided using Authentication and Authorization mechanisms. Authentication is the method of validating users by means of Username and Password and Authorization is the method of allowing users to access the data. OpenAPI uses a ‘security scheme’ for providing authentication and authorization.
Different security schemes for providing security in OpenAPI 3.0 are:
- HTTP authentication schemes
- API Keys
- OAuth2
- OpenID Connect Discovery
How to describe security in OpenAPI 3.0?
In OpenAPI, security is described using the keywords securitySchemes and security. The keyword securitySchemes is used to define all the security schemes associated with the API and the keyword security is used to apply the defined schemes to the specific operations or to the entire API.
- Defining securitySchemes
- Applying security
The security schemes should be defined in components/securitySchemes section of the API. This section includes various schemes and its type for defining security schemes.
components:
securitySchemes:
BasicAuth:
type: http
scheme: basic
BearerAuth:
type: http
scheme: bearer
ApiKeyAuth:
type: apiKey
in: header
name: X-API-Key
OpenID:
type: openIdConnect
openIdConnectUrl: https://example.com/.well-known/openid-configuration
OAuth2:
type: oauth2
flows:
authorizationCode:
authorizationUrl: https://example.com/oauth/authorize
tokenUrl: https://example.com/oauth/token
scopes:
read: Grants read access
write: Grants write access
admin: Grants access to admin operationsTo defend against CLDAP attacks, organizations can adopt various preventive measures:
To apply the security schemes that are defined in the securitySchemes section, use the security section on the root level or operation level. When using the root level, the security schemes will be applied to the whole API (all API operations) and the operation level applies the security schemes to individual operations.
Security section on root level:
Configure rate limiting mechanisms to restrict the number of CLDAP requests allowed per second. This helps prevent amplification and reduces the impact of attacks.
Deploy network monitoring tools to detect and analyze abnormal CLDAP traffic patterns. Proactively monitoring network traffic allows for early detection and response to potential attacks.
Regularly update CLDAP servers and related infrastructure with the latest security patches. Stay informed about vulnerabilities and apply recommended fixes promptly.
