All posts for: RSA keys

In this article, continuing our series, we dive back into the topic of securing backend services using advanced encryption techniques and signing requests with RSA keys within the context of the Flask framework for Python. We will focus on ensuring not only the confidentiality of data through encryption but also its integrity and authenticity using RSA signatures. I will present how to implement encryption and decryption of data and integration with a signature, in order to protect communication against various cyber threats such as replay attacks. The aim of the article is to introduce other possible mechanisms for securing communication other than certificate pinning, and to add another layer of security besides the encryption offered by HTTPS.

In this article, I will once again delve into the topic of API testing, which is secured through encryption mechanisms and signing requests using RSA keys. You are already familiar with these mechanisms from my previous posts. However, I have decided to revisit this topic to present solutions tailored to the Zed Attack Proxy (ZAP) software, where the behavior looks significantly different. Furthermore, in this article, I will demonstrate how to utilize two different scripts, executed in the correct order, to modify requests on the fly in a manner expected by the server side. With such a solution, API testing becomes much simpler, as we no longer need to focus on the applied security mechanisms. Additionally, dividing the scripts according to their responsibilities greatly facilitates their usage and allows for their reuse without modification.

In this article, I aim to present another mechanism for securing API requests, the implementation of which was a significant element of a real-world project. The discussed mechanism stands out with an additional layer of security through encrypting request content using RSA keys. This serves as an extra protective measure that can effectively complement the standard HTTPS protocol. Furthermore, digital signatures using RSA keys will be introduced as the icing on the cake in the later part of the article, ensuring the integrity verification of the messages we send. All communication will also be further secured against potential replay attacks.

In the previous articles, I described how one can utilize ZAP and Burp software for testing the security of web applications that implement request signature validation using RSA keys. Based on the interest in these articles, I have come to the conclusion that it is worthwhile to also present an example of implementation from the other side, namely how it can be implemented on the server side. In this article, I will demonstrate how one can implement their own request signature validation using RSA keys in a simple way, using the Python language and the Flask framework.

My authored post, featured on the ZAP blog, delves into a new script within the community-scripts repository that facilitates the signing of outgoing requests using RSA keys. This addresses the unique challenge of testing applications that demand this specific functionality.

One of the OWASP organization members asked me if I would like to present a method for testing an API secured with RSA keys using ZAP. At first, I wasn’t sure if I could handle it because in my daily work I use to Burp, but as is often the case in our penetration testing profession, you have to keep evolving and exploring new possibilities. That’s why I agreed, and in this article, I describe how you can test an API secured with a request-signing mechanism using RSA keys, this time utilizing Zed Attack Proxy (ZAP) Scripting.

In this article, I would like to describe the API request security mechanism that I encountered in one of my projects. This mechanism uses RSA keys to verify the integrity of requests and also incorporates an additional security feature against replay attacks.