API-Security-Checklist

add api signature on Input and check for IDOR on Processing

Open bugoverfl0w opened this issue 2 years ago • 3 comments

I think we should add API Signature to prevent manual/automatic testing.

And check that the id (uid, cid, tid, for example) in the params/query string is owned by the requesting user.

bugoverfl0w avatar Jul 14 '22 03:07 bugoverfl0w

Not sure I fully understand this.

Maikuolan avatar Jul 21 '22 12:07 Maikuolan

Not sure I fully understand this.

Hello, thanks for your reply

I mean we should properly check that the private object id in POST/GET is owned by the user that requests the current API. When doing testing I encounter many cases of improperly checked private object ids => IDOR

Reference link: IDOR

For example: user A with id 1, user B with id 2

If there is endpoint for update user:

/api/user/update
POST: user_id: 1, name: user_A, email: user_A_email

So the backend should check that user_id is owned by the current user that requests the API (user_A).

Thanks,

bugoverfl0w avatar Jul 22 '22 01:07 bugoverfl0w
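The ownership check described in the comment above, as an added example that is not part of the issue or the checklist. The two handler functions, the sample user table and the `auth_user_id` parameter (the identity the server derives from the session or token) are assumptions for illustration.

```python
def sample_users() -> dict:
    """Constructed sample data from the comment: user A has id 1, user B has id 2."""
    return {
        1: {"name": "user_A", "email": "user_A_email"},
        2: {"name": "user_B", "email": "user_B_email"},
    }


def update_user_vulnerable(users: dict, body: dict, auth_user_id: int) -> dict:
    """POST /api/user/update as the comment warns against: the handler trusts
    user_id from the request body, so user B (auth_user_id=2) can send user_id=1
    and overwrite user A's record. This is the IDOR case."""
    target = users[int(body["user_id"])]  # no check that the id belongs to the caller
    target.update(name=body["name"], email=body["email"])
    return {"status": 200, "user_id": int(body["user_id"])}


def update_user_checked(users: dict, body: dict, auth_user_id: int) -> dict:
    """Same endpoint with the ownership check the comment asks for. auth_user_id
    is taken from the session or token on the server side, never from the body."""
    try:
        requested_id = int(body["user_id"])
    except (KeyError, TypeError, ValueError):
        return {"status": 400, "error": "invalid user_id"}
    if requested_id != auth_user_id:
        # The object id in the request must belong to the authenticated caller.
        # Checking ownership before existence keeps the response from leaking
        # which ids exist to a caller who does not own them.
        return {"status": 403, "error": "forbidden"}
    if requested_id not in users:
        return {"status": 404, "error": "not found"}
    users[requested_id].update(name=body["name"], email=body["email"])
    return {"status": 200, "user_id": requested_id}


if __name__ == "__main__":
    # user B tries to edit user A's record through both handlers
    attack = {"user_id": "1", "name": "hijacked", "email": "attacker_email"}
    print(update_user_vulnerable(sample_users(), attack, auth_user_id=2))  # 200
    print(update_user_checked(sample_users(), attack, auth_user_id=2))     # 403
```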


@Maikuolan Exactly, it is IDOR or Broken Access Control.

I also add: API Signature for web/API to prevent automatic testing. I think it is really helpful.

Could you please check it and let me know if there is any problem?

Thanks,

bugoverfl0w avatar Jul 25 '22 02:07 bugoverfl0w