shieldfy / API-Security-Checklist

Checklist of the most important security countermeasures when designing, testing, and releasing your API
MIT License
22.21k stars 2.57k forks

add api signature on Input and check for IDOR on Processing #164

Open bugoverfl0w opened 2 years ago

bugoverfl0w commented 2 years ago

I think we should add API Signature to prevent manual/automated testing

And check that the id (uid, cid, tid... for example) in the params/query string is owned by the user making the request

Maikuolan commented 1 year ago

Not sure I fully understand this.

bugoverfl0w commented 1 year ago

> Not sure I fully understand this.

Hello, thanks for your reply

I mean we should properly check that the private object id in POST/GET is owned by the user that requests the current API. When testing, I encounter many cases where the private object id is checked improperly => IDOR

Reference link: IDOR

For example: user A with id 1, user B with id 2

If there is an endpoint for updating a user:

/api/user/update
POST: user_id: 1, name: user_A, email: user_A_email

So the backend should check that user_id is owned by the current user that requests the API (user_A)

Thanks,
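The ownership check described in the comment above, as an added example that is not part of the issue or the shieldfy checklist: a minimal "update user" handler in its IDOR-prone form next to the checked form. The User type, the sample users (A = 1, B = 2) and the request body shape are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class User:
    id: int
    name: str
    email: str


class Forbidden(Exception):
    """Raised when the caller does not own the object it tries to modify (HTTP 403)."""


def sample_users() -> Dict[int, User]:
    """Constructed sample store: user A with id 1, user B with id 2."""
    return {1: User(1, "user_A", "user_A_email"), 2: User(2, "user_B", "user_B_email")}


def update_user_vulnerable(users: Dict[int, User], session_user_id: int, body: dict) -> User:
    """IDOR pattern: trusts the client-supplied user_id and never compares it with
    the authenticated caller, so any logged-in user can edit any other user."""
    target = users[int(body["user_id"])]
    target.name = body["name"]
    target.email = body["email"]
    return target


def update_user_checked(users: Dict[int, User], session_user_id: int, body: dict) -> User:
    """Checked form: the object id in the request must belong to the caller, whose id
    comes from the server-side session/token, never from the request body."""
    requested_id = int(body["user_id"])
    if requested_id != session_user_id:
        # Reject (and log) instead of silently rewriting the id; a mismatch here is a
        # strong signal that someone is probing object ids.
        raise Forbidden(f"user {session_user_id} may not modify user {requested_id}")
    target = users[requested_id]
    target.name = body["name"]
    target.email = body["email"]
    return target


def attempt(handler: Callable, users: Dict[int, User], session_user_id: int, body: dict) -> str:
    """Run a handler and report the outcome as 'updated' (200) or 'forbidden' (403)."""
    try:
        handler(users, session_user_id, body)
        return "updated"
    except Forbidden:
        return "forbidden"
```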

bugoverfl0w commented 1 year ago

Refere

@Maikuolan Exactly, it is IDOR or Broken Access Control

I also add: API Signature for web/API to prevent automated testing. I think it is really helpful

Could you please check it and let me know if there is any problem?

Thanks,