Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add api signature on Input and check for IODR on Processing #164

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

bugoverfl0w
Copy link

@bugoverfl0w bugoverfl0w commented Jul 14, 2022

I think should add API Signature to prevent manually/automatically testing

And check id (uid, cid, tid... for example) on params/query string is owned by user request

@bugoverfl0w bugoverfl0w changed the title add api signature on Input add api signature on Input and check for IODR on Processing Jul 14, 2022
@Maikuolan
Copy link
Collaborator

Not sure I fully understand this.

@bugoverfl0w
Copy link
Author

bugoverfl0w commented Jul 22, 2022

Not sure I fully understand this.

Hello, thanks for your reply

I mean should properly checking private object id in POST/GET is owned by user that requests current api. When do testing I encounter many cases improperly checking private object id => IODR

Reference link: IODR

For example: user A with id 1, user B with id 2

If there is endpoint for update user:

/api/user/update
POST: user_id: 1, name: user_A, email: user_A_email

So the backend should check user_id is owned by current user that requests api (user_A)

Thanks,

@bugoverfl0w
Copy link
Author

Refere

@Maikuolan Exactly it is IODR or Broken Access Control

I also add: Api Signature for web/api to prevent automatic testing. I think it is really helpful

Could you please check it and let me know if any problem

Thanks,

Copy link

@demozsaytara666 demozsaytara666 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants