add api signature on Input and check for IODR on Processing #164
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bugoverfl0w
changed the title
|
Not sure I fully understand this. |
Hello, thanks for your reply I mean should properly checking private object id in POST/GET is owned by user that requests current api. When do testing I encounter many cases improperly checking private object id => IODR Reference link: IODR For example: user A with id 1, user B with id 2 If there is endpoint for update user: So the backend should check user_id is owned by current user that requests api (user_A) Thanks, |
@Maikuolan Exactly it is IODR or Broken Access Control I also add: Api Signature for web/api to prevent automatic testing. I think it is really helpful Could you please check it and let me know if any problem Thanks, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I think should add API Signature to prevent manually/automatically testing
And check id (uid, cid, tid... for example) on params/query string is owned by user request