Skip to content

Latest commit

 

History

History
158 lines (53 loc) · 2.03 KB

Secure Coding - Security Misconfiguration.md

File metadata and controls

158 lines (53 loc) · 2.03 KB

Security Misconfiguration (API8:2023)

Due to incorrect configurations or failure to properly manage configuration settings, it is possible for an attacker to exploit default or incorrect settings.

  • Example

GET request to get system settings:

GET /api/configurations

Non-compliant code (.NET)

using System.Web.Http;
namespace MyAPI.Controllers
{
    public class UserController : ApiController
    {
        // GET api/user/{id}
        public IHttpActionResult GetUser(int id)
        {
            // Fetch user data from the database without proper access control

            var user = Database.GetUser(id);
            return Ok(user);
        }
        // Other methods...
    }
}

Compliant code (.NET)

using System.Web.Http;
using Microsoft.AspNetCore.Authorization;
namespace MyAPI.Controllers
{
    [Authorize] // Apply authorization to the controller
    public class UserController : ApiController
    {
        // GET api/user/{id}
        [Authorize(Roles = "Admin")] // Restrict access to authorized users with the "Admin" role

        public IHttpActionResult GetUser(int id)
        {
            // Fetch user data from the database only if the user has the "Admin" role
            var user = Database.GetUser(id);
            return Ok(user);
        }
        // Other methods...
    }
}

General prevention suggestions:

  • Before sending a request to a given URL, check and validate the URI and destination resource carefully.

  • Limit the ability to receive information from external sources and limit the list of authorized access to remote URLs.

  • Using Whitelist to show only valid addresses and allow access to them.

  • Validate and filter user input and URL-related parameters before using them in the request.

  • Use network restrictions, such as firewalls, to restrict access to external resources.

  • Training the development team to properly evaluate and validate a URI before using it in requests.