Stupid but common security vulnerability in web app

Franz Wong - Dec 27 '20 - - Dev Community

Alt Text

Image from https://www.irasutoya.com/

I can't remember how many times I see this security vulnerability. When we design REST API, we usually put some IDs in URL. For example, we have a REST API returning user profile.

GET /users/1234
Enter fullscreen mode Exit fullscreen mode

There is nothing wrong with the design. The problem is people forgetting to check the ID in the URL against the ID in the cookie or JWT. It means that even I log in as user 1234, I am able to get the profile of user 7890.

There is another case when we have multiple IDs in URL. Just like a REST API returning transaction details.

GET /users/1234/transactions/123-456-789
Enter fullscreen mode Exit fullscreen mode

It is not enough to check user ID only. I can do something like this.

GET /users/1234/transactions/987-654-321
Enter fullscreen mode Exit fullscreen mode

987-654-321 is the transaction ID not belonging to user 1234. We must check the ownership or access permission of the item.

Things can go further complicated if we allow some users (e.g. staff, admin) to access other users' information. But I don't want to talk about it here.

I heard people arguing that user is not able to access URL containing other user ID through the FRONTEND, so it is safe not to check. But of course, we all know a simple curl command can do it.

CHECK ANYTHING FROM FRONTEND

To be more defensive, we can simply not putting user ID in URL and let the backend to get the ID from the cookie.

GET /users
Enter fullscreen mode Exit fullscreen mode

But for the item ownership case, we can't use this trick.

Of course, if you want to apply load balancing or analysis based on URL, this design is not good for you too.

This vulnerability is really stupid you may think. I think so too. But we can also see this problem from another point of view.

Usually we have multiple layers in our system. It is common to have a web layer handling traffic from internet and a service layer handling the business logic and talking with the database.

Alt Text

Image created with https://excalidraw.com/

So who should check the permission? Web layer? Service layer? There is no standard answer.

Reviewing design is also important because you may start from a single team to multiple teams or system design is changed.

Image
Web3er Special: A Comprehensive Overview and Guide to Utilizing TinTinLand Community Resources
Image
DeFiLlama: Your Comprehensive Guide to DeFi Analytics and Airdrop Strategies
Image
The Timeless Elegance of Shell Jewellery: Adorn Yourself with Nature's Bounty

shell, jewellery
Image
外关键词霸屏工具,海外拉群助手,海外群发助手
Image
Web Developer Guide

webdev, javascript, programming
Image
网络获客群控软件,获客改资料助手,获客拉群机器人
Image
DeFiLlama: Your Comprehensive Guide to DeFi Analytics and Airdrop Strategies
Image
Sending Emails in Node.js Using Nodemailer

node, webdev, javascript, nodemailer
Image
Data types - Day 2
Image
Exploring Transformer Networks: Revolutionizing Deep Learning

webdev, beginners, programming, tutorial
Image
An easy intro to edge computing

webdev, learning, serverless, cloud
Image
Using GitHub Copilot in Your Projects
Image
THE ROLE OF SEMANTIC HTML
Image
FB群发广告,FB私信工具,FB关键词霸屏机器人
Image
跨境电商自动注册软件,跨境商海客营销机器人,跨境拉群工具
Image
The Ultimate Guide to Fried Chicken Restaurants in Lake Charles
Image
Calling All Senior DevOps Trailblazers!

devops, terraform, cloudformation, aws
Image
Keyboards for the win

keyboard, modding, thunk
Image
SEMANTIC HTML

seo, html, webdev, a11y
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player