
Let's say I have an address for an API like this:

mywebsite.com/api/mydata

If accessed, a JSON will appear like this:

```json
[
  {
    "id": "1",
    "name": "John"
  },
  {
    "id": "2",
    "name": "Smith"
  }
]
```

By default, the result displays the entire data set if the POST has no parameters. If you POST an "ID" parameter whose value matches one of the existing records in the API, it only displays the objects selected by that ID. The API can be accessed by anyone. The API needs to be accessed using a token parameter to secure the data.

Let's say I add a token parameter to be able to access data like this:

```
yourtoken = "yourtoken"

// the "token" POST parameter is compared against the fixed string above
if (post_param["token"] == yourtoken) {
  // Displaying JSON
}
```

So if you want to open the API, you need to add a token parameter.

Is simple security like this worth using? What vulnerabilities will arise if I use this? Is there a better way than this?

  • A few things to consider are the length of the token and its randomness. Also, I'd recommend sending the token in an HTTP request header instead of in the HTTP POST body. – Jeroen Sep 08 '20 at 10:49
  • See also [What is token-based authentication?](https://stackoverflow.com/questions/1592534/what-is-token-based-authentication), [Why use an authentication token instead of the username/password per request?](https://security.stackexchange.com/questions/63435/why-use-an-authentication-token-instead-of-the-username-password-per-request) – Sjoerd Sep 08 '20 at 11:00
  • Is it safe from *what*? [What is your threat model?](https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one) – Conor Mancone Sep 08 '20 at 13:58

1 Answer

There are some things to take into consideration:

  1. Using an integer that increments by 1 for every new user is predictable, so IDOR vulnerabilities arise;
  2. Tokens should have high randomness and must have a lease time. Consider using JWT, for example;
  3. Transfer the data using encryption.

If it is just some kind of experiment, consider hiding your API behind an nginx balancer with authentication. It is pretty straightforward to configure basic authentication. In a more advanced scenario you may want to use client-side certificates. Check this article for the implementation.

> By default, the result displays the entire data set if the POST has no parameters

Also consider removing functionality for displaying the entire data.

– kupihleba
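As an added example (not code from the question or the answer), here is a Python sketch of the answer's points 1 and 2 together with Jeroen's comment: per-client random tokens with a lease time, sent in an Authorization header and stored only as a hash, random record ids instead of sequential ones, and no parameter-less "dump everything" mode. The function names, the constructed UUIDs and the 3600-second lease are assumptions; transport encryption (point 3) is left to TLS in front of the service.

```python
import hashlib
import secrets
import time

# Constructed sample data: the two records from the question, keyed by random
# UUIDs (fixed here for the example) instead of the guessable ids "1" and "2".
RECORDS = {
    "6f1c2d3e-0000-4000-8000-000000000001": {"name": "John"},
    "6f1c2d3e-0000-4000-8000-000000000002": {"name": "Smith"},
}

TOKEN_TTL = 3600  # assumed lease time in seconds; expired tokens are rejected

# Issued tokens, stored as sha256(token) -> expiry time. Only the digest is
# kept, so a leaked copy of this table does not hand out usable tokens.
_issued = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(now=None):
    """Mint a 256-bit random token (not a fixed string) and record its expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[_digest(token)] = now + TOKEN_TTL
    return token


def authenticate(headers, now=None):
    """Accept only an unexpired token sent as 'Authorization: Bearer <token>'."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    # Lookup is by digest, so a timing difference reveals nothing about the token.
    expiry = _issued.get(_digest(token))
    if expiry is None or now >= expiry:
        _issued.pop(_digest(token), None)  # drop expired leases
        return False
    return True


def handle_request(headers, body, now=None):
    """Return (status, payload). One record per request; no full dump."""
    if not authenticate(headers, now):
        return 401, {"error": "invalid or expired token"}
    record_id = body.get("id")
    if record_id is None:
        return 400, {"error": "id is required"}
    record = RECORDS.get(record_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {"id": record_id, **record}
```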