File tree Expand file tree Collapse file tree 1 file changed +5
-8
lines changed Expand file tree Collapse file tree 1 file changed +5
-8
lines changed Original file line number Diff line number Diff line change @@ -12,14 +12,11 @@ A3:2019 Improper Data Filtering
1212
1313### Scenario #1
1414
15- The User model implements a ` toJSON() ` method to serialize a user object. While
16- implementing the ` GET /v1/articles/{article_id}/comments/{comment_id} ` endpoint
17- that returns details about a specific comment in an article and basic details
18- about its author, the developer finds the toJSON() method and decides to use it
19- (without thinking about the sensitive details it may expose). The mobile team is
20- using the endpoint in the articles view, rendering only relevant data. An
21- attacker sniffs the mobile app traffic and finds about the sensitive data
22- exposure.
15+ The mobile team uses the ` /api/articles/[ARTICLE-ID]/comments/[COMMENT-ID] `
16+ endpoint in the articles view to render some comments metadata. Sniffing the
17+ mobile app traffic an attacker finds out that other sensitive data is also
18+ returned. The endpoint implementation uses a generic ` toJSON() ` method on the
19+ ` User ` model to serialize the object.
2320
2421### Scenario #2
2522
You can’t perform that action at this time.
0 commit comments