Skip to content

Change "how to prevent" tips #25

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 9 commits into from
Closed

Change "how to prevent" tips #25

wants to merge 9 commits into from

Conversation

inonshk
Copy link
Collaborator

@inonshk inonshk commented Sep 30, 2019

No description provided.

@inonshk
Merge pull request #3 from OWASP/master
6f5a987 
update
@inonshk
Update 0xa3-excessive-data-exposure.md
db4ff57 
We can't ask developers to define and enforce all data returned by all API methods.
It's like asking "Implement input validation on every single input on the system" - for many companies it won't be a feasible solution.

As security engineers who provide recommendations for the broad community, we should always keep in mind the trade off between security and the available resources of the company that uses OWASP to improve the security posture.We should always assume that companies have limited resources.

With this mindset, OWASP has been provided recommendations for many years.
Recommendations like "Explicitly define and enforce data returned by all API methods including errors: give all JSON objects schemas, all string objects patterns, use clear field names." don't align with this mindset.

The second part of the last recommendation already appears in the second recommendation.
@inonshk
Update 0xa5-broken-function-level-authorization.md
49ad57a 
Authorization mechanisms (not exploitation of mass assignment) that rely on "is_admin = true" are extremely not common in APIs. You could find them many years ago, and maybe today in WebGoats and CTF machines.
@inonshk
Update 0xa8-injection.md
7482867 
"* To prevent data leaks, define and enforce schemas for all API responses" sounds like a marketing message. Let's keep the list professional without any agenda.
@inonshk
Update 0xa7-security-misconfiguration.md
9b2d99d 
The right way to avoid detailed errors is to use built-in features in the framework to override detailed errors.
API schemas are another layer of protection. Not a solution for the problem.
@inonshk
Update 0xa4-lack-of-resources-and-rate-limiting.md
038610c 
"* For sensitive operations such as login or password reset, consider rate limits
  by API method (e.g., authentication), client (e.g., IP address), property
  (e.g., username)." is related to A2, not A4.

"* If your API accepts compressed files check compression ratios before expanding
  the files to protect yourself against "zip bombs"." - very niche example, I don't think it has a place in the list.
@inonshk
Update 0xa3-excessive-data-exposure.md
20b011e
PauloASilva
PauloASilva reviewed Dec 16, 2019
View reviewed changes
Copy link
Collaborator

@PauloASilva PauloASilva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please review my comments on suggested changes?

@PauloASilva
Copy link
Collaborator

This PR was merged into develop (commit#27fac6c) and it will be part of the next release.

PauloASilva pushed a commit that referenced this pull request Jan 22, 2021
@Malajab
Merge pull request #25 from 0xMohammed/patch-22
65eddda 
Update 0xd0-about-data.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PauloASilva PauloASilva PauloASilva left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@inonshk @PauloASilva