Skip to content

[pull] master from OWASP:master #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
Apr 28, 2022
Merged

[pull] master from OWASP:master #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
9cae4a2
Merge tag 'v1.6.0' into develop
PauloASilva Dec 28, 2021
2234252
Fix typo in example API call
malexmave Jan 31, 2022
ee9ab1c
2019 - 0xa6-mass-assignment remove spurious period
kingthorin Feb 11, 2022
13a0d1a
Also adjust other languages
kingthorin Feb 14, 2022
0e121b5
fix: '100' unchanged occurrence in the AR translation
PauloASilva Apr 27, 2022
61627b2
chore: update distributable formats
PauloASilva Apr 27, 2022
d21dbc5
Merge branch 'develop' into PR-50
PauloASilva Apr 27, 2022
1257113
chore: update distributable formats
PauloASilva Apr 27, 2022
ae486e7
Bump version to 1.6.1
PauloASilva Apr 27, 2022
0eee938
Merge branch 'release/1.6.1'
PauloASilva Apr 27, 2022
c15dea7
Merge tag 'v1.6.1' into develop
PauloASilva Apr 27, 2022
c1f6d99
fix: missing space in RU translation (closes #49)
PauloASilva Apr 27, 2022
f165bf0
Bump version to 1.6.2
PauloASilva Apr 27, 2022
8ff6e23
Merge branch 'hotfix/1.6.2'
PauloASilva Apr 27, 2022
cd4c547
Merge tag 'v1.6.2' into develop
PauloASilva Apr 27, 2022
85e7db5
Bump version to 1.6.3
PauloASilva Apr 27, 2022
2ff0254
Merge branch 'release/1.6.3'
PauloASilva Apr 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file modified 2019/ar/dist/owasp-api-security-top-10-ar.odt
View file
Open in desktop
Binary file not shown.
Binary file modified 2019/ar/dist/owasp-api-security-top-10-ar.pdf
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion 2019/ar/src/0xa4-lack-of-resources-and-rate-limiting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@

## السيناريو الثاني :

يقوم التطبيق بعرض المستخدمين بحد اقصى 100 مستخدم في كل صفحة من خلال ارسال طلب الى `/api/users?page=1&size=100`، مما قد يمكن المهاجم من تغير القيمة الى 200000 في عدد أسماء المستخدمين المعروضة في صفحة واحد مما يسبب في حدوث مشكلات في أداة قاعدة البيانات وفي الوقت نفسة تصبح واجهة برمجة التطبيقات غير متاحة وغير قادرة على التعامل مع الطلبات الأخرى ( هجمة حجب الخدمة DOS ) ويمكن استخدام نفس السيناريو لاستعراض الأخطاء او لاستغلال بعض عمليات Integer Overflow او Buffer Overflow.
يقوم التطبيق بعرض المستخدمين بحد اقصى 200 مستخدم في كل صفحة من خلال ارسال طلب الى `/api/users?page=1&size=200`، مما قد يمكن المهاجم من تغير القيمة الى 200000 في عدد أسماء المستخدمين المعروضة في صفحة واحد مما يسبب في حدوث مشكلات في أداة قاعدة البيانات وفي الوقت نفسة تصبح واجهة برمجة التطبيقات غير متاحة وغير قادرة على التعامل مع الطلبات الأخرى ( هجمة حجب الخدمة DOS ) ويمكن استخدام نفس السيناريو لاستعراض الأخطاء او لاستغلال بعض عمليات Integer Overflow او Buffer Overflow.

### كيف أمنع هذه الثغرة؟

Expand Down
2 changes: 1 addition & 1 deletion 2019/ar/src/0xa6-mass-assignment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
يتضمن الطلب GET للمسار التالي `/api/v1/users/me` مع خاصية معرفة الرصيد الائتمانية:

```json
{"user_name":"inons","age":24,"credit_balance":10}.
{"user_name":"inons","age":24,"credit_balance":10}
```

حيث قام المهاجم باعتراض الطلب وتغيره إلى التالي:
Expand Down
Binary file modified 2019/en/dist/owasp-api-security-top-10.odt
View file
Open in desktop
Binary file not shown.
Binary file modified 2019/en/dist/owasp-api-security-top-10.pdf
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion 2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ during the creation of thumbnails and the API becomes unresponsive.

We have an application that contains the users' list on a UI with a limit of
`200` users per page. The users' list is retrieved from the server using the
following query: `/api/users?page=1&size=100`. An attacker changes the `size`
following query: `/api/users?page=1&size=200`. An attacker changes the `size`
parameter to `200 000`, causing performance issues on the database. Meanwhile,
the API becomes unresponsive and is unable to handle further requests from this
or any other clients (aka DoS).
Expand Down
2 changes: 1 addition & 1 deletion 2019/en/src/0xa6-mass-assignment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ The request `GET /api/v1/users/me` includes an additional credit_balance
property:

```json
{"user_name":"inons","age":24,"credit_balance":10}.
{"user_name":"inons","age":24,"credit_balance":10}
```

The attacker replays the first request with the following payload:
Expand Down
Binary file modified 2019/fr/dist/owasp-api-security-top-10.odt
View file
Open in desktop
Binary file not shown.
Binary file modified 2019/fr/dist/owasp-api-security-top-10.pdf
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion 2019/fr/src/0xa4-lack-of-resources-and-rate-limiting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Lorsque le téléversement est terminé, l'API crée plusieurs vignettes avec di

### Scénario #2

Nous avons une application qui contient la liste des utilisateurs avec une limite de `200` utilisateurs par page. La liste des utilisateurs est obtenue auprès du serveur avec la requête suivante : `/api/users?page=1&size=100`. Un attaquant change la valeur de `size`
Nous avons une application qui contient la liste des utilisateurs avec une limite de `200` utilisateurs par page. La liste des utilisateurs est obtenue auprès du serveur avec la requête suivante : `/api/users?page=1&size=200`. Un attaquant change la valeur de `size`
en `200 000`, entrainant des problèmes de perfomance sur la base de données. De ce fait, l'API ne répond plus et n'est plus capable de traiter d'autres requêtes de ce client ou d'autres clients (autrement dit déni de service).

Le même scénario peut être utilisé pour générer des erreurs Integer Overflow ou Buffer Overflow.
Expand Down
2 changes: 1 addition & 1 deletion 2019/fr/src/0xa6-mass-assignment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ La requête `GET /api/v1/users/me` comporte un attribut supplémentaire sur le
solde du compte :

```json
{"user_name":"inons","age":24,"credit_balance":10}.
{"user_name":"inons","age":24,"credit_balance":10}
```

L'attaquant rejoue la première requête avec la charge utile suivante :
Expand Down
Binary file modified 2019/pt-br/dist/owasp-api-security-top-10-pt-br.odt
View file
Open in desktop
Binary file not shown.
Binary file modified 2019/pt-br/dist/owasp-api-security-top-10-pt-br.pdf
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion 2019/pt-br/src/0xa4-lack-of-resources-and-rate-limiting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Um atacante faz *uploads* de imagens grandes enviando request POST em `/api/v1/i

### Cenário #2

Uma aplicação contém uma lista de usuários em uma interface com o limite de `200` usuários por página. A lista é solicitada ao servidor utilizando a seguinte *query* `/api/users?page=1&size=100`. Um atacante modifica o parâmetro `size` de `200` para `200000`, provocando problemas de desempenho no banco de dados. Enquanto isso, a API torna-se indisponível e portanto incapaz de responder outras requisições deste e de todos os demais clientes (também conhecido como DoS).
Uma aplicação contém uma lista de usuários em uma interface com o limite de `200` usuários por página. A lista é solicitada ao servidor utilizando a seguinte *query* `/api/users?page=1&size=200`. Um atacante modifica o parâmetro `size` de `200` para `200000`, provocando problemas de desempenho no banco de dados. Enquanto isso, a API torna-se indisponível e portanto incapaz de responder outras requisições deste e de todos os demais clientes (também conhecido como DoS).

Este mesmo cenário pode ser utilizado para provocar erros de *Integer Overflow* ou *Buffer Overflow*.

Expand Down
2 changes: 1 addition & 1 deletion 2019/pt-br/src/0xa6-mass-assignment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ Um aplicativo de compartilhamento de corridas permite ao usuário a opção de e
A requisição `GET /api/v1/users/me` inclui uma propriedade adicional chamada "credit_balance property":

```json
{"user_name":"inons","age":24,"credit_balance":10}.
{"user_name":"inons","age":24,"credit_balance":10}
```
O atacante repete a primeira requisição com o *payload* abaixo:

Expand Down
Binary file modified 2019/pt-pt/dist/owasp-api-security-top-10.odt
View file
Open in desktop
Binary file not shown.
Binary file modified 2019/pt-pt/dist/owasp-api-security-top-10.pdf
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion 2019/pt-pt/src/0xa4-lack-of-resources-and-rate-limiting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ indisponível.

Uma aplicação apresenta uma listagem de utilizadores até ao limite de 200 por
página. A lista dos utilizadores é obtida por meio dum pedido ao _endpoint_
`/api/users?page=1&size=100`. Um atacante altera o valor do parâmetro `size`
`/api/users?page=1&size=200`. Um atacante altera o valor do parâmetro `size`
de `200` para `200000`, causando problemas de performance no servidor de base de
dados. Enquanto se verificam estes problemas de performance a API fica
indisponível e incapaz de satisfazer pedidos de qualquer utilizador (DoS).
Expand Down
2 changes: 1 addition & 1 deletion 2019/pt-pt/src/0xa6-mass-assignment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ O pedido `GET /api/v1/users/me` incluí uma propriedade `credit_balance`
adicional:

```json
{"user_name":"inons","age":24,"credit_balance":10}.
{"user_name":"inons","age":24,"credit_balance":10}
```

O atacante envia novamente o primeiro pedido com o seguinte conteúdo:
Expand Down
Binary file modified 2019/ru/dist/owasp-api-security-top-10.odt
View file
Open in desktop
Binary file not shown.
Binary file modified 2019/ru/dist/owasp-api-security-top-10.pdf
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion 2019/ru/src/0xa4-lack-of-resources-and-rate-limiting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ API4:2019 Отсутствие Ограничений на Количество

### Сценарий #2

Рассмотрим приложение, отображающее список пользователей в пользовательском интерфейсе с ограничением `200` штук на страницу. Для получения списка пользователей приложение отправляет следующий запрос на сервер: `/api/users?page=1&size=100`. Злоумышленник увеличивает `size` до `200 000`, что приводит к проблемам производительности в базе данных. API перестает отвечать на запросы и больше не может обработать запросы текущего или любого другого клиента (отказ в обслуживании).
Рассмотрим приложение, отображающее список пользователей в пользовательском интерфейсе с ограничением `200` штук на страницу. Для получения списка пользователей приложение отправляет следующий запрос на сервер: `/api/users?page=1&size=200`. Злоумышленник увеличивает `size` до `200 000`, что приводит к проблемам производительности в базе данных. API перестает отвечать на запросы и больше не может обработать запросы текущего или любого другого клиента (отказ в обслуживании).

Аналогичный сценарий может быть использован для обнаружения ошибок переполнения буфера или целочисленного переполнения.

Expand Down
4 changes: 2 additions & 2 deletions 2019/ru/src/0xa6-mass-assignment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ API6:2019 - Массовое Переназначение Параметров (

## Как определить, является ли API уязвимым?

Объекты в современных приложениях могут иметь большое количество свойств. Некоторые из них могут быть изменены напрямую клиентом (например, `user.first_name` или`user.address`), в то время как изменение других не должно быть доступно (например, флаг `user.is_vip`).
Объекты в современных приложениях могут иметь большое количество свойств. Некоторые из них могут быть изменены напрямую клиентом (например, `user.first_name` или `user.address`), в то время как изменение других не должно быть доступно (например, флаг `user.is_vip`).

Конечная точка API уязвима, если она автоматически присваивает предоставленные клиентом параметры свойствам внутренних объектов, не учитывая критичность и уровень доступности этих свойств. Это может позволить злоумышленнику изменить свойства объектов, к которым у него не должно быть доступа.

Expand All @@ -32,7 +32,7 @@ API6:2019 - Массовое Переназначение Параметров (
Запрос к `GET /api/v1/users/me` включает в себя дополнительное свойство credit_balance:

```json
{"user_name":"inons","age":24,"credit_balance":10}.
{"user_name":"inons","age":24,"credit_balance":10}
```

Злоумышленник дублирует первый запрос со следующим телом запроса:
Expand Down
2 changes: 1 addition & 1 deletion VERSION
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.6.0
1.6.3