From 24afe45a32ade93a6a00548cda099faf8b1cd9fc Mon Sep 17 00:00:00 2001 From: Mehdi Date: Sat, 16 Dec 2023 10:21:02 +0330 Subject: [PATCH] Create Secure Coding - Security Misconfiguration.md --- Secure Coding - Security Misconfiguration.md | 158 +++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 Secure Coding - Security Misconfiguration.md diff --git a/Secure Coding - Security Misconfiguration.md b/Secure Coding - Security Misconfiguration.md new file mode 100644 index 0000000..e3cbc5c --- /dev/null +++ b/Secure Coding - Security Misconfiguration.md @@ -0,0 +1,158 @@ +# Security Misconfiguration (API8:2023) +Due to incorrect configurations or failure to properly manage configuration settings, it is possible for an attacker to exploit default or incorrect settings. + +* Example + +GET request to get system settings: + +```html +GET /api/configurations +``` + +### Non-compliant code (.NET) +```c# +using System.Web.Http; +namespace MyAPI.Controllers +{ + public class UserController : ApiController + { + // GET api/user/{id} + public IHttpActionResult GetUser(int id) + { + // Fetch user data from the database without proper access control + + var user = Database.GetUser(id); + return Ok(user); + } + // Other methods... + } +} +``` + +### Compliant code (.NET) +```c# +using System.Web.Http; +using Microsoft.AspNetCore.Authorization; +namespace MyAPI.Controllers +{ + [Authorize] // Apply authorization to the controller + public class UserController : ApiController + { + // GET api/user/{id} + [Authorize(Roles = "Admin")] // Restrict access to authorized users with the "Admin" role + + public IHttpActionResult GetUser(int id) + { + // Fetch user data from the database only if the user has the "Admin" role + var user = Database.GetUser(id); + return Ok(user); + } + // Other methods... + } +} +``` + +## General prevention suggestions: + +* Before sending a request to a given URL, check and validate the URI and destination resource carefully. + +* Limit the ability to receive information from external sources and limit the list of authorized access to remote URLs. + +* Using Whitelist to show only valid addresses and allow access to them. + +* Validate and filter user input and URL-related parameters before using them in the request. + +* Use network restrictions, such as firewalls, to restrict access to external resources. + +* Training the development team to properly evaluate and validate a URI before using it in requests. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +