Create Secure Coding - Security Misconfiguration.md

This commit is contained in:
Mehdi 2023-12-16 10:21:02 +03:30 committed by GitHub
parent 6cdc9a18fa
commit 24afe45a32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,158 @@
# Security Misconfiguration (API8:2023)
Due to incorrect configurations or failure to properly manage configuration settings, it is possible for an attacker to exploit default or incorrect settings.
* Example
GET request to get system settings:
```html
GET /api/configurations
```
### Non-compliant code (.NET)
```c#
using System.Web.Http;
namespace MyAPI.Controllers
{
public class UserController : ApiController
{
// GET api/user/{id}
public IHttpActionResult GetUser(int id)
{
// Fetch user data from the database without proper access control
var user = Database.GetUser(id);
return Ok(user);
}
// Other methods...
}
}
```
### Compliant code (.NET)
```c#
using System.Web.Http;
using Microsoft.AspNetCore.Authorization;
namespace MyAPI.Controllers
{
[Authorize] // Apply authorization to the controller
public class UserController : ApiController
{
// GET api/user/{id}
[Authorize(Roles = "Admin")] // Restrict access to authorized users with the "Admin" role
public IHttpActionResult GetUser(int id)
{
// Fetch user data from the database only if the user has the "Admin" role
var user = Database.GetUser(id);
return Ok(user);
}
// Other methods...
}
}
```
## General prevention suggestions:
* Before sending a request to a given URL, check and validate the URI and destination resource carefully.
* Limit the ability to receive information from external sources and limit the list of authorized access to remote URLs.
* Using Whitelist to show only valid addresses and allow access to them.
* Validate and filter user input and URL-related parameters before using them in the request.
* Use network restrictions, such as firewalls, to restrict access to external resources.
* Training the development team to properly evaluate and validate a URI before using it in requests.
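Review bot: The six bullets under "General prevention suggestions" describe SSRF controls (validating the URI and destination resource, allowlisting remote URLs, restricting outbound access with firewalls) rather than Security Misconfiguration, so they do not match the API8:2023 heading or the `GET /api/configurations` example above; they should be replaced with misconfiguration mitigations such as hardened defaults, disabling unneeded features and debug or configuration endpoints, and a repeatable hardening and review process. The compliant sample also mixes `using System.Web.Http;` (`ApiController`) with `using Microsoft.AspNetCore.Authorization;`, which do not belong to the same framework; in classic ASP.NET Web API `[Authorize]` is already provided by `System.Web.Http`, so the second `using` should be dropped (or the sample ported fully to ASP.NET Core). Minor: the request snippet is fenced as `html` where `http` fits better, and `c#` is not a standard fence tag; `csharp` will highlight correctly.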