Create Secure Coding - Security Misconfiguration.md

2023-12-16 10:21:02 +03:30 · 2023-12-16 10:21:02 +03:30 · 24afe45a32
commit 24afe45a32
parent 6cdc9a18fa
1 changed files with 158 additions and 0 deletions
--- a/Misconfiguration.md
+++ b/Misconfiguration.md
@ -0,0 +1,158 @@
+# Security Misconfiguration (API8:2023)
+Due to incorrect configurations or failure to properly manage configuration settings, it is possible for an attacker to exploit default or incorrect settings.
+
+* Example
+
+GET request to get system settings:
+
+```html
+GET /api/configurations
+```
+
+### Non-compliant code (.NET)
+```c#
+using System.Web.Http;
+namespace MyAPI.Controllers
+{
+    public class UserController : ApiController
+    {
+        // GET api/user/{id}
+        public IHttpActionResult GetUser(int id)
+        {
+            // Fetch user data from the database without proper access control
+
+            var user = Database.GetUser(id);
+            return Ok(user);
+        }
+        // Other methods...
+    }
+}
+```
+
+### Compliant code (.NET)
+```c#
+using System.Web.Http;
+using Microsoft.AspNetCore.Authorization;
+namespace MyAPI.Controllers
+{
+    [Authorize] // Apply authorization to the controller
+    public class UserController : ApiController
+    {
+        // GET api/user/{id}
+        [Authorize(Roles = "Admin")] // Restrict access to authorized users with the "Admin" role
+
+        public IHttpActionResult GetUser(int id)
+        {
+            // Fetch user data from the database only if the user has the "Admin" role
+            var user = Database.GetUser(id);
+            return Ok(user);
+        }
+        // Other methods...
+    }
+}
+```
+
+## General prevention suggestions:
+
+* Before sending a request to a given URL, check and validate the URI and destination resource carefully.
+
+* Limit the ability to receive information from external sources and limit the list of authorized access to remote URLs.
+
+* Using Whitelist to show only valid addresses and allow access to them.
+
+* Validate and filter user input and URL-related parameters before using them in the request.
+
+* Use network restrictions, such as firewalls, to restrict access to external resources.
+
+* Training the development team to properly evaluate and validate a URI before using it in requests.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+