diff --git a/Secure Coding - Unsafe Consumption of APIs.md b/Secure Coding - Unsafe Consumption of APIs.md new file mode 100644 index 0000000..3d4e292 --- /dev/null +++ b/Secure Coding - Unsafe Consumption of APIs.md @@ -0,0 +1,189 @@ +# Unsafe Consumption of APIs (API10:2023) +Due to the above vulnerability, the attacker is able to send or receive information from the sources of the supply chain or implement her desired requests in a specific group. + +* Example + +GET request to receive weather information from a third-party service: + +```html +GET /api/weather?location=New+York +``` + +### Non-compliant code (.NET) + +```c# +[ApiController] +[Route("api/weather")] +public class WeatherController : ControllerBase +{ + private readonly IWeatherService weatherService; + public WeatherController(IWeatherService weatherService) + { + this.weatherService = weatherService; + } + + // GET /api/weather + [HttpGet] + public IActionResult GetWeather(string location) + { + // Make a direct call to the third-party weather API + WeatherData weatherData = + weatherService.GetWeatherData(location); + + return Ok(weatherData); + } + + // Other methods... +} +``` + +### Compliant code (.NET) + +```c# +[ApiController] +[Route("api/weather")] +public class WeatherController : ControllerBase +{ + private readonly IWeatherService weatherService; + public WeatherController(IWeatherService weatherService) + { + this.weatherService = weatherService; + } + + // GET /api/weather + [HttpGet] + public IActionResult GetWeather(string location) + { + // Validate the location parameter and restrict access to trusted sources + if (!IsValidLocation(location)) + { + return BadRequest(); + } + + // Make a call to the third-party weather API through the weather service + WeatherData weatherData = weatherService.GetWeatherData(location); + + if (weatherData == null) + { + return NotFound(); + } + return Ok(weatherData); + } + private bool IsValidLocation(string location) + { + // Implement validation logic to ensure the location is safe and trusted + + // This could involve white-listing trusted sources or validating against a known set of safe locations + + // Return true if the location is valid, false otherwise + // Example: return Regex.IsMatch(location, "^[a-zA-Z]+(,[a-zA-Z]+)*$"); + + // Implement your validation logic here + // For simplicity, assuming any location is valid + return true; + } + + // Other methods... +} +``` + +## General prevention suggestions: + +* Trust data received from external APIs with caution and rigorous validation. + +* Check and verify the security and standards of the third-party service before connecting to it. + +* Using encryption to communicate with external services and prevent sending sensitive information normally. + +* Limiting access and levels allowed to third-party services and setting appropriate limits. + +* Implementing protection mechanisms such as prototyping and generalization to ensure the security and reliability of data received from external services. + +* Continuous monitoring and monitoring to detect and fix any defects in the security of external services. + +* Training developers about security principles and correct use of external APIs. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +