Unrestricted Access to Sensitive Business Flows (API6:2023)
This vulnerability lets an attacker use the application's legitimate, authorized functions for unauthorized purposes: the individual request is valid, but the business flow it belongs to (buying a ticket, reserving stock, posting a comment) is exposed with no control over who may run it, how often, or under what conditions.
- Example: a POST request that purchases an air ticket by supplying passenger details:

```text
POST /api/tickets/buy
Body:
{
  "passenger_name": "John Doe",
  "flight_number": "AB123",
  "departure_date": "2023-07-01"
}
```
Non-compliant code (.NET)

```csharp
using System.Web.Http;

// OrderRequest, Order and IOrderService are the application's own types (not shown here).
[Route("api/orders")]
public class OrderController : ApiController
{
    private readonly IOrderService _orderService;

    public OrderController(IOrderService orderService)
    {
        _orderService = orderService;
    }

    [HttpPost]
    public IHttpActionResult CreateOrder(OrderRequest request)
    {
        // Create a new order without authentication, authorization or input validation:
        // any caller can drive this sensitive business flow, as often as they like
        Order order = _orderService.CreateOrder(request);

        // Return the created order
        return Ok(order);
    }

    [HttpGet]
    [Route("{orderId}")]
    public IHttpActionResult GetOrder(string orderId)
    {
        // Get the order by ID without checking who is asking for it
        Order order = _orderService.GetOrder(orderId);

        // Return the order
        return Ok(order);
    }

    // Other methods...
}
```
Compliant code (.NET)

```csharp
using System.Web.Http;

// OrderRequest, Order and IOrderService are the application's own types (not shown here).
[Route("api/orders")]
public class OrderController : ApiController
{
    private readonly IOrderService _orderService;

    public OrderController(IOrderService orderService)
    {
        _orderService = orderService;
    }

    [HttpPost]
    [Authorize(Roles = "Admin")]
    public IHttpActionResult CreateOrder(OrderRequest request)
    {
        // Only authenticated callers in the "Admin" role reach this point;
        // validate the request before creating the order
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        Order order = _orderService.CreateOrder(request);

        // Return the created order
        return Ok(order);
    }

    [HttpGet]
    [Route("{orderId}")]
    [Authorize(Roles = "User")]
    public IHttpActionResult GetOrder(string orderId)
    {
        // Authorize the user's access to the order:
        // only authenticated users with the "User" role can access the order
        Order order = _orderService.GetOrder(orderId);

        // Return the order
        return Ok(order);
    }

    // Other methods...
}
```
General prevention suggestions:

- Implement user authentication and validation mechanisms before granting access to a sensitive business flow.
- Check and validate user data and inputs carefully, including dates and input formats.
- Apply logical restrictions and rules (such as per-user limits) to access to sensitive business flows.
- Use logging and monitoring to reveal and track suspicious or inappropriate activity in business flows.
- Provide and use intermediaries (API gateways) that can control and manage access to business flows.
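The following Python script is an added example, not code from the page or from any framework it mentions; it illustrates the "logical restrictions" and "logging and monitoring" suggestions for the ticket-purchase flow above. The limit values, account names, log format and `PurchaseFlowGuard` / `flag_hoarding` names are constructed for the example. The guard is meant to sit behind authentication and input validation and decide, per account, whether the flow may run again; the monitoring function replays access-log lines to surface accounts that complete the same purchase unusually often.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy for the ticket-purchase flow (constructed values, not from the page):
# an account may complete at most MAX_PURCHASES_PER_WINDOW purchases per WINDOW.
MAX_PURCHASES_PER_WINDOW = 4
WINDOW = timedelta(minutes=10)


class PurchaseFlowGuard:
    """Per-account sliding-window limiter, consulted before the purchase is executed.

    This is the "logical restriction" layer: it does not replace authentication or
    input validation, it bounds how often an already authenticated account may run
    the sensitive flow.
    """

    def __init__(self, limit=MAX_PURCHASES_PER_WINDOW, window=WINDOW):
        self.limit = limit
        self.window = window
        self._accepted = defaultdict(deque)  # account -> timestamps of accepted purchases

    def allow(self, account, now):
        """Return True and record the purchase if the account is under its limit."""
        history = self._accepted[account]
        while history and now - history[0] >= self.window:
            history.popleft()  # drop purchases that fell out of the window
        if len(history) >= self.limit:
            return False
        history.append(now)
        return True


# Constructed access-log lines for /api/tickets/buy (one line per completed purchase).
SAMPLE_LOG = """\
2023-06-15T10:00:01Z account=alice flight=AB123 status=200
2023-06-15T10:00:03Z account=bot42 flight=AB123 status=200
2023-06-15T10:00:05Z account=bot42 flight=AB123 status=200
2023-06-15T10:00:08Z account=bot42 flight=AB123 status=200
2023-06-15T10:00:12Z account=bot42 flight=AB123 status=200
2023-06-15T10:00:20Z account=bot42 flight=AB123 status=200
2023-06-15T10:00:40Z account=bot42 flight=AB123 status=200
2023-06-15T10:05:00Z account=bob flight=CD456 status=200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"account=(?P<account>\S+) flight=(?P<flight>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into (timestamp, account, flight, status); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("account"), m.group("flight"), int(m.group("status"))


def replay_with_guard(lines, guard):
    """Replay the log through the guard; return {account: (accepted, rejected)}."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, _flight, _status = parsed
        accepted, rejected = counts.get(account, (0, 0))
        if guard.allow(account, ts):
            accepted += 1
        else:
            rejected += 1
        counts[account] = (accepted, rejected)
    return counts


def flag_hoarding(lines, per_flight_threshold=3, window=WINDOW):
    """Monitoring view: accounts that completed at least `per_flight_threshold`
    purchases of the same flight inside one window. Returns {(account, flight)}."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 200:
            continue  # only completed purchases count
        ts, account, flight, _ = parsed
        key = (account, flight)
        history = recent[key]
        while history and ts - history[0] >= window:
            history.popleft()
        history.append(ts)
        if len(history) >= per_flight_threshold:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(replay_with_guard(lines, PurchaseFlowGuard()))  # bot42 gets 4 accepted, 2 rejected
    print(flag_hoarding(lines))  # {('bot42', 'AB123')}
```

On the constructed log the guard lets `alice` and `bob` through untouched, caps `bot42` at four purchases in the window and rejects the remaining two, while the monitoring pass flags `bot42` for repeatedly buying the same flight. In a real deployment the guard's decision would be taken in the controller (or an API gateway in front of it) after `[Authorize]` has established who the caller is, and the flagged pairs would feed an alerting pipeline rather than a print statement.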