Tuesday, 2 August 2016

API: How do I pass parameters to a REST API without including them in the QueryString? (Overcome penetration testing issues before they occur)

A recent penetration test of some API code showed that user information (such as an email address) was being displayed in the querystring.

The API was:

public void DoSomething(string login, string email)
{
    // stuff
}

A simple view of the endpoint in a browser would display the user's details.
The network tab in Chrome showed "api/MyAPIEndPoint?login=X12345&email=test@test.com".

A new approach was required.
The solution is to include the data in the body of the Request.
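To make the difference concrete, here is an added example (not code from the original post) that builds the request both ways, shows what a typical access log line would record for each, and provides a small audit check that flags sensitive field names sent in the query string. The endpoint and field names follow the post; the log line format and the list of sensitive field names are constructed for the example.

```javascript
// Added example: models where API parameters end up (URL vs body) and
// flags sensitive fields travelling in the query string.
// Field list and log format are constructed assumptions, not from the post.
const SENSITIVE_FIELDS = ["email", "login", "password", "token"];

// Build the request as the "before" (GET + query string) and
// "after" (POST + JSON body) versions of the post do.
function buildRequest(method, url, params) {
  if (method === "GET") {
    const qs = new URLSearchParams(params).toString();
    return { method, url: qs ? `${url}?${qs}` : url, body: null };
  }
  return { method, url, body: JSON.stringify(params) };
}

// A typical access log records method and full request target, never
// the body, so query-string values persist in server logs, proxies and
// browser history. Constructed Common-Log-style line.
function accessLogLine(req) {
  return `"${req.method} ${req.url} HTTP/1.1" 200`;
}

// Audit check: names of sensitive parameters present in a URL's query
// string; an empty array means nothing sensitive is in the URL.
function sensitiveParamsInQuery(url) {
  const idx = url.indexOf("?");
  if (idx === -1) return [];
  const keys = [...new URLSearchParams(url.slice(idx + 1)).keys()];
  return keys.filter((k) => SENSITIVE_FIELDS.includes(k.toLowerCase()));
}

// Constructed sample values matching the post
const params = { Login: "X12345", Email: "test@test.com" };
const before = buildRequest("GET", "/api/MyAPIEndPoint", params);
const after = buildRequest("POST", "/api/MyAPIEndPoint", params);

console.log(accessLogLine(before)); // email visible in the logged URL
console.log(accessLogLine(after));  // only the path is logged
console.log(sensitiveParamsInQuery(before.url)); // ["Login", "Email"]
console.log(sensitiveParamsInQuery(after.url));  // []
```

The same check can be run over captured request URLs from a proxy or access log to catch regressions after the endpoint has been changed.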

The factory function is updated as follows:

function DoSomething(login, email, success, failure) {
    var url = "/api/MyAPIEndPoint";

    // Parameters go in the request body, not the URL
    var parameter = {
        "Login": login,
        "Email": email
    };

    return executePost(url, parameter, success, failure);
}

function executePost(url, parameters, success, failure) {
    var req = {
        method: 'POST',
        url: url,
        data: parameters
    };

    return $http(req).then(function (data) {
        return success(data);
    }, function (err) {
        return failure(err);
    });
}

And I added the following code to the endpoint to capture the parameters:

1. Declare a class to hold the data

private class Parameters
{
    public string Login { get; set; }
    public string Email { get; set; }
}

2. Deserialise the JSON object from the request

// Requires: using System.Net.Http; using Newtonsoft.Json;
HttpContent requestContent = Request.Content;
// .Result blocks the thread; in an async action prefer await ReadAsStringAsync()
string jsonContent = requestContent.ReadAsStringAsync().Result;
Parameters userParams = JsonConvert.DeserializeObject<Parameters>(jsonContent);

I now have the parameters in the userParams object.
