API: How do I pass parameters to a REST API without including them in the QueryString? (Overcome penetration testing issues before they occur)
A recent penetration test of some API code showed that user information (such as an email address) was being exposed in the query string.
The API was:
[HttpPost]
[Route("api/MyAPIEndPoint")]
public void DoSomething(string login, string email)
{
    // stuff
}
A simple view of the endpoint with a browser would display the user's details.
The network tab in Chrome showed "api/MyAPIEndPoint?login=X12345&email=test@test.com".
A new approach was required.
The solution is to include the data in the body of the Request.
The factory event is updated as follows:
function DoSomething(login, email, success, failure) {
    var url = "/api/MyAPIEndPoint";
    // The values travel in the JSON body, so they no longer appear in the URL.
    var parameter = {
        "Login": login,
        "Email": email
    };
    return executePost(url, parameter, success, failure);
}

function executePost(url, parameters, success, failure) {
    var req = {
        method: 'POST',
        url: url,
        data: parameters
    };
    // Return the promise so callers of DoSomething can chain on it.
    return $http(req).then(function (data) {
        return success(data);
    },
    function (err) {
        return failure(err);
    });
}
And I added the following code to the endpoint to capture the parameters:
1. Declare a class to hold the data
private class Parameters
{
    public string Login { get; set; }
    public string Email { get; set; }
}
2. Deserialise the JSON object from the request
// Read the raw JSON body of the POST and deserialise it (JsonConvert is Newtonsoft.Json)
HttpContent requestContent = Request.Content;
string jsonContent = requestContent.ReadAsStringAsync().Result;
Parameters userParams = JsonConvert.DeserializeObject<Parameters>(jsonContent);
I now have the parameters in the userParams object.
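To catch this class of finding before the next penetration test, the following added example (not code from the original post) scans constructed web-server log lines for user data in query strings, and shows the corrected request shape with the data in the body. The log line layout ("timestamp method path-and-query status") and the sensitive parameter names are assumptions.

```javascript
// Added example: detect user identifiers leaking into query strings (the issue the
// pentest found) and build the corrected POST request with the data in the body.
const SENSITIVE_PARAM_NAMES = new Set(['login', 'email', 'password', 'token']); // assumed list
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Parse one log line of the assumed form "<timestamp> <method> <path-and-query> <status>"
// and report every query parameter that carries user data, by name or by value.
function findQueryStringLeaks(logLine) {
  const parts = logLine.trim().split(/\s+/);
  if (parts.length < 4) return [];
  const [, method, target] = parts;
  const url = new URL(target, 'http://placeholder.invalid'); // base is only needed for parsing
  const leaks = [];
  for (const [name, value] of url.searchParams) {
    const byName = SENSITIVE_PARAM_NAMES.has(name.toLowerCase());
    const byValue = EMAIL_RE.test(value);
    if (byName || byValue) {
      leaks.push({ method, path: url.pathname, param: name,
                   reason: byName ? 'sensitive-name' : 'email-value' });
    }
  }
  return leaks;
}

function scanLog(lines) {
  return lines.flatMap(findQueryStringLeaks);
}

// The corrected client request: values go in the JSON body, the URL carries no query string.
function buildPostRequest(login, email) {
  return {
    method: 'POST',
    url: '/api/MyAPIEndPoint',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ Login: login, Email: email })
  };
}

// Constructed sample log lines; the first is the request the pentest flagged.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z GET /api/MyAPIEndPoint?login=X12345&email=test@test.com 200',
  '2024-01-01T10:00:01Z GET /api/Search?q=widgets&page=2 200',
  '2024-01-01T10:00:02Z GET /api/Lookup?contact=someone@example.com 200',
  '2024-01-01T10:00:03Z POST /api/MyAPIEndPoint 200'
];

console.log(scanLog(SAMPLE_LOG));
console.log(buildPostRequest('X12345', 'test@test.com'));
```

Run the scanner over real access logs periodically; any hit is a candidate for moving the parameter into the request body as described above.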