API: How do I pass parameters to a REST API without including them in the QueryString? (Overcome penetration testing issues before they occur)

A recent penetration test of some API code showed that user information (such as an email address) was being displayed in the querystring.

The API was:

[HttpPost]
[Route("api/MyAPIEndPoint")]
public void DoSomething(string login, string email) { // stuff }

A simple view of the endpoint with a browser would display the users details.
The network tab in Chrome showed "api/MyAPIEndPoint?login=X12345&email=test@test.com".

A new approach was required.
The solution is to include the data in the body of the Request.

The factory event is updated as follows:

function DoSomething(login, email, success, failure) {
var url = "/api/MyAPIEndPoint";

var parameter =
{
"Login": login,
                "Email": email
};

return executePost(url, parameter, success, failure);
}

function executePost(url, parameters, success, failure) {
var req = {
method: 'POST',
url: url,
data: parameters
};

$http(req).then(function (data) {
return success(data);
},
function (err) {
return failure(err);
}
);
}

And I added the following code to the endpoint to capture the parameters:

1. Declare a class to hold the data
private class Parameters()
{
public string Login {get;set;}
public string Email {get;set;}
}

2. Deserialise the JSON object from the request

HttpContent requestContent = Request.Content;
string jsonContent = requestContent.ReadAsStringAsync().Result;
Parameters userParams = JsonConvert.DeserializeObject<Parameters>(jsonContent);

I now have the parameters in the userParams class. 



Comments

Post a Comment

Popular posts from this blog

SharePoint 2013: Error updating managed account credentials

I encountered the following message when trying to change a password for a managed account: Error deploying administration application pool credentials. Another deployment may be active. An object of the type Microsoft.SharePoint.Administration.SPAdminAppPoolCredentialDeploymentJobDefinition named "job-admin-apppool-change" already exists under the parent Microsoft.SharePoint.Administration.SPTimerService named "SPTimerV4".  Rename your object or delete the existing object. The error message is self explanatory - Rename your object or delete the existing object.  I choose the latter. Powershell to the rescue. $job = Get-SPTimerJob -Identity "job-admin-apppool-change" $job.Delete() Reset the password and all should be good.
Read more

Error deploying Nintex workflow: An item with the same key has already been added

My client recently upgraded their version of Nintex Workflow 2010 and suddenly some of my workflows started to fail on deployment. The following error cropped up: Error deploying workflow: Server was unable to process request. ---> An item with the same key has already been added. ---> An item with the same key has already been added. WTF???? A little digging unveiled the problem - I had two items in a 'Create Item' shape with the SAME DISPLAYNAME. I needed to move the second item to a new 'Update Item' shape in order for it to work. I order to get the workflow to deploy, I had to manually remove the 'duplicate' item from the serialized XML. Hooray!! It was then a simple matter of creating a new shape to update the 'duplicate' value.
Read more