Code Reuse Causes a Leaky Web API

I am going to share a common mistake in Web API design. When I was a software developer a long time ago, we were expected to write effective code by reusing functions and code as much as possible, so that the same thing was not developed again and again.

With that mindset, a developer will often create one very big function that handles many cases and returns a large data set, and the data it returns is then filtered down again wherever it is needed. For example, a "get user profile" function returns all of the user's details (name, email address, phone, password and so on) when the actual need is only to show the name.

Let's look at the sample below.

An HTTP API is called to feed the mobile app's GUI with the information it needs to show the username and the user's comments on a post.

But after checking the server response to that API call, I found that it returned more data than the screen needs, such as the last name, the email address and even the password.

It is likely that the developer wanted to reuse the same API code for several purposes, including the scenario above, so that less code has to be maintained. From a security perspective, however, this is unnecessary data leakage: an adversary who intercepts the API response, for example by proxying the client's traffic, sees all of those extra fields in clear text.
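The anti-pattern described above, shown next to a hardened version, as an added example that is not code from the original post. It is a plain Python module with no web framework: `User`, `fetch_user`, `COMMENTS` and the sample record values are all constructed for this illustration. The "before" endpoint serialises the reused profile loader as-is, so every column reaches the client; the "after" endpoint copies only an explicit allow-list of fields into a per-endpoint view model. A small `leaked_fields` helper walks a response and reports sensitive key names, which is the kind of check a code reviewer or an automated test can run against each endpoint.

```python
"""Excessive data exposure from a reused profile loader, and the fix.

Added example (not the original post's code). User, fetch_user, COMMENTS and
all sample values are constructed for illustration only.
"""
import json
from dataclasses import asdict, dataclass


@dataclass
class User:
    id: int
    username: str
    lastname: str
    email: str
    phone: str
    password_hash: str  # constructed placeholder value below, not a real hash


def fetch_user(user_id: int) -> User:
    """Stand-in for the big, reused 'load everything about the user' function."""
    return User(
        id=user_id,
        username="alice",
        lastname="Doe",
        email="alice@example.com",
        phone="+1-555-0100",
        password_hash="$2b$12$CONSTRUCTED_PLACEHOLDER_HASH",
    )


# Constructed comment store keyed by user id.
COMMENTS = {7: [{"id": 101, "post_id": 3, "text": "Nice post!"}]}


def leaky_comment_view(user_id: int) -> str:
    """BEFORE: the whole User record is serialised into the response.

    The GUI only shows username + comments, but lastname, email, phone and
    password_hash all travel to the client and are visible to anyone proxying it.
    """
    user = fetch_user(user_id)
    return json.dumps({"user": asdict(user), "comments": COMMENTS.get(user_id, [])})


# Per-endpoint allow-list: the response contract is written down explicitly.
PUBLIC_USER_FIELDS = ("id", "username")


def comment_view(user_id: int) -> str:
    """AFTER: build a view model containing only what this screen needs."""
    user = fetch_user(user_id)
    public_user = {field: getattr(user, field) for field in PUBLIC_USER_FIELDS}
    return json.dumps({"user": public_user, "comments": COMMENTS.get(user_id, [])})


# Key names a reviewer would not expect in a comment-list response.
SENSITIVE_KEYS = {"password", "password_hash", "email", "phone", "lastname"}


def leaked_fields(response_json: str) -> set:
    """Review helper: return every sensitive key name found anywhere in a JSON response."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_KEYS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(response_json))
    return found


if __name__ == "__main__":
    print("leaky response leaks:", sorted(leaked_fields(leaky_comment_view(7))))
    print("fixed response leaks:", sorted(leaked_fields(comment_view(7))))
```

The design point is that reuse moves from the response to the data-access layer: `fetch_user` can still be shared, but each endpoint owns its own allow-list of fields, so adding a new column to the user table cannot silently widen an existing response. The `leaked_fields` check is deliberately key-name based so it can be pointed at any endpoint's output in a unit test during code review.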

This is one of the reasons we need a Secure SDLC: two mindsets, effectiveness and security, have to be combined to produce code that is both effective and secure. Usually the security analyst is involved during the design phase and also performs regular code reviews to assess the security of the implementation.
