Comments (2)
OWASP Top 10 Details
We will need to go through all API endpoints and apply these guides:
- SQL injection: Injection flaws, such as SQL, OS, XXE, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently).
- Cross-site scripting
- Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
- Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
- Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
- The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.
- Cross-Site Request Forgery (CSRF)
- Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
- Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.
from voyage-api-dotnet.
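As an added illustration (not code from voyage-api-dotnet), a hypothetical ASP.NET Web API 2 controller showing how the injection, access-control and underprotected-API bullets above apply to a single endpoint: the unsafe method concatenates a route value into SQL and returns any user's record, while the hardened method parameterizes the query and only lets callers read their own data. The `PhonesController` name, the `Phones` table, the `Administrator` role, the route and the injected connection string are all assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Web.Http;

// Hypothetical controller for illustration only; not part of voyage-api-dotnet.
[Authorize]                                  // every action requires an authenticated caller
public class PhonesController : ApiController
{
    private readonly string _connectionString;   // assumed to be supplied by DI from secure config

    public PhonesController(string connectionString) { _connectionString = connectionString; }

    // Vulnerable: the untrusted route value is concatenated into the query (injection),
    // and nothing ties the requested record to the caller (missing access control).
    public string GetPhoneUnsafe(string userId)
    {
        var sql = "SELECT PhoneNumber FROM Phones WHERE UserId = '" + userId + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Hardened: parameterized query, and the caller may only read their own record
    // unless they hold the admin role. 403 signals "authenticated but not allowed".
    [HttpGet, Route("api/users/{userId}/phone")]
    public IHttpActionResult GetPhone(string userId)
    {
        var callerId = User.Identity.Name;       // identity set by the authentication pipeline
        if (callerId != userId && !User.IsInRole("Administrator"))
            return StatusCode(HttpStatusCode.Forbidden);

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT PhoneNumber FROM Phones WHERE UserId = @userId", conn))
        {
            // Typed parameter: the value is never interpreted as SQL.
            cmd.Parameters.Add("@userId", SqlDbType.NVarChar, 64).Value = userId;
            conn.Open();
            var phone = cmd.ExecuteScalar() as string;
            return phone == null ? (IHttpActionResult)NotFound() : Ok(phone);
        }
    }
}
```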
Need some insights on the last bullet point @maniphanh @ajayboina
from voyage-api-dotnet.