CTF 5 revealed (wizer-ctf.com/...), and the main key takeaways are:
Never rely on UUID record IDs as a way of securing your data:
Using a sequential ID or a UUID should be considered almost the same security level, which is basically none. You should always assume that there is a way to obtain those IDs. The best practice is to implement proper access control, including authentication and authorization, where the system validates that the current user is authorized to access the requested data.
NoSQL injections are real and exist in the wild:
Always make sure your code is well protected and that user input is properly sanitized to prevent undesired access to data. Starting with a list of allowed values (and opening it up as needed) is always better than allowing all values and narrowing them down later.
Tighten the logic of the code and validate returned values:
In this case, the /companies endpoint is designed to return a single record. Even where NoSQL injection is possible, it is always important to add a logical layer that prevents access to unwanted data: check that exactly one record is returned and that it has the requested ID.
Wizer Free Security Awareness Training (wizer-training...) includes everything you need to train your employees on how to protect themselves against cyber attacks. Yes, our basic plan is 100% free forever, with free videos, quizzes, employee progress reports, and much more. Additional compliance training such as HIPAA, GDPR and phishing simulation and phishing gamification is offered in our paid Boost version.
Get started here: www.wizer-trai...
Follow us and join in the conversations!
LinkedIn: / wizer-1-minute-security
Twitter: / wizertraining
Facebook: / staywizer
Secure Coding Training - NoSQL injection and IDOR