我正在设计一个供多个用户使用的Web应用程序(JavaScript + Web服务API),每个用户都有一个用户角色,其中数据保存在共享数据库和共享表中。至关重要的是,永远不允许用户访问未经授权的数据(基于其指定的角色)。
我担心以下情况造成的安全威胁:
用户X是组织A的管理员用户,想要添加用户 到组织A的报告联系人组。
使用用户界面,用户X首先在网络服务API中查询可用用户列表。
API对用户X进行身份验证和授权,并返回列表 用户记录用户X的角色配置文件授予他访问权限。
但是,在点击保存按钮之前,用户X会将不在授权列表中的用户ID注入用于更新联系人组的API调用中。
如何有效地保护我的网络服务API免受此类攻击?
或
答案 0 :(得分:0)
Unless you have very strict security requirements, I don't think exposing the PK ID values should be a major concern, but if it's practical, it's probably not a bad idea to abstract them away with some kind of substitution (just make sure you don't over-engineer that part, and risk introduce bugs or ID-collisions as a result).
In either case, what's important is that you repeat the authorization process before you complete a change. The simplest way to do this is probably just to repeat the call you did when getting the list of records in the first place, and getting a new list instead. Now you perform the change on some target record if and only if that target exists in this new list; the original list presented to User X is simply thrown away, and any change he has made to it will be irrelevant.