客户端知道所有端点名称是否构成安全风险?

huangapple go评论57阅读模式
英文:

Does the client knowing all the endpoint names pose a security risk?

问题

在辩论的背景下,出现了一个问题:当客户端知晓所有端点名称时,应考虑哪些安全措施?情景涉及客户端知晓服务在服务器端暴露的具体位置或地址。

英文:

In the context of a debate, the question arises: What security measures should be considered when the client possesses knowledge of all the endpoint names? The scenario involves the client being aware of the specific locations or addresses where services are exposed on the server side.

答案1

得分: 0

并不比某人知道网站的URL有什么不同?

只要这些API不使用数据库的主键ID,或者在这种情况下,API限制数据基于用户的登录与给定的数据库主键ID相关。

所以,不,这不应该是一个问题。

通常情况下,我不会在客户端网页(JavaScript)上公开数据库的主键ID,也不允许API调用这样做。

然而,在允许传递数据库主键ID的情况下,必须强制执行基于用户登录的限制(服务器端),否则我可以传递别人的信用卡号并获取他们的余额,正如前面所述。

然而,如前所述,对于一般允许或使用或公开数据库主键ID的网页,还必须进一步进行测试和过滤。

所以,即使是一个简单的页面上的一个提示输入发票号码的文本框?嗯,该发票余额或发票号码查询仍然必须基于用户的登录来限制数据。

因此,对于一个简单的Web API,以及用于数据查询的简单数据输入页面上的任何简单数据输入?

用户输入必须是防止SQL注入的安全,通常返回的数据集也必须基于用户的登录进行过滤。

因此,无论是一个简单的网页还是一个简单的API调用,规则都基本相同。

例如,在一个简单的网页上,如果用户从表(或网格视图或其他任何东西)中选择一个值,那么在这种情况下,我不会公开数据库的主键。相反,我会将仅选择的行索引传递给服务器端代码。然而,在Web API的情况下,该表的数据键列表不太可能已被保留或可用。因此,再次说到,无论是提示输入某个“ID”的简单文本框还是API调用?基本上都适用相同的规则。

因此,结果是,基于接受输入的基本网页或API调用,不应该有更多或更少的安全风险。

因此,从某个特定网页或特定Web API的知识不应该有所影响。

另一方面,如果这些API可以执行原始的数据库函数,那么你就会面临巨大的安全问题。然而,这个安全问题不是某个API或某个网页的结果,而是设计确保这种用户提供的输入是有效的,也不会危险,也不会允许某人获取或获取不属于当前用户的数据的结果。

英文:

Not really any different then someone knowing URL's of a web site?

As long as those API's don't use database PK id's, or if in that case the API's limit data to a given database PK based on the user's logon.

So, no, it should not be a issue.

I don't as a general rule expose database PK id's to the client side web page (JavaScript), nor do I allow as such for a API calls.

However, in the cases that database PK id's are allowed to be passed, then a restriction (server side) based on the users logon has to be enforced, else I could pass say a credit card number that belongs to someone else and say get their balance.

However, as noted, the same basic restrictions for a web page in general that allows or uses or exposes say a database PK id to the client side web page has to be further tested and filtered.

So, even a simple textbox on a page that prompts for say a invoice number? Well, that invoice balance or invoice number query still has to restrict data based on the users logon.

Quite much the same basic concepts are thus applied to a web API, and like any simple data input used for data query on a simple data entry page?

That user input has to be SQL injection safe, and often that data set returned also has to be filtered based on the user's logon.

So be this a simple web page, or a simple API call, the rules are quite much the same.

For example, on a simple web page, if a user selects a value from a table (or gridview, or whatever), then I don't expose the database PK's in that case, and I'll pass JUST the row index selection to server side code. However, with a web API, then the datakeys list for that table is unlikely to have been persisted or available. Thus, once again, be this a simple text box that prompts for some "id", or a API call? Quite much the same rules apply.

So, as a result, there should be no more, or less security risk from a basic web page that accepts input, or that of a API call.

And thus it follows that knowledge of a particular web page, or a particular web API should not matter.

On the other hand, if those API can say execute raw database functions, then you have a huge security issue. However, that security issue is not the result of some API, or some web page, but that of design ensuing that such user supplied input is valid, and also not dangerous, nor can it allow one to get or grab data that does not belong to the current user in question.

huangapple
  • 本文由 发表于 2023年6月11日 22:29:30
  • 转载请务必保留本文链接:https://go.coder-hub.com/76450958.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定