From 921561cf320a7f7c11970e88d3f6ffd978e82187 Mon Sep 17 00:00:00 2001 From: Jason White Date: Tue, 27 Jun 2017 11:33:39 -0400 Subject: [PATCH] mitigation content update ... 2 --- .../idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc index 15e60830a..8614f16e0 100644 --- a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc +++ b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc @@ -46,7 +46,7 @@ guessed, brute-forced or reverse engineered. This approach should not be the only protection used. It can be used as an additional layer. Your server must implement the logic of mapping client (indirect) to server (direct) references. -=== APIs +=== Access Control & APIs Many time, APIs or RESTFul endpoints rely on obscurity , a static 'key', or lack of imagination on the user's part to control access. Good options such as digitally signed JSON Web Tokens (https://jwt.io) are a good option for API authentication & access control using a combination of the claims and a digital/cryptographic signature to validate the consumer. Other emerging standards such as
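Review bot: the heading now promises "Access Control & APIs", but the paragraph beneath it (unchanged context in this hunk) still only describes authentication, i.e. using JWT claims and a signature "to validate the consumer"; an IDOR mitigation section under that heading should also state that, after the token is validated, the server still has to check that this consumer is authorized for the specific object referenced in the request, which is the point the preceding paragraph makes about mapping indirect to direct references. Consider adding one sentence to that effect, and while the section is being edited, fix the small wording problems in the same paragraph: "Many time" should be "Many times", "RESTFul" should be "RESTful", the stray space before the comma in "obscurity ," should go, and "Good options such as ... are a good option" repeats itself.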