dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mitigation content update ... 2

Browse Source
This commit is contained in:
Jason White 2017-06-27 11:33:39 -04:00
parent ebb851b361
commit 921561cf32
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc
View File

@ -46,7 +46,7 @@ guessed, brute-forced or reverse engineered.
This approach should not be the only protection used. It can be used as an additional layer. Your server must This approach should not be the only protection used. It can be used as an additional layer. Your server must
implement the logic of mapping client (indirect) to server (direct) references. implement the logic of mapping client (indirect) to server (direct) references.
=== APIs === Access Control & APIs
Many time, APIs or RESTFul endpoints rely on obscurity , a static 'key', or lack of imagination on the user's part to control access. Many time, APIs or RESTFul endpoints rely on obscurity , a static 'key', or lack of imagination on the user's part to control access.
Good options such as digitally signed JSON Web Tokens (https://jwt.io) are a good option for API authentication & access control using a Good options such as digitally signed JSON Web Tokens (https://jwt.io) are a good option for API authentication & access control using a
combination of the claims and a digital/cryptographic signature to validate the consumer. Other emerging standards such as combination of the claims and a digital/cryptographic signature to validate the consumer. Other emerging standards such as