Business security interface call security

When designing interfaces, two main security issues need to be considered. The first is interface access verification and permissions, which mainly addresses the legitimacy of interface access (user login verification, source verification, frequency control, etc.). The second is data transmission security, which mainly addresses interface data being eavesdropped on or tampered with, as well as interface error handling (HTTPS secure transmission, sensitive content encryption, digital signatures, etc.).

1. Interface call replay attack

This commonly affects SMS/email verification-code interfaces, order generation, comment submission, etc. The legitimacy of the request must be verified; here, legitimacy mainly means preventing the API from being called illegally, for instance by resubmitting a request that was already sent once.

Repair suggestions:

1. Use a verification-code (captcha) mechanism for comment submission and similar operations, to prevent data-generating business functions from being invoked maliciously;

2. The SMS/email interface needs to control the call frequency or impose an upper limit on the number of calls;

3. Each order (interface access) uses a unique token; after one submission, the token becomes invalid.

 

2. Interface call traversal vulnerability

Web interfaces generally encapsulate common functional requirements: they return the corresponding data or perform the corresponding function according to the parameters passed in. The most common scenario is an interface that takes an id parameter and returns the information belonging to that id. If the request is not strictly checked for legitimacy, such interfaces are prone to privilege escalation (reading another user's record by changing the id) or unauthorized access.

Repair suggestions:

1. Store the current user's credential or id in the session, and only return the result if the credential or id parameter passed in the request matches the one held in the session.

Generally, for interfaces involving identity verification, do not transfer sensitive information in plaintext between the client and the server. Instead, associate the sensitive information with the user ID on the server side, keep only the user ID on the client and submit that to the server; the server then looks up the corresponding information by the ID and performs the verification.

 

3. Interface call parameter tampering vulnerability

This occurs in business flows that send SMS or email, such as SMS verification codes and email verification codes. If the mobile phone number or email address parameter in the corresponding request is modified before submission, and the modified number or address receives the message sent by the system, the interface parameters can be tampered with.

Repair suggestions:

1. Store the important credentials in the session. In flows such as forgotten password and resending the verification code, obtain the user credentials from the session instead of from the parameters of the client's request;

2. Where account information such as the mobile phone number or email address is obtained from the client, verify it against the credentials in the session, and only allow the business operation after the verification passes.

 

4. Unauthorized access/call vulnerabilities of the interface

In normal business, the interface of a sensitive function needs to verify the identity of the visitor, and the interface may only be called after the verification passes. If the interface performs no authentication, or the identity verification is not strict, unauthorized access or unauthorized calls may result. Privilege escalation is divided into vertical privilege escalation (acting with a higher privilege level) and horizontal privilege escalation (acting on another user's data at the same level).

Repair suggestions:

1. Use a token verification method: add a Token parameter to the URL, return the interface data only when the Token is verified, and invalidate the Token after one use;

2. When the interface is called, the server verifies the state of the session. If the user is logged in, it returns the interface data; if not, it returns a custom error message;

3. Perform session authentication on interfaces exposed to unauthorized access: authenticate each URL the user visits, and verify that the user id and token are correct;

4. The server needs to verify the uniqueness of the identity and the source of the interface access. Each identity may only view, modify, delete, or add its own information.
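As an added example (not code from the original post), the following Python sketch shows how the server-side checks recommended in sections 1 to 4 fit together: a session holding the user's id and phone credential, a single-use token consumed on first submission, a resend-code handler that rejects a tampered phone parameter, and an order lookup that compares the record's owner with the session user. The `Session` class, the `orders` store and the handler names are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session (hypothetical): credentials live here, not in the request."""
    user_id: int
    phone: str                                  # credential bound at login
    tokens: set = field(default_factory=set)    # unused single-use tokens


def issue_token(session: Session) -> str:
    """Mint a single-use token for one form submission (section 1 / 4)."""
    token = secrets.token_urlsafe(16)
    session.tokens.add(token)
    return token


def send_sms_code(session: Session, requested_phone: str, token: str) -> dict:
    """Resend-verification-code endpoint hardened against replay and tampering."""
    # Replay (section 1): token must be known and is consumed on first use.
    if token not in session.tokens:
        return {"ok": False, "error": "invalid or reused token"}
    session.tokens.discard(token)
    # Tampering (section 3): the phone the client sends must match the
    # credential stored in the session; the client value is never trusted.
    if requested_phone != session.phone:
        return {"ok": False, "error": "phone does not match account"}
    return {"ok": True, "sent_to": session.phone}


def get_order(session: Session, orders: dict, order_id: int) -> dict:
    """Object lookup hardened against traversal (section 2 / 4)."""
    order = orders.get(order_id)
    if order is None or order["owner"] != session.user_id:
        # Same response for missing and foreign ids, so ids cannot be enumerated.
        return {"ok": False, "error": "not found"}
    return {"ok": True, "order": order}


if __name__ == "__main__":
    # Constructed sample data.
    s = Session(user_id=7, phone="+10000000001")
    orders = {1: {"owner": 7, "item": "book"}, 2: {"owner": 8, "item": "pen"}}
    t = issue_token(s)
    print(send_sms_code(s, "+10000000001", t))   # ok
    print(send_sms_code(s, "+10000000001", t))   # rejected: token reused
    print(get_order(s, orders, 2))               # rejected: owned by user 8
```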


Origin blog.csdn.net/liushulin183/article/details/82391290