Impact
Because APIs are well-defined interfaces, they let attackers bypass the user interface and interact directly with backend data and services [S1]. This can lead to unauthorized data leakage, account takeover by brute force, or denial of service through resource exhaustion [S3][S5].
Root Cause
The root cause is the exposure of internal logic through endpoints that lack sufficient validation and protection [S1]. Developers often assume that a feature which is not visible in the UI is safe, which results in broken access control [S2] and permissive CORS policies that trust too many origins [S4].
Key API Security Checklist
- **Enforce Strict Access Control**: Every endpoint must verify that the requester holds the appropriate permissions for the specific resource being accessed [S2].
- **Apply Rate Limiting**: Protect against automated abuse and DoS attacks by limiting the number of requests a client can make within a given time window [S3].
- **Configure CORS Correctly**: Avoid the wildcard origin (`*`) on authenticated endpoints. Declare the exact allowed origins to prevent cross-origin data leakage [S4].
- **Audit for Hidden Endpoints**: Regularly scan for "hidden" or undocumented endpoints that may expose sensitive functionality [S1].
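As an added illustration of the CORS item above (example code written for this page, not FixVibe's own checks), the helper below contrasts the weak pattern of reflecting any `Origin` with credentials against an exact allow-list match; the origins in `ALLOWED_ORIGINS` are constructed placeholders.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list for illustration; replace with the real front-end origins.
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com"}


def weak_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """The anti-pattern: reflect whatever Origin arrives and allow credentials.

    Any site the victim visits can then read authenticated API responses,
    which is the cross-origin data leakage the checklist warns about.
    """
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin: Optional[str], allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return CORS headers only for an exact allow-list match.

    The Origin header is normalised to scheme://host[:port] and compared as a
    whole string, so look-alike hosts (https://app.example.com.evil.test),
    http:// downgrades and the literal "null" origin are all refused.
    An empty dict means: send no CORS headers, which the browser treats as a
    cross-origin denial while same-origin requests keep working.
    """
    if not origin:
        return {}
    parts = urlsplit(origin)
    # A real Origin value never carries a path or query; anything else is malformed.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    normalised = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalised not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        # Vary stops a shared cache from replaying one origin's answer to another.
        "Vary": "Origin",
    }
```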
How FixVibe tests this
FixVibe now covers this checklist through several live checks. Feature-gated active checks test endpoint rate limiting, CORS, CSRF, SQL injection, flooding weaknesses, and other API-facing issues, and only after authentication. Passive checks inspect security headers, public API documentation and OpenAPI specs, and secrets in client bundles. Repo scans add code-level risk review for insecure CORS, raw SQL, weak JWT secrets, JWT-only usage, webhook signature use, and dependency issues.
