REST API Review: Unexpected Security Lessons

-
While I was building the project, I wanted to review the REST API again and I found the good resources to study it. Instead of me explaining all about REST API, I would like to share this website.

https://www.freecodecamp.org/news/build-consume-and-document-a-rest-api/

What I honestly didn't know about in REST API is:
  • Security concerns: REST APIs can be vulnerable to security attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF) if not implemented properly.

then why is it so?


Cross-Site Scripting (XSS)

  • How it works:

    • XSS occurs when malicious scripts are injected into web applications that other users view.
    • In the context of REST APIs, if an API accepts user-supplied data (e.g., in a request body or query parameter) and doesn't properly sanitize it before returning it in a response, that data could contain malicious JavaScript.
    • When a client-side application (like a web browser) receives the API response and renders it, the injected script executes, potentially stealing sensitive data (like cookies or session tokens) or performing unauthorized actions.

  • Why REST APIs are vulnerable:

    • REST APIs often return data in formats like JSON or XML, which can be easily parsed and manipulated by client-side JavaScript.
    • If the API doesn't encode or sanitize user-supplied data before including it in the response, it becomes a vector for XSS attacks.
    • Many APIs are designed to be used by web applications, therefore the data they provide will be rendered into a web page.

  • Example:

    • Imagine an API that returns user comments. If a user submits a comment containing <script>alert('XSS');</script>, and the API returns this comment without proper sanitization, any client-side application displaying the comment will execute the alert.

Cross-Site Request Forgery (CSRF)

  • How it works:

    • CSRF exploits the trust a website has in a user's browser.
    • An attacker tricks a user into performing an unwanted action on a website where they're currently authenticated.
    • This is done by embedding malicious code (e.g., in an image tag or a hidden form) on a website the attacker controls.
    • When the user visits the attacker's website, the malicious code sends a request to the vulnerable website, leveraging the user's existing authentication.

  • Why REST APIs are vulnerable:

    • REST APIs often rely on browser-based authentication (like cookies).
    • If an API endpoint performs state-changing operations (like creating, updating, or deleting data) and doesn't implement CSRF protection, an attacker can craft a request that triggers these operations.
    • If the API relies solely on cookies for authentication, and does not check for other security tokens, then any request from the users browser will contain the authentication cookie, and therefor be valid.


  • Example:

    • Imagine a banking API with an endpoint /transfer?to=attacker&amount=1000. An attacker can embed an image tag like <img src="bank.com/transfer?to=attacker&amount=1000"> on their website. If a logged-in user visits the attacker's website, their browser will automatically send the request to the banking API, transferring money to the attacker.

Comments

Post a Comment

Popular posts from this blog

@ModelAttribute vs @RequestBody in Validation

-
Image
1. What is @ModelAttribute? What does it do? @ModelAttribute is primarily used to bind request data like HTML form data or query parameters (e.g., ?name=abc&price=100) to objects. In other words, it converts data entered by users in forms into objects that can be easily handled by controllers. How does it work? It maps HTTP request parameters (e.g., name, price) individually to object properties on a field-by-field basis. For example, if an ItemSaveForm object has name and price fields, request parameters name="book" and price=1000 would be set as itemSaveForm.setName("book"), itemSaveForm.setPrice(1000). Important characteristic : Even if there's a problem with one field (e.g., price has an invalid value like "abc" that can't be converted to a number), the other fields (e.g., name) are still bound normally. It has a structure that can partially succeed. Advantages: Flexibility: Since it processes on a field-by-field basis, even if certain fiel...
Read more

Side Project(a self-imposed 3-day "Hackathon" challenge)

-
Excited to share my side project(a self-imposed 3-day "Hackathon" challenge! 🤣) built with React, TypeScript, Node.js, and Express.js! I created this app for my wife to help her study Korean, using a custom CSV dataset I generated with Grok 3. Right now, she’s using it locally on her laptop, and it’s been a great tool for her learning journey. If you’re interested in learning Korean in English, I think this could be a helpful resource! Check out the GitHub repository here: https://github.com/bitcham/Korean?tab=readme-ov-file Open to feedback! Let me know what you think.
Read more

Google: The King is Back

-
When OpenAI released ChatGPT, many believed Google had been dethroned from its position as the king of AI. However, without much fanfare, Google has been steadily driving innovation in artificial intelligence. Not just in models, but also in features and practical applications. As the giant behind platforms like Google Maps, YouTube, and Google Search, Google is now shining brightly in the realm of multimodal AI generation. In this post, I’d like to dive into Google’s recent AI advancements, spotlighting Gemini 2.0, Gemma 3, and the exciting features of the Gemini App. Gemini 2.0: Mastering Image Manipulation and Generation Gemini 2.0 is a powerhouse AI model that takes image manipulation and generation to the next level. It can effortlessly edit and enhance photos by removing unwanted objects, reshaping elements, or even creating realistic passport photos from existing images. This impressive capability stems from Google’s use of Tensor Processing Units (TPUs), which optimize learni...
Read more