September 2017
Intermediate to advanced
244 pages
6h 44m
English
Insecure direct object reference refers to getting or providing sensitive information based on data coming from Request. This is not a problem in only RESTful web services but also in websites. To understand that, let's consider an example:
Let's say we are going to change a user's first name or billing address. It is better to refer it to an endpoint such as: PATCH /api/users/me?fist_name=Ali (having token in header), rather than PATCH /api/users/2?fist_name=Ali (having token in header).
To let a user modify his/her own data, it will have a token in the header by which a server will make sure that this user can modify a record. But, which record? In the endpoint with me, it will just get a user based on the ...
Read now
Unlock full access