Meta tags:
description= Coding;
Headings (most frequently used words):
js, workshop, the, step, server, client, api, part, code, app, posts, php, bank, demo, version, example, 1️⃣, json, 2️⃣, 3️⃣, vs, python, node, core, mobile, blockchain, breakdown, file, create, anjar, priandoyo, package, openapi, tagged, coding, hello, world, environment, setup, commands, banking, key, audit, takeaways, migration, shoutout, whiteboard, flutter, restaurant, hiking, mountain, apps, py, system, execution, steps, gorm, native, sql, demonstrate, hashing, block, tampering, powerful, for, auditors, chain, validation, optional, proof, of, work, bola, broken, authentication, excessive, data, exposure, categories, tags, top, recent, arsip, blog, stats, contact, me,
Text of the page (most frequently used words):
the (138), api (96), app (57), data (51), const (51), for (41), #server (40), res (40), and (39), this (32), req (32), map (31), json (31), workshop (30), express (29), get (27), code (27), user (26), februari (24), maret (24), console (24), log (22), desember (21), with (21), users (21), node (21), web (20), oktober (20), januari (20), backend (20), name (20), what (20), november (19), april (19), mei (19), juni (19), agustus (19), september (19), 2026 (19), coding (19), from (19), error (19), priandoyo (18), juli (18), client (18), audit (18), version (17), port (17), anjar (16), how (16), mobile (16), secure (16), security (15), simple (15), 2015 (14), return (14), block (14), customers (14), run (13), flask (13), folium (13), participants (13), application (13), architecture (13), can (13), structured (13), access (13), weather (13), javascript (13), balance (13), openapi (13), hash (13), bank (13), dalam (12), 2006 (12), 2007 (12), 2008 (12), 2014 (12), 2016 (12), 2017 (12), 2018 (12), 2019 (12), 2020 (12), 2021 (12), 2022 (12), 2023 (12), 2024 (12), 2025 (12), running (12), are (12), apis (12), not (12), system (12), that (12), description (12), now (12), authentication (12), customer (12), tagged (11), import (11), 107 (11), endpoint (11), logic (11), create (11), concept (11), hello (11), style (11), php (11), color (11), token (11), username (11), 2010 (10), 2011 (10), business (10), ditulis (10), written (10), mountains (10), height (10), mountain (10), service (10), systems (10), control (10), leave (10), comment (10), demo (10), html (10), password (10), auditors (10), self (10), com (9), login (9), digital (9), print (9), url (9), key (9), modern (9), only (9), returns (9), using (9), browser (9), body (9), strong (9), https (9), file (9), does (9), 2013 (8), governance (8), risk (8), def (8), display (8), interactive (8), frontend (8), where (8), see (8), python (8), use (8), status (8), basecamp (8), div (8), time (8), swagger (8), 2012 (7), 100 (7), step (7), core (7), marker (7), 106 (7), install (7), single (7), exposure (7), apps (7), example (7), main (7), current (7), path (7), waterfall (7), cibodas (7), leaflet (7), database (7), should (7), params (7), object (7), require (7), response (7), 8000 (7), via (6), email (6), payment (6), list (6), banking (6), public (6), route (6), 3000 (6), build (6), lat (6), lon (6), dependencies (6), google (6), based (6), information (6), real (6), like (6), one (6), start (6), auditor (6), http (6), title (6), mvc (6), page (6), new (6), microservices (6), text (6), button (6), index (6), icon (6), napp (6), find (6), authorization (6), check (6), bob (6), previous_hash (6), result (6), tunnel (6), ojk (6), datetime (6), echo (6), situs (5), 2009 (5), weight (5), testing (5), min_height (5), request (5), __name__ (5), add_to (5), gunung (5), end (5), session (5), becomes (5), these (5), design (5), exposed (5), demonstrates (5), understanding (5), today (5), expose (5), world (5), localhost (5), listen (5), font (5), padding (5), send (5), await (5), internal (5), medium (5), implementation (5), laravel (5), logging (5), validation (5), used (5), you (5), script (5), polyline (5), alertdiv (5), addto (5), cibeureum (5), rest (5), opacity (5), width (5), 10px (5), post (5), broken (5), verify (5), docs (5), alice (5), true (5), npm (5), terminal (5), bypass (5), userid (5), date (5), wordpress (4), through (4), top (4), management (4), development (4), life (4), jsonify (4), highest (4), java (4), popup (4), location (4), visualization (4), requests (4), they (4), understand (4), interface (4), who (4), controls (4), filtering (4), why (4), must (4), without (4), day (4), multiple (4), layer (4), focus (4), environment (4), services (4), instead (4), active (4), view (4), microservice (4), head (4), fetch (4), simulating (4), high (4), spa (4), mpa (4), centralized (4), level (4), controller (4), framework (4), prompt (4), github (4), blue (4), none (4), change (4), add (4), hiking (4), margin (4), border (4), radius (4), flutter (4), monolith (4), changes (4), idea (4), total (4), protection (4), necessary (4), principle (4), missing (4), sensitive (4), account (4), documentation (4), explain (4), chain (4), blocks (4), block1 (4), localtunnel (4), my_key (4), headers (4), axios (4), secret (4), incomingkey (4), valid_api_key (4), part (4), ini (3), langganan (3), atau (3), blog (3), 2004 (3), 2005 (3), fraud (3), case (3), posts (3), yang (3), indonesia (3), science (3), type (3), endpoints (3), dataset (3), will (3), structure (3), clear (3), questions (3), when (3), into (3), insight (3), minimal (3), about (3), software (3), rely (3), between (3), rules (3), learn (3), before (3), shared (3), consistency (3), way (3), responses (3), returned (3), concepts (3), during (3), designed (3), setup (3), volcanoes (3), all (3), package (3), calls (3), usd (3), rate (3), rain (3), low (3), question (3), notes (3), distributed (3), scaling (3), pattern (3), depends (3), navigation (3), coupling (3), rendering (3), pages (3), purpose (3), statusdiv (3), else (3), red (3), 7562 (3), 9930 (3), bindpopup (3), goal (3), 7454 (3), 0011 (3), area (3), telaga (3), biru (3), 7395 (3), 0018 (3), markers (3), line (3), coordinates (3), opentopomap (3), alert (3), class (3), box (3), trail (3), overlay (3), white (3), background (3), href (3), telaga_biru (3), include (3), docker (3), discussion (3), handling (3), postman (3), same (3), restaurant (3), figma (3), clean (3), category (3), likes (3), cards (3), header (3), source (3), fields (3), record (3), excessive (3), uses (3), identity (3), 403 (3), allowed (3), bola (3), attacks (3), requester (3), specific (3), stack (3), swaggerui (3), 404 (3), found (3), previous (3), blockchain (3), block2 (3), pays (3), transaction (3), genesis (3), integrity (3), hashlib (3), first (3), native (3), 8080 (3), message (3), bank_api_url (3), userdata (3), accounts (3), bash (3), dengan (2), wajib (2), komentar (2), berlangganan (2), buat (2), gratis (2), contact (2), 117 (2), 111 (2), 112 (2), arsip (2), evolution (2), music (2), study (2), engineering (2), never (2), apply (2), gaji (2), sustainability (2), sleep (2), monthly (2), language (2), minggu (2), ngrok (2), filtered (2), available (2), west (2), home (2), run_with_ngrok (2), zoom_start (2), simulation (2), pip (2), colab (2), working (2), more (2), once (2), abstract (2), professionals (2), better (2), stored (2), visualized (2), something (2), dashboards (2), platforms (2), organizations (2), matters (2), work (2), many (2), communication (2), teams (2), layers (2), live (2), interact (2), immediately (2), impact (2), organized (2), enables (2), integration (2), programming (2), simply (2), outside (2), clearly (2), made (2), parameters (2), each (2), has (2), powerful (2), interaction (2), building (2), installation (2), just (2), learning (2), its (2), scripts (2), internally (2), fxdata (2), weatherdata (2), family (2), arial (2), fxresponse (2), weatherresponse (2), async (2), 000 (2), scalability (2), simplicity (2), best (2), fintech (2), common (2), routing (2), performance (2), complexity (2), model (2), mostly (2), state (2), partial (2), full (2), reload (2), every (2), centric (2), dynamic (2), content (2), ruby (2), vue (2), angular (2), react (2), mode (2), sample (2), weak (2), another (2), demonstrate (2), copy (2), paste (2), setstyle (2), innertext (2), document (2), getelementbyid (2), weatheralert (2), function (2), togglealert (2), trailpoints (2), draw (2), 7513 (2), 9958 (2), define (2), tiles (2), 745 (2), 001 (2), unpkg (2), dist (2), mvp (2), bold (2), 8px (2), blink (2), css (2), codepen (2), fastest (2), even (2), creating (2), studio (2), green (2), platform (2), maps (2), library (2), kamis (2), hands (2), order (2), databases (2), logs (2), network (2), observability (2), external (2), transactions (2), codespaces (2), submit (2), floating (2), opens (2), form (2), material (2), avatar (2), timestamp (2), tag (2), dashboard (2), kpi (2), ideas (2), innovation (2), hub (2), claude (2), optional (2), simulated (2), dartpad (2), shoutout (2), whiteboard (2), target (2), safeusers (2), required (2), minimization (2), proper (2), tokens (2), forbidden (2), issue (2), but (2), 3️⃣ (2), mechanisms (2), predictable (2), 2️⃣ (2), parseint (2), 1️⃣ (2), may (2), parameter (2), ids (2), perspective (2), project (2), configuration (2), contract (2), specification (2), charlie (2), contains (2), defines (2), summary (2), retrieve (2), 200 (2), mining (2), false (2), validate_chain (2), tampering (2), fingerprint (2), calculate_hash (2), block_string (2), sha256 (2), encode (2), hexdigest (2), then (2), transfer (2), btc (2), hash_result (2), gorm (2), sql (2), jumat (2), curl (2), command (2), npx (2), checkbankbalance (2), user123 (2), call (2), messages (2), catch (2), currency (2), reminder (2), loca (2), acts (2), invalid (2), mock (2), truth (2), holds (2), back (2), observe (2), runs (2), custom (2), production (2), breakdown (2), represents (2), accessed (2), out (2), installs (2), cloud (2), tolocaletimestring (2), strftime (2), __main__ (2), host (2), mulai, rancang, seperti, nama, surel, tulis, memuat, ciutkan, bilah, kelola, lihat, pembaca, laporkan, isi, masuk, daftar, privasi, sudah, punya, akun, sekarang, daftarkan, saya, bergabung, 457, pelanggan, lain, tema, journalist, gmail, 130, 152, hits, stats, 115, 109, 128, 122, 114, 102, 104, 110, 105, 133, 116, 101, 119, 137, 166, pilih, bulan, mediation, ikan, bakar, pak, tardjo, speak, symbol, social, penipuan, manajemen, risiko, pengelolaan, bpr, afternoon, walk, prevention, pay, upfront, over, demand, recent, perlukah, sinar, mas, telecom, cara, membasmi, tikus, untung, rugi, kuliah, kritik, bus, coyo, sudut, tajam, berbahaya, antara, hino, dan, mercedes, suara, hati, trainee, bri, kecewa, berapa, engineer, itu, tips, interview, prospek, bekerja, perkebunan, perhutanan, pelajaran, dari, calon, pegawai, chevron, gundah, tambang, non, migas, studi, kasus, comnets, plus, yearly, weekly, video, verses, trip, transport, touring, swimming, standard, sport, sociology, retirement, relationship, race, quote, queue, psychology, property, politics, podcast, pmi, planning, photo, parenting, organization, movie, money, meme, medicine, media, literature, law, islam, isaca, intelligence, infrastructure, graduate, government, food, expense, education, crime, correlation, conference, coffee, chore, certification, calorie, book, art, accounting, 500, 400, 300, tags, 331, uncategorized, 915, society, 962, 749, 463, health, 489, career, 226, categories, cari, untuk, entri, lama, wait, below, nstarting, max, lambda, highest_mountain, args, int, get_mountains, flask_ngrok, tooltip, ngenerating, loaded, tangkuban, perahu, 2084, papandayan, 2665, pangrango, 3019, gede, 2958, ciremai, 892, 108, 406, 3078, quiet, cell, outcome, have, built, functioning, importantly, behind, transformation, stops, being, understandable, also, helps, ask, applied, risks, introduced, decision, tool, transform, raw, intuitive, actionable, reflects, operate, becoming, developer, consume, reporting, depend, improves, technology, separates, two, important, implement, reinforces, displays, receives, formats, automation, there, scalable, controlled, functionality, boundary, tangible, query, visualize, participant, mini, accessible, because, combines, small, experience, geography, most, applications, commerce, yet, feel, remove, abstraction, explaining, slides, alone, scratch, complex, practical, hosts, representing, worldwide, island, senin, module, integrates, demonstration, 40px, difficulty, maintainability, 1995, popular, clarity, concentration, large, maintainable, saas, traditional, enterprise, layered, modular, possible, horizontal, vertical, publicly, often, hidden, fast, slower, heavy, decoupling, loose, tight, managed, side, ajax, update, yes, separation, concerns, primary, philosophy, architectural, separating, responsibilities, updated, loads, multi, dimension, spring, asp, net, rails, typescript, django, ssr, prefer, hoping, teach, please, some, dsiplay, making, help, very, files, spaces, rabu, danger, storming, trek, lake, viewpoint, register, here, panyangcangan, junction, attribution, tilelayer, tile, org, png, topographic, setview, initialize, onclick, simulate, warning, seek, shelter, size, 12px, 666, 4px, cursor, pointer, 2ed573, keyframes, animation, infinite, 5px, ff4757, shadow, 2px, rgba, 220px, 15px, position, absolute, left, 50px, 1000, 100vh, sans, serif, link, rel, stylesheet, meta, viewport, device, initial, scale, doctype, interesting, show, centered, kotlin, next, nuxt, jquery, leafletjs, bogor, areas, alerts, terrain, demonstrations, separate, deployable, units, inter, dependency, eventual, ownership, monitoring, failure, limiting, input, codebase, deployment, wide, backup, recovery, monolithic, menu, process, different, architectures, sabtu, prior, 47363702, site, modal, board, artifacts, c42a5fef, 1e21, 4e1a, a226, 0cc4cc964a77, premium, rounded, corners, soft, shadows, spacing, clutter, smooth, layout, dark, toggle, action, bottom, sheet, everything, purposes, showcase, quality, suitable, presentation, zapp, called, simulates, mainly, visual, progress, scrollable, showing, fully, memory, needed, gist, 8e04b30f77283523d51635eef7dd67be, keyword, dart, 213, brainstorming, which, topic, want, authenticateuser, generatesecuretoken, verifies, logged, returning, vulnerable, leads, vulnerabilities, identified, owasp, enforce, three, minimum, role, resistant, brute, force, comparison, simplistic, issues, always, validate, corresponding, takes, entire, including, passwords, further, than, such, mfa, mechanism, checks, attackers, impersonate, perform, takeover, verification, properly, protect, owns, permission, other, modifying, lead, privacy, breaches, regulatory, violations, whether, authorized, means, oas, infra, ubuntu, x86_64, runtime, container, devcontainer, interfacetechnology, uiendpoints, idswagger, load, parse, readfilesync, would, come, 5000, 7200, endpointthis, provides, serve, resources, started, actual, implemented, teaching, point, info, gateway, servers, paths, successful, their, identifier, schema, integer, documents, behave, author, license, mit, selasa, keep, light, attack, expensive, exists, while, startswith, 0000, proof, output, range, len, validator, detects, automatically, mismatch, recalculate, modify, visually, number, field, __init__, str, completely, hashlibdata, hashing, orm, relational, mapper, orms, allow, developers, objects, queries, row, queryrow, select, migration, credit, burp, suite, advanced, jmeter, third, configure, second, open, execution, steps, execute, connection, stringify, detected, leak, details, holder, displaying, tells, requesting, try, rotten, onions, replace, your, consumer, makes, across, unauthorized, provided, valid, origin, toisostring, sent, siem, splunk, elk, section, 50000, enforces, least, privilege, appears, contain, happens, changed, following, takeaways, reveal, too, much, technical, traces, potential, attacker, interstitials, presents, credentials, handshake, destination, ensure, prevent, man, middle, mitm, front, ensures, callers, pass, records, critical, incident, forensics, follow, standardized, naming, convention, encrypted, masked, balances, export, sheets, implementing, band, retrieves, mytunnelpassword, perimeter, connectivity, creates, local, consumption, talk, starts, supply, shell, eliminate, hurdles, commands, guide, policy, makers, mechanics, networking, financial, protected, python3, needs, handle, easily, was, specifically, spit,
Text of the page (random words):
h m s return f h1 hello ojk h1 p running on b python b p p time now p if __name__ __main__ app run host 0 0 0 0 port 8000 how to run it bash pip install flask python3 server py 3 the node js version server js node js uses express the same one we used for the bank api const express require express const app express app get req res const now new date tolocaletimestring res send h1 hello ojk h1 p running on b node js b p p time now p app listen 8000 console log server running on port 8000 the code javascript const express require express const app express app get req res const now new date tolocaletimestring res send h1 hello ojk h1 p running on b node js b p p time now p app listen 8000 console log server running on port 8000 how to run it bash npm install express node server js written by anjar priandoyo jumat maret 13 2026 at 5 24 am ditulis dalam life tagged with coding bank js client js api workshop leave a comment this guide is designed for it auditors and policy makers to understand the mechanics of api security networking and audit logging by simulating a bank api and a mobile client participants learn how financial data is protected and accessed in a cloud native environment part 1 environment setup commands participants will use a web based terminal google cloud shell or github codespaces to eliminate installation hurdles command purpose auditor s perspective npm install express installs the web framework for the api understanding the software supply chain and dependencies node bank js starts the core banking api server simulating the internal production environment npm install axios installs the http client library for the app understanding how apps talk to external services node client js runs the mobile banking application simulating user interaction and api consumption npx localtunnel port 8080 creates a public url for the local server understanding connectivity and perimeter security curl https loca lt mytunnelpassword retrieves the tunnel bypass password ip implementing out of band authentication export to sheets part 2 the core banking api bank js this file represents the back end system it holds the source of truth account balances code breakdown const accounts a mock database in an audit we verify if data at rest is encrypted or masked app get api balance userid the endpoint the userid is a dynamic parameter auditors check if these endpoints follow a standardized naming convention console log audit this is audit logging it records who accessed what and when this is critical for post incident forensics if incomingkey valid_api_key this is authentication it ensures only callers with the shared secret can pass part 3 the mobile client client js this file represents the front end application mobile app code breakdown const bank_api_url the target destination in a production audit we ensure this uses https to prevent man in the middle mitm attacks headers x api key my_key the security handshake the client presents its credentials to the bank bypass tunnel reminder true a custom header used to bypass security interstitials this demonstrates how apis use custom headers for specific routing or security logic catch error error handling auditors check if error messages reveal too much technical information e g stack traces to a potential attacker part 4 key audit takeaways during the workshop participants should observe the following access control what happens if my_key is changed response 403 forbidden data integrity if we change the balance in bank js does the client see it immediately observability observe the bank js terminal every time the client runs a new audit log appears does this log contain the requester s ip least privilege does the api send back only what is necessary name balance or does it expose internal database ids code file 1 bank js the core system this script acts as the server it holds the sensitive data and enforces access control javascript const express require express const app express const port 8080 app use express json the shared secret for authentication const valid_api_key audit workshop secret 2026 mock database source of truth const accounts user123 name mr anjar priandoyo balance 50000 currency usd security and data endpoint app get api balance userid req res const incomingkey req headers x api key audit logging section in a real audit these logs are sent to a siem like splunk or elk console log audit new date toisostring request for id req params userid console log audit origin ip req ip console log audit api key provided incomingkey valid_api_key valid invalid access control check if incomingkey valid_api_key return res status 403 json error unauthorized invalid api key const userdata accounts req params userid if userdata res json userdata else res status 404 json error user not found app listen port console log bank api active on port port file 2 client js the mobile app this script acts as the consumer it makes the network call across the tunnel to fetch data javascript const axios require axios replace this with your current localtunnel url const bank_api_url https rotten onions sleep loca lt const my_key audit workshop secret 2026 async function checkbankbalance id try console log mobile app requesting balance for id const response await axios get bank_api_url api balance id headers x api key my_key bypass header tells localtunnel this is a script not a browser bypass tunnel reminder true const result response data displaying the result to the user console log console log mobile banking app console log console log account holder result name console log current balance result balance result currency console log catch error error handling auditors check if error messages leak sensitive server details console error error detected if error response console error status code error response status console error message json stringify error response data else console error connection message error message execute the call checkbankbalance user123 workshop execution steps start the bank in the first terminal run node bank js open the tunnel in a second terminal run npx localtunnel port 8080 configure the app copy the url from the tunnel and paste it into client js run the app in a third terminal run node client js postman interactive api testing curl command line api calls burp suite advanced security testing jmeter performance testing bank api payment api account api credit api fintech integration api written by anjar priandoyo jumat maret 13 2026 at 4 42 am ditulis dalam life tagged with coding payment migration leave a comment gorm db where email email first user native sql row db queryrow select id name email from users where email email gorm is an orm object relational mapper for go orms allow developers to interact with databases using programming objects instead of sql queries written by anjar priandoyo kamis maret 12 2026 at 9 28 am ditulis dalam science tagged with coding blockchain workshop leave a comment step 1 demonstrate hashing first concept auditors must understand hash digital fingerprint example python code import hashlibdata transfer 10 btc from alice to bob hash_result hashlib sha256 data encode hexdigest print transaction data print hash hash_result then change the transaction transfer 100 btc from alice to bob hash changes completely this demonstrates integrity control step 2 create a block then build a block structure class block def __init__ self index data previous_hash self index index self data data self previous_hash previous_hash self hash self calculate_hash def calculate_hash self import hashlib block_string str self index self data self previous_hash return hashlib sha256 block_string encode hexdigest explain to auditors a block contains field purpose index block number data transactions previous hash chain integrity hash block fingerprint step 3 create blockchain genesis block 0 genesis block 0 block1 block 1 alice pays bob 10 genesis hash block2 block 2 bob pays charlie 5 block1 hash print block1 hash print block2 hash explain visually block 0 block 1 block 2 step 4 tampering demo powerful for auditors now modify the transaction alice pays bob 100 recalculate result block1 hash changes block2 previous_hash mismatch explain blockchain detects tampering automatically this is the audit insight step 5 chain validation create a validator def validate_chain blocks for i in range 1 len blocks current blocks i previous blocks i 1 if current previous_hash previous hash return false return true auditors run validate_chain chain output true false step 6 optional proof of work demo simple mining demo while not hash startswith 0000 explain why mining exists why attack is expensive but keep it light for auditors written by anjar priandoyo selasa maret 10 2026 at 5 07 pm ditulis dalam science tagged with coding api workshop code leave a comment 1️⃣ package json this defines the project configuration and dependencies name api workshop version 1 0 0 description simple openapi express api for it auditor workshop main server js scripts start node server js author api workshop license mit dependencies express 4 18 2 swagger ui express 4 6 3 participants run npm install npm start 2️⃣ openapi json this file is the api contract it documents how the api should behave openapi 3 0 0 info title customer api version 1 0 0 description example api used in an openapi and api gateway workshop for it auditors servers url description current server paths customers get summary retrieve list of customers description returns a list of all customers stored in the system responses 200 description successful response with list of customers customers id get summary retrieve a specific customer description returns information about a customer using their id parameters name id in path description customer identifier required true schema type integer responses 200 description customer information returned 404 description customer not found key teaching point openapi defines what the api should do not how it is implemented 3️⃣ server js this file contains the actual api implementation api workshop server this server demonstrates 1 simple rest api 2 openapi documentation 3 swagger ui testing interfacetechnology stack node js express swagger uiendpoints get customers get customers idswagger documentation get docs const express require express const swaggerui require swagger ui express const fs require fs const app express const port 3000 load openapi specification const openapi json parse fs readfilesync openapi json sample data in real systems this would come from a database const customers id 1 name alice balance 5000 id 2 name bob balance 3000 id 3 name charlie balance 7200 swagger ui endpointthis provides interactive api documentation app use docs swaggerui serve swaggerui setup openapi home page app get req res res send h2 api workshop server h2 p this server demonstrates a simple openapi express api p h3 available resources h3 ul li a href docs swagger api documentation a li li a href customers customer api a li ul endpoint get all customers app get customers req res res json customers endpoint get customer by id app get customers id req res const id parseint req params id const customer customers find c c id id if customer return res status 404 json error customer not found res json customer start server app listen port console log console log api workshop server started console log console log server url http localhost port console log swagger docs http localhost port docs infra os ubuntu 22 04 architecture x86_64 runtime node js 18 20 container docker based devcontainer stack node js express js swagger ui openapi specification oas file package json project configuration dependencies openapi json api contract server js api implementation logic secure coding concept security issue what it means risk from governance perspective example in demo code what is missing secure coding principle broken object level authorization bola the system does not verify whether a user is authorized to access a specific object or record users may access other users data by modifying ids in requests this can lead to privacy breaches and regulatory violations endpoint get users id in server js the code returns a user based only on the id parameter missing authorization check to verify the requester owns the object or has permission to access it broken authentication the system does not properly verify or protect user identity during login or session management attackers can impersonate users perform account takeover or access systems without proper identity verification endpoint post login in server js the login mechanism simply checks username and password and returns a predictable token missing secure authentication mechanisms such as strong tokens session validation mfa and login protection excessive data exposure the api returns more data than necessary for the client application sensitive information e g passwords internal data may be exposed and used for further attacks endpoint get users in server js the api returns the entire user object including sensitive fields missing data filtering data minimization the api should only return necessary fields where participants can see this in the code 1️⃣ bola example in the demo code app get users id req res const id parseint req params id const user users find u u id id res json user what the code does takes the id from the request returns the corresponding user what it does not do verify that the requester is allowed to access that user secure coding principle always validate authorization at the object level 2️⃣ broken authentication example in the login endpoint app post login req res const username password req body const user users find u u username username u password password const token token user id res json token issues password comparison is simplistic token is predictable no session security no brute force protection secure coding principle authentication mechanisms must be strong secure and resistant to attacks 3️⃣ excessive data exposure example in the endpoint app get users req res res json users this returns id username password role balance but a real application should only return something like id username secure coding principle only expose minimum necessary data to the client secure apis must enforce three core controls control security question authentication who are you authorization what are you allowed to access data protection what information should you see weak implementation of these controls leads to common vulnerabilities identified by the owasp security issue before vulnerable code secure code concept what the secure version does broken object level authorization bola javascript napp get users id req res n const user users find u u id req params id n res json user n n authorization check the secure version verifies the logged in user is allowed to access that record before returning it secure version javascript napp ge...
|