Consider a simple resource like products in a web application. If someone gets hold of the access token and the resource id, they can easily delete a resource. How can we protect against such attacks?
What are the things that need to be considered while deleting a resource through an API?
117 Views. Asked by arya.s
For regular users, you shouldn’t grant delete privileges on tables such as products. This should be restricted to admin users.
If your admin account needs to delete products over an API, then yes, if an access token is disclosed, your products are vulnerable to deletion. Best defences are
Have a look at OAuth2 access tokens.
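As an added illustration (not code from the question or the answer), here is a small Python model of the checks a DELETE /products/{id} handler should make before acting on a bearer token: token expiry, an explicit delete scope on the token, admin role or ownership of the resource, soft deletion, and an audit trail. The claim names, scope string and sample data are assumptions constructed for the example.

```python
"""Authorization gate for a DELETE /products/{id} endpoint (illustrative model)."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenClaims:
    """Subset of OAuth2 access-token claims the handler relies on (assumed names)."""
    sub: str            # subject: the authenticated user id
    scopes: frozenset   # e.g. {"products:read", "products:delete"}
    roles: frozenset    # e.g. {"admin"}
    exp: int            # expiry as a Unix timestamp


@dataclass
class Product:
    id: str
    owner_id: str
    deleted: bool = False   # soft-delete flag, so a mistaken delete is recoverable


def authorize_delete(claims, product):
    """Deletion requires the admin role or ownership of the specific product."""
    return "admin" in claims.roles or claims.sub == product.owner_id


def handle_delete(claims, store, product_id, audit_log, now=None):
    """Return the HTTP status a DELETE request would get. Missing and forbidden
    both answer 404 so a leaked token cannot be used to enumerate product ids."""
    now = int(time.time()) if now is None else now
    if claims.exp <= now:
        return 401                       # expired token: caller must re-authenticate
    if "products:delete" not in claims.scopes:
        return 403                       # token was never issued for deletion
    product = store.get(product_id)
    if product is None or product.deleted or not authorize_delete(claims, product):
        audit_log.append((claims.sub, product_id, "denied"))
        return 404
    product.deleted = True               # soft delete rather than a destructive DELETE
    audit_log.append((claims.sub, product_id, "deleted"))
    return 204


def make_store():
    """Constructed sample data: two products with different owners."""
    return {"p1": Product("p1", owner_id="alice"), "p2": Product("p2", owner_id="bob")}
```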