DEV Community

Discussion on: RESTful Security: Plug the Leaks!

Jon Mårdsjö • Edited

Not to say this is not important, but there is more to it if you want to plug the informational leaks in a serious way.

Using the same example as in the OP, let's say example.com/api/accounts/300 and 301 both return the same HTTP code. Another thing to think about then is timing -- let's say an attacker can do a thousand requests for each of the accounts.

If they find that on average accounts 301, 302 and 304 take 10ms, but 300, 303 and 305 take 8.5ms -- then they have found that there's a difference. Perhaps the backend code is written so that if you find that the account exists, you do a credentials check; but if the account doesn't exist you skip the credentials check. Then an attacker can still know whether the account exists or not, given the timings.

Jon Mårdsjö

Btw this is also the reason why checking an auth token with == is not a valid practice -- you have to use a "time-secure" comparison.
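The two points raised in these comments, shown together in added example code (not from the original post, the article, or the commenter): a login handler that returns the same status code for "account missing" and "wrong password" but only pays for the password check when the account exists, next to a version that does the same work on every request and compares digests in constant time. The in-memory account table, the PBKDF2 cost, the dummy record, the `kdf_calls()`/`bytes_compared()` counters and `median_ms()` are all assumptions made here for illustration; account numbers follow the comment (301, 302 and 304 exist, 300, 303 and 305 do not).

```python
"""Added example: same status code, different timing, and the constant-work fix."""
import hashlib
import hmac
import secrets
import statistics
import time

KDF_ITERATIONS = 20_000  # assumed cost; enough that the asymmetry is measurable


def _kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS)


# Constructed data, matching the comment: 301, 302 and 304 exist, 300, 303 and 305 do not.
ACCOUNTS = {}
for _acct in (301, 302, 304):
    _salt = secrets.token_bytes(16)
    ACCOUNTS[_acct] = (_salt, _kdf(b"correct horse battery staple", _salt))

# Dummy record so the missing-account path can do exactly the work a real one does.
DUMMY_SALT = secrets.token_bytes(16)
DUMMY_HASH = _kdf(b"placeholder", DUMMY_SALT)

# Assumed instrumentation: count expensive steps so the leak is visible without a stopwatch.
_kdf_calls = 0
_bytes_compared = 0


def kdf_calls() -> int:
    return _kdf_calls


def bytes_compared() -> int:
    return _bytes_compared


def _counted_kdf(password: bytes, salt: bytes) -> bytes:
    global _kdf_calls
    _kdf_calls += 1
    return _kdf(password, salt)


def naive_equal(a: bytes, b: bytes) -> bool:
    """What an ==-style comparison does: stop at the first differing byte,
    so the work (and time) grows with the length of the correct prefix."""
    global _bytes_compared
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        _bytes_compared += 1
        if x != y:
            return False
    return True


def leaky_login(account_id: int, password: bytes) -> int:
    """Missing account and wrong password both return 401, but only the
    existing-account path runs the KDF and the comparison (the ~8.5ms vs ~10ms gap)."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 401  # fast path: no KDF, no comparison
    salt, expected = record
    if naive_equal(_counted_kdf(password, salt), expected):
        return 200
    return 401


def constant_work_login(account_id: int, password: bytes) -> int:
    """Same status codes; every request runs one KDF and one constant-time compare."""
    salt, expected = ACCOUNTS.get(account_id, (DUMMY_SALT, DUMMY_HASH))
    candidate = _counted_kdf(password, salt)
    matched = hmac.compare_digest(candidate, expected)  # does not exit early on mismatch
    # The dummy record must never authenticate, even if someone sends "placeholder".
    return 200 if (account_id in ACCOUNTS and matched) else 401


def median_ms(handler, account_id: int, rounds: int = 30) -> float:
    """Median wall-clock time for one account, the way an attacker would sample it."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        handler(account_id, b"not the password")
        samples.append((time.perf_counter() - t0) * 1000.0)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_login), ("constant-work", constant_work_login)):
        for acct in range(300, 306):
            print(f"{name:14s} account {acct}: {median_ms(handler, acct):6.2f} ms")
```

Running the module prints a per-account median for both handlers; with the leaky handler the three non-existent accounts cluster well below the three existing ones, with the constant-work handler they do not. The `account_id in ACCOUNTS` guard matters: padding the missing-account path with a dummy KDF only removes the side channel if the dummy can never be turned into a successful login.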