Hi,
Is not an issue w.r.t. authorization based on the principal that
is authenticated?
And/Or do different clients have different sets of buildings?
I guess you can tell from my questions that I do not really understand
your example.
Paul.
On Nov 4, 2009, at 3:35 PM, Jordi Domingo wrote:
> Hi all!
>
> I've found a security hole in my own application that is solved right
> now, but I want to know your thoughts about the best way to validate
> the URL.
>
> For example:
>
> http://localhost:8080/clients/1/buildings/29/floors/9
>
> If we take a look, we see we are asking for the floor 9 in the
> building 29 of the client 1. In my case, all floors have an ID and a
> foreign key to buildings, and buildings have an ID and a foreign key
> to clients.
> To search a floor I just need the floor ID, and if we only validate
> the client ID (1) a malicious user with access to client 2 may
> access floor 9 asking
>
> http://localhost:8080/clients/2/buildings/29/floors/9
>
>
> It's just a demo, but I hope I wrote it well so everybody understands
> it.
>
> My question here is, is the ddbb design bad, or which way do you think will
> be better to validate the URL?
>
> Thanks,
>
> Jordi
>
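The flaw Jordi describes is that the floor lookup uses only the floor ID, so the client ID in the URL is never tied to the row that is returned. The example below is added to this thread and is not code from either poster; it uses a constructed in-memory SQLite schema (hypothetical tables `clients`, `buildings`, `floors` mirroring the foreign keys in the post) and shows the unscoped lookup beside a scoped one that joins floors through buildings to clients and requires every ID in the path, plus the authenticated client, to agree.

```python
import re
import sqlite3

# Path shape from the post: /clients/<id>/buildings/<id>/floors/<id>
PATH_RE = re.compile(r"^/clients/(\d+)/buildings/(\d+)/floors/(\d+)$")


def parse_path(path):
    """Return (client_id, building_id, floor_id) or None if the path is malformed."""
    m = PATH_RE.match(path)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def build_demo_db():
    """Constructed sample data: floor 9 belongs to building 29, which belongs to client 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE clients  (id INTEGER PRIMARY KEY);
        CREATE TABLE buildings(id INTEGER PRIMARY KEY,
                               client_id INTEGER NOT NULL REFERENCES clients(id));
        CREATE TABLE floors   (id INTEGER PRIMARY KEY,
                               building_id INTEGER NOT NULL REFERENCES buildings(id),
                               name TEXT NOT NULL);
        INSERT INTO clients   VALUES (1), (2);
        INSERT INTO buildings VALUES (29, 1), (30, 2);
        INSERT INTO floors    VALUES (9, 29, 'Client 1 floor 9'),
                                     (10, 30, 'Client 2 floor 10');
    """)
    return conn


def get_floor_unscoped(conn, path):
    """The flawed version: only the floor ID reaches the query,
    so the client and building segments of the URL are decorative."""
    ids = parse_path(path)
    if ids is None:
        return None
    _, _, floor_id = ids
    return conn.execute(
        "SELECT id, name FROM floors WHERE id = ?", (floor_id,)
    ).fetchone()


def get_floor_scoped(conn, authenticated_client_id, path):
    """The fixed version: the floor must be reachable from the client
    the caller is authenticated as, via the foreign-key chain."""
    ids = parse_path(path)
    if ids is None:
        return None
    client_id, building_id, floor_id = ids
    # The client in the URL must be the client the session belongs to.
    if client_id != authenticated_client_id:
        return None
    # Every ID in the path must match along the chain floor -> building -> client.
    return conn.execute(
        """
        SELECT f.id, f.name
          FROM floors f
          JOIN buildings b ON b.id = f.building_id
          JOIN clients   c ON c.id = b.client_id
         WHERE f.id = ? AND b.id = ? AND c.id = ?
        """,
        (floor_id, building_id, client_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_demo_db()
    other = "/clients/2/buildings/29/floors/9"   # client 2 asking for client 1's floor
    print("unscoped:", get_floor_unscoped(db, other))          # leaks the row
    print("scoped:  ", get_floor_scoped(db, 2, other))         # None
    print("owner:   ", get_floor_scoped(db, 1, "/clients/1/buildings/29/floors/9"))
```

The scoped query is the part that closes the hole: the schema itself is fine, but each segment of the path has to be checked against the row hierarchy rather than trusted because it appeared in the URL. Doing the join in one query also means a mismatched building ID (say, a floor that exists but under a different building of the same client) is rejected with the same code path, and the `authenticated_client_id` comparison stops a user from simply writing someone else's client ID into the path.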