users@jersey.java.net

Doubt about URL validation

From: Jordi Domingo <noseya_at_hotmail.com>
Date: Wed, 4 Nov 2009 15:35:22 +0100

Hi all!
I've found a security hole in my own application that is solved right now, but I want to know your thoughts about the best way to validate the URL.
For example:
http://localhost:8080/clients/1/buildings/29/floors/9
If we take a look, we see we are asking for floor 9 in building 29 of client 1. In my case, all floors have an ID and a foreign key to buildings, and buildings have an ID and a foreign key to clients. To search a floor I just need the floor ID, and if we only validate the client ID (1), a malicious user with access to client 2 may access floor 9 by asking
http://localhost:8080/clients2/buildings/29/floors/9

It's just a demo, but I hope I wrote it well so everybody understands it.
My question here is: is the database design bad, and which way do you think would be better to validate the URL?
Thanks,
Jordi
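One way to close the hole described in the post, as an added example that is not the poster's code: a Jersey (JAX-RS) resource that checks the whole ownership chain in the URL (client, building, floor) against the row it loads, instead of trusting the floor ID alone. `FloorRepository`, `Floor` and `Building` are hypothetical stand-ins for the poster's own persistence layer; the caller's right to act on `clientId` is assumed to be checked elsewhere, as the poster already does.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

@Path("/clients/{clientId}/buildings/{buildingId}/floors/{floorId}")
public class FloorResource {

    // Hypothetical DAO: findById(long) returns the Floor row or null.
    private final FloorRepository floors;

    public FloorResource(FloorRepository floors) {
        this.floors = floors;
    }

    @GET
    @Produces("application/json")
    public Floor getFloor(@PathParam("clientId") long clientId,
                          @PathParam("buildingId") long buildingId,
                          @PathParam("floorId") long floorId) {
        // The weak pattern from the post: load the floor by its primary key
        // and only check that the caller may see clientId. That never ties
        // floor 9 to building 29 or to client 1, so any client can ask for it.
        Floor floor = floors.findById(floorId);

        // Hardened: every parent key in the URL must match the row's own
        // foreign keys, walking floor -> building -> client.
        if (floor == null
                || floor.getBuilding().getId() != buildingId
                || floor.getBuilding().getClientId() != clientId) {
            // Answer 404, not 403, so a caller cannot probe which floor IDs
            // exist under other clients.
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return floor;
    }
}
```

The same check can be pushed into the query itself (a lookup that joins floor, building and client and filters on all three IDs), which keeps the rule in one place when several resources serve the same rows.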