Open APIs

  • 1.  Security consideration on query resources patterns response

    Posted Feb 16, 2022 10:06
    Hi all,
    please forgive me if this is already posted before.

    After reading the TFM630 document in more detail, I found that the response to a query for multiple resources is a JSON array. Considering the possible security vulnerability in this, please see "Anatomy of a Subtle JSON Vulnerability" on You've Been Haacked:

    "I recently learned about a very subtle potential security flaw when using JSON. While subtle, it was successfully demonstrated against GMail a while back. The post, JSON is not as safe as people think it is, covers it well, but I thought I'd provide step-by-step coverage to help make it clear how the exploit works."


    Would you recommend wrapping the array in an object like:

    {
     "resourceName": [
       {
         "id": "1234",
         ...
       },
       ...
     ]
    }

    If so, will this impact the certification result?

    ------------------------------
    Ellyx Christian
    DGIT
    ------------------------------
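The point of the linked article is that a response whose top level is a bare JSON array is also a syntactically valid JavaScript program, so a hostile page could load it with a <script src=...> tag (sending the victim's cookies) and, in the browsers of that era, hook the Array constructor or property setters to read the values out. Wrapping the array in an object, as proposed above, makes the body a syntax error as a script. The following is an added example, not code from the thread or from the TMF Open API specifications: it checks whether a response body would execute as a script, converts a bare-array body into the wrapped shape, and shows a client-side read that accepts both shapes. The key "resourceName", the sample ids and names are constructed placeholders.

```javascript
// Added example (not from the TMF thread or the TMF620/TMF630 documents).
// Demonstrates why a bare top-level JSON array is "script-executable" and
// why wrapping it in an object is not. Runs in Node or any modern browser.

// Constructed sample response bodies; "resourceName" and the ids are placeholders.
const BARE_ARRAY = '[{"id":"1234","name":"alice"},{"id":"5678","name":"bob"}]';
const WRAPPED =
  '{"resourceName":[{"id":"1234","name":"alice"},{"id":"5678","name":"bob"}]}';

// Returns true when `body` parses as a JavaScript program, i.e. when a
// third-party page could execute it via <script src="https://api.example/..."> .
// new Function() only parses the text; the body is never run.
// A bare array literal is an expression statement and parses; an object
// literal at statement position is read as a block, and `"resourceName":`
// is not a valid statement inside a block, so it fails to parse.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a real error, not a parse failure
  }
}

// Server side: rewrite a bare-array body into the wrapped shape the post proposes.
// Throws if the body is not a top-level array, so it cannot silently double-wrap.
function wrapArrayResponse(body, key) {
  const data = JSON.parse(body);
  if (!Array.isArray(data)) {
    throw new TypeError('expected a top-level JSON array');
  }
  return JSON.stringify({ [key]: data });
}

// Client side: read the collection from either shape. This is the kind of
// tolerant reader a consumer would need during a migration, since switching
// the server to the wrapped shape breaks clients that expect a bare array.
function readCollection(body, key) {
  const data = JSON.parse(body);
  if (Array.isArray(data)) return data;
  if (data !== null && typeof data === 'object' && Array.isArray(data[key])) {
    return data[key];
  }
  throw new TypeError(`response is neither an array nor {"${key}": [...]}`);
}

// Note on the historic exploit: the GMail-era attack hooked Array/setters so
// that evaluating the literal leaked its elements. Current engines do not
// invoke the Array constructor or prototype setters when evaluating literals,
// so the leak itself no longer fires; the check above still tells you whether
// you are relying on that engine behaviour rather than on the response shape.

module.exports = { BARE_ARRAY, WRAPPED, isExecutableAsScript, wrapArrayResponse, readCollection };
```

Running isExecutableAsScript on a real response body from a staging environment is a cheap way to confirm which shape an implementation actually emits; the wrapped shape also leaves room for pagination or total-count metadata next to the array, which a bare array cannot carry.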



  • 2.  RE: Security consideration on query resources patterns response

    Posted Feb 17, 2022 04:40
    Hi
    Thanks for bringing this to our attention, clearly security is very important.
    With that, bear in mind that the TMF Open APIs are not expected to be invoked directly from browsers. Rather, other backends are more likely.
    Changing the output from an array to have another structure will break existing implementations of APIs.

    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------