Stream: bulk data
Topic: Security
Grahame Grieve (Apr 07 2022 at 14:21):
I just watched a walk-through of a hack on a bulk data interface by Inon Shkedy, one of the authors of the OWASP Top Ten. Not a FHIR bulk data interface, but one that's somewhat similar.
The vulnerability he found involved the interplay between the way the API used Amazon S3 and the way it validated requests. The clear intent of the API developer was that using UUID ids meant they couldn't be hacked... well, no.
I thought that this would be an opportune point to remind people: ensure that you validate every request against the user token, and be very suspicious of providing files through S3 (or any other bucket) and assuming that people can't guess UUIDs and so that's an acceptable level of security.
Josh Mandel (Apr 07 2022 at 14:29):
When you say UUIDs, you're not talking about high entropy URLs in general? Interested to understand more here; would be great if you can link to details.
Grahame Grieve (Apr 07 2022 at 15:08):
Yes, high entropy APIs in general.
Grahame Grieve (Apr 07 2022 at 15:08):
It was a presentation made at APISecure. Don't know if it will be published. See https://apisecure.co
Grahame Grieve (Apr 07 2022 at 15:10):
Something in the design allowed Inon to find out the id of a file that belonged to another account. That was a design fault, but that really was his point: entropy leaks, and bingo.
John Moehrke (Apr 07 2022 at 15:43):
I suspect that you will see details of this kind of attack in an upcoming OWASP version. The presenter was one of the OWASP authors, and he indicated a revision is coming.
Last updated: Apr 12 2022 at 19:14 UTC