
Protect OData API calls from data spoofing from inside by internal user

MikeB
Contributor

A question regarding securing OData API calls in the SAPUI5 application.

In the legacy system, once a user has successfully passed authorization, it is possible to send a request with a User ID and the desired data directly from the client side to the OData API without any additional security check on the server side.

My concern is that any authorized user in the system can behave as a trojan, theoretically spoofing his own User ID and performing some actions under the name of another user. As a mitigation measure, there is an option to encapsulate the OData API from the client side by introducing a server-side wrapper, which will perform sender authentication before forwarding the request to the OData API.

The question is whether there are already some out-of-the-box approaches in the SAP Fiori / SAPUI5 platform to secure the use of the OData API, to ensure that the request sender can't fake a User ID and do something in the system under another name.

Accepted Solutions (1)

RalfHandl
Product and Topic Expert

The user id/name/... should be determined server-side based on the provided credentials. That way spoofing is not possible.

Answers (1)

RalfHandl
Product and Topic Expert

Could you please describe the supposed attack vector in more detail?

Every HTTP request has to carry credentials that pass server-side validation, which includes:

  • Is this a valid user?
  • Are these valid credentials for this user?
  • Is this user authorized to access this OData API?

Then the request is executed in the context of this user, and with the access rights of this user.

MikeB
Contributor
0 Kudos

Suppose there are two valid users, User A and User B. Both are authorised to access the OData API. Now, User A performs authorization and sends a request to the OData API. My concern is that User A can open Chrome Dev Tools and fake the JSON by spoofing his name to User B prior to sending it to the OData API.

As a result, the OData API will get a JSON where the user name is not genuine, User B instead of User A.

The question is whether there is any built-in security mechanism in the OData API to verify that the data comes from the specific user who is currently logged in and appears in the JSON, and not from someone else who just has access to the OData API?

Real world example:
A user can leave a comment, where his name and the content body will appear, but it is also possible to fake the value of the name field and write the name of someone else instead.