API Security Breach  Topic is solved

Discussions relating to the REST API of Jiwa 7.

API Security Breach

Postby neil.interactit » Mon Jan 13, 2020 4:13 pm

Hi guys,

If this is sorted elsewhere, sorry, I haven't been able to locate on the forums.

I have a plugin to action some custom API routes, and am using API key authentication.
To enable this, I first needed to enable the "REST API" plugin, which in turn opened many other routes.
To mitigate this, I have imported "RestPaths" and disallowed everything except the custom routes.

However http://localhost:8080/Logs/Today, which does not require authentication, is still working, and shows the Authorization Bearer (API key) ...
breach.PNG


Is it possible to completely disable all the default routes, while still allowing custom API plugins? Or is there an alternate way to fix this security hole?

Cheers,
Neil
neil.interactit
Frequent Contributor
Frequent Contributor
 
Posts: 156
Joined: Wed Dec 03, 2014 2:36 pm
Topics Solved: 5

Re: API Security Breach  Topic is solved

Postby Mike.Sheen » Mon Jan 13, 2020 4:30 pm

Hi Neil,

You should turn off DebugMode in the System Settings - this will disable the request logging and prevent unwanted information disclosure.

We only intended the DebugMode to be on for testing / development purposes - and making the logs inaccessible unless logged in was making troubleshooting logging in problematic.

We could perhaps make a setting to make the viewing of request logs only if authenticated - that way there is a way to handle all scenarios. I've logged this as improvement DEV-7992.
Mike Sheen
Chief Software Engineer
Jiwa Financials

If I do answer your question to your satisfaction, please mark it as the post solving the topic so others with the same issue can readily identify the solution
User avatar
Mike.Sheen
Jiwa Shihan
Jiwa Shihan
 
Posts: 1674
Joined: Tue Feb 12, 2008 11:12 am
Location: North Sydney
Topics Solved: 522

Re: API Security Breach

Postby neil.interactit » Mon Jan 13, 2020 4:37 pm

Many thanks Mike, will do.
neil.interactit
Frequent Contributor
Frequent Contributor
 
Posts: 156
Joined: Wed Dec 03, 2014 2:36 pm
Topics Solved: 5

Re: API Security Breach

Postby Mike.Sheen » Mon Jan 13, 2020 4:39 pm

neil.interactit wrote:Is it possible to completely disable all the default routes, while still allowing custom API plugins? Or is there an alternate way to fix this security hole?


And to answer this: Yes, this is possible - change the default permission for the user group(s) to have the "Default REST API Permisssion" to be Undefined, and then only add to the REST API paths the routes you want to expose with the permission to be Allow.
Mike Sheen
Chief Software Engineer
Jiwa Financials

If I do answer your question to your satisfaction, please mark it as the post solving the topic so others with the same issue can readily identify the solution
User avatar
Mike.Sheen
Jiwa Shihan
Jiwa Shihan
 
Posts: 1674
Joined: Tue Feb 12, 2008 11:12 am
Location: North Sydney
Topics Solved: 522


Return to REST API

Who is online

Users browsing this forum: No registered users and 1 guest