
I have a question about the API. I am pretty new to APIs and tried to search the internet about that, but I couldn't find an answer to that.

The problem is that, as we know, the requester can send some data to the database only if he is authorized by a token. Okay, that's great, but what is not great is that the data parameters can be changed if the application is reversed, so the hacker can get the source code -> change the parameter to whatever he wants -> send it back to my server, and the server will treat the request normally as he is already authorized by a token, BUT with a change in the parameter value.

The dangerous scenario in my mind is as the following:

I have a Winforms Application where the user must buy, let's say, some coins through it in order to do more stuff in the app.

If the application is reversed, the hacker may still implement the request to the server BUT with changing the purchased amount of coins to infinity! This is just a scenario to demonstrate the idea of manipulating parameters.

The ultimate question is how to avoid/protect such case?

Thank you

  • Keep the data on the server, not the client. – Klaus Gütter Dec 11 '21 at 09:07
  • You never let a client decide how many "coins" a client has; he authorizes at the server, and the server tells him how many he has. If he buys something with coins, the server checks the coins from the server database (the client doesn't set this). If the server decides you don't have enough coins, you get an error. – Charles Dec 11 '21 at 09:07
  • _["You can't. There are steps you can take to make it a little more difficult, but ultimately any executable on the local machine is crackable. Eventually, that code has to be converted into native machine code and every application that is runnable is vulnerable."](https://stackoverflow.com/a/506301/585968)_ –  Dec 11 '21 at 09:08
  • I understand how to protect the "Read" commands but still am not able to figure out how to do so with "Post" commands, as the client anyway has to decide how many coins to purchase so it can be sent to the server for processing. – Hazem samir Dec 11 '21 at 09:32
  • A "purchase" implies a transaction. One party "requests" something, "pays" with something, and then "receives" something. Let's say 1 "coin" is bought with 10 "rocks". When the client POSTs a request of 5 coins, the server validates that the user has 50 rocks to afford it before allowing the purchase. The client can "hack" the request to 5 million coins, but then the server has to check if they have 50 million rocks to afford it. – NPras Dec 13 '21 at 00:23
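
The check the comments describe, written out as an added server-side example (not code from the question or from any of the commenters). It assumes a Python back end, an in-memory dict standing in for the server database, the 10-rocks-per-coin price from the last comment, and that the authenticated user id is recovered from the token rather than read from the request body:

```python
# Constructed, in-memory ledger standing in for the server database. The client
# never writes these rows; it only ever reads balances back from the server.
COIN_PRICE_IN_ROCKS = 10        # 1 coin costs 10 rocks, as in the comment above
MAX_COINS_PER_PURCHASE = 1_000  # server-side cap on a single order


def purchase_coins(ledger: dict, user_id: str, body: dict) -> tuple[int, dict]:
    """Server-side handler for a POST /purchase request.

    `user_id` is the identity recovered from the already-validated auth token,
    never from the request body, so a tampered body cannot act on another
    account. The only client-supplied value used is the requested quantity,
    and that is treated as hostile input. Returns (HTTP status, JSON body).
    """
    # 1. Parse and bound the untrusted quantity: reject bools, floats,
    #    strings, negatives and absurd sizes before touching any balance.
    qty = body.get("coins")
    if isinstance(qty, bool) or not isinstance(qty, int):
        return 400, {"error": "coins must be an integer"}
    if qty <= 0 or qty > MAX_COINS_PER_PURCHASE:
        return 400, {"error": "coins out of range"}

    # 2. Price and balance come from the server, so any "price", "rocks" or
    #    "total" fields a modified client adds to the body are simply ignored.
    cost = qty * COIN_PRICE_IN_ROCKS
    account = ledger.get(user_id)
    if account is None:
        return 404, {"error": "unknown account"}

    # 3. Check affordability against the server-held balance, never a
    #    balance the client claims to have.
    if account["rocks"] < cost:
        return 402, {"error": "insufficient rocks", "needed": cost,
                     "available": account["rocks"]}

    # 4. Debit and credit together. A real database would wrap this in one
    #    transaction with the row locked, so two concurrent requests cannot
    #    both pass the check in step 3 against the same balance.
    account["rocks"] -= cost
    account["coins"] += qty

    # 5. Return the authoritative balances; the client displays, never decides.
    return 200, {"coins": account["coins"], "rocks": account["rocks"]}


if __name__ == "__main__":
    ledger = {"alice": {"rocks": 50, "coins": 0}}
    print(purchase_coins(ledger, "alice", {"coins": 5}))          # 200, 5 coins, 0 rocks
    print(purchase_coins(ledger, "alice", {"coins": 5_000_000}))  # 400, out of range
    # A "hacked" body naming its own price and balance changes nothing: 402.
    print(purchase_coins(ledger, "alice", {"coins": 1, "price": 0, "rocks": 10**9}))
```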

0 Answers