Authorization 03
This exercise is one of our challenges on authorization issues.
This lab demonstrates a classic security oversight in modern frameworks like Ruby on Rails. Much of the code is generated automatically, and the same database records are made available in several formats, such as HTML and JSON. For instance, /users/1 may show an HTML page with the first user's details in which sensitive information is masked, while modifying the URL to request the JSON representation of the same record may expose that masked data.
The lab walks you through a source code review of a Rails application, explaining how routes and controllers are set up to handle user data. You'll discover that while the HTML view hides the user's scoring key, the JSON view generated by Rails includes it. This highlights the importance of considering all data representations when securing sensitive information. The lab concludes by offering a simple fix: removing sensitive information from the JSON view.
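A constructed Ruby sketch of the behaviour the lab describes, added here and not the lab's own code: a stand-in User model whose `as_json` mirrors ActiveModel's `only:`/`except:` options, the show action whose JSON branch serialises the scoring key that the HTML view masks, and the fixed branch that strips it before rendering. The attribute name `scoring_key`, the sample record and the helper names are assumptions; the sketch runs without Rails.

```ruby
require 'json'

# Constructed stand-in for an ActiveRecord model (not Rails itself): attributes
# come from a hash and as_json mirrors ActiveModel's only:/except: options.
class User
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes.transform_keys(&:to_s)
  end

  # Default: every attribute, which is exactly what `render json: @user` emits.
  def as_json(options = {})
    attrs = @attributes.dup
    if options[:only]
      keep = Array(options[:only]).map(&:to_s)
      attrs.select! { |k, _| keep.include?(k) }
    end
    if options[:except]
      drop = Array(options[:except]).map(&:to_s)
      attrs.reject! { |k, _| drop.include?(k) }
    end
    attrs
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Constructed sample record; scoring_key is the sensitive attribute.
USERS = { 1 => User.new(id: 1, name: 'alice', scoring_key: 'sk_constructed_example') }

# What the HTML template renders: the key is masked by hand in the view.
def html_view(user)
  "<p>Name: #{user.attributes['name']}</p><p>Key: ****</p>"
end

# UsersController#show before the fix: the JSON branch serialises every attribute.
def show_vulnerable(id, format)
  user = USERS.fetch(id)
  format == :json ? user.to_json : html_view(user)
end

# After the fix: the sensitive column is removed before the JSON is rendered.
def show_fixed(id, format)
  user = USERS.fetch(id)
  format == :json ? user.as_json(except: [:scoring_key]).to_json : html_view(user)
end
```

In a real Rails app the same `except:` (or an explicit `only:` allow-list) goes on the `render json:` call or into a serializer, so every format of the record applies the same masking rule as the template.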