0

One dev at the company I work is developing an API and the response for all the requests are basically the same.

However, for example, if you request a login and your credentials are wrong the response gives you:

{
'foo':[],
'var':[],
'msg':'credentials error'
}

But if the credentials are correct, the response gives you:

{
'foo':[
'stuff1':1,
'stuff2':2,
'stuff3':3
],
'var':[
'var1':1,
'var2':2,
'var3':3
],
'msg':'logged in!'
}

Is that correct? I mean, does that compromises security?

Comments
  • 0
    As in giving away foo and var?
  • 1
    If the user failed to authenticate then the API shouldn't expose foo and/or bar. I don't know what foo and bar are, but IMHO non-authenticated users should not receive a JSON structure. What about leaving the body empty and answer with a 401?
  • 0
    @coookie exactly, I mean... The API is revealing some information (variable names) to unauthorized users
  • 0
    I don't know JavaScript. But if the variable names are exposed, is it a problem?

    Does the security rely on them being kept secret?

    #STO
  • 1
    @spl0 Exposing vars may or may not lead to a security issue but not exposing makes sure it doesn't lead to anywhere
Add Comment