Prevent API Security Risks

[japananh]

• https://owasp.org/API-Security/editions/2023/en/0x11-t10/
• https://blog.securityevaluators.com/reverse-engineering-bumbles-api-a2a0d39b3a87
• https://www.youtube.com/watch?v=YYe0FdfdgDU

Prevent critical attacks in APIs

1. CORS

Example: https://github.com/japananh/zero-and-one/blob/main/middleware/cors.go

2. DoS (Denial of Service)

package main

import (
	"fmt"
	"log"
	"net/http"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/gin-contrib/limit"
)

func main() {
	r := gin.Default()

	// Apply rate limiting middleware
        // The number depends on server capacity, expected traffic, response time, resource intensity, load testing, failover and scalability, security, monitoring and adjustments.
	r.Use(limit.MaxAllowed(10)) // Limit to 10 requests per second

	r.GET("/api/data", getData)

	r.Run(":8080")
}

func getData(c *gin.Context) {
	// Simulate some work
	time.Sleep(100 * time.Millisecond)

	c.JSON(http.StatusOK, gin.H{"message": "Data retrieved successfully"})
}

3. SQL Injection

4. XSS (Cross-Site Scripting)

To protect against XSS, you should properly escape and sanitize user-generated content before rendering it in your web pages using html/template.

package main

import (
	"html"
	"net/url"
)

func sanitizeInput(input string) string {
	// Sanitize for HTML
	htmlSafe := html.EscapeString(input)

	// Sanitize for URL
	urlSafe := url.QueryEscape(htmlSafe)

	return urlSafe
}

SSRF (Server-Side Request Forgery)