In this meeting, the State Changers discussed security measures related to the usage of authentication tokens in a particular system. They examined a potential issue where an authenticated user, with a specific token-associated ID, can access information not belonging to them simply by changing the ID. A solution proposed involved implementing role-based access and making sure on the backend that the user requesting data has the right to access it.
The State Changers also discussed the importance of validating the user at every stage and returning an 'unauthorized' code in case the user tries to access data they shouldn't be allowed to. They also touched upon the concept of "IDOR" (Insecure Direct Object References) where a flaw in the access control can give authenticated users access to unauthorized data. The group recommended using OWASP standards as a guideline and debunked the idea of obscuring URLs as it does not enhance security fundamentally. They advised performing precondition checks on the back-end to ensure security. As the meeting proceeded, the group discussed the significance of front-end notifications when unauthorised access is attempted and the need for the precondition measures to be implemented in the system to prevent the code from executing when unauthenticated access is detected. The meeting ended with emphasized importance on thinking from an attacker's perspective while ensuring the security of their system and taking steps to anticipate potential security breaches.
(Source: Office Hours 1/6 )
