Tim Bond
Cascadia PHP - October 24, 2024
'Automating' comes from the roots 'auto-' meaning 'self-', and 'mating', meaning 'screwing'.
Image credit: XKCD "Automation", licensed Creative Commons Attribution-NonCommercial 2.5
"[security researcher Anand] Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone."
GET http://api.example.com/items
POST http://api.example.com/analytics
PUT http://api.example.com/scan/498044355635
POST http://api.example.com/analytics
GET /items
[
  {
    "title": "Bleach",
    "upc": "0498044355635"
  },
  // more items
]
PUT /scan/nnn
{
  "user_id": 1234,
  "latitude": 41.9972705,
  "longitude": -87.8834467
}
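The captured PUT body carries a user_id chosen by the client, which is exactly the field a proxied, modified request would change. The following handler is an added example (not code from the talk or from the API shown above) of how the server side should treat that field: identity comes from the session, the client-supplied user_id is only ever compared, never stored, and the path and coordinate inputs are validated. The Session, Scan and ScanHandler classes are minimal stand-ins written for this illustration.

```php
<?php
// Added example, not code from the talk: a PUT /scan/{upc} handler that takes the
// user's identity from the authenticated session instead of the request body.
// Session, Scan and ScanHandler are illustrative stand-ins, not a real framework.
declare(strict_types=1);

final class Session
{
    public function __construct(public readonly ?int $userId) {}
}

final class Scan
{
    public function __construct(
        public readonly int $userId,
        public readonly string $upc,
        public readonly float $latitude,
        public readonly float $longitude,
    ) {}
}

final class ScanHandler
{
    /** @var Scan[] */
    public array $stored = [];

    // Returns the stored scan, or throws with an HTTP-style status message.
    public function handle(Session $session, string $upc, string $json): Scan
    {
        if ($session->userId === null) {
            throw new RuntimeException('401 Unauthorized');
        }
        // UPC-A is exactly 12 digits; reject anything else before it reaches storage.
        if (!preg_match('/^\d{12}$/', $upc)) {
            throw new RuntimeException('400 bad upc');
        }
        $body = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($body)) {
            throw new RuntimeException('400 body must be a JSON object');
        }

        // A client-supplied user_id is never trusted. It is compared strictly against
        // the session user and the mismatch is rejected (and can be logged) rather than
        // silently overwritten, so tampering is visible.
        if (array_key_exists('user_id', $body) && $body['user_id'] !== $session->userId) {
            throw new RuntimeException('403 user_id does not match session');
        }
        $lat = $body['latitude'] ?? null;
        $lng = $body['longitude'] ?? null;
        if (!is_numeric($lat) || !is_numeric($lng)
            || abs((float) $lat) > 90 || abs((float) $lng) > 180) {
            throw new RuntimeException('400 bad coordinates');
        }

        // The stored record uses the session's user id, whatever the body said.
        $scan = new Scan($session->userId, $upc, (float) $lat, (float) $lng);
        $this->stored[] = $scan;
        return $scan;
    }
}

// Constructed request mirroring the captured one above.
$handler = new ScanHandler();
$scan = $handler->handle(new Session(1234), '498044355635',
    '{"user_id":1234,"latitude":41.9972705,"longitude":-87.8834467}');
printf("stored scan for user %d at %.4f,%.4f\n", $scan->userId, $scan->latitude, $scan->longitude);

// The same session sending someone else's user_id is refused.
try {
    $handler->handle(new Session(1234), '498044355635', '{"user_id":1,"latitude":0,"longitude":0}');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Rejecting a mismatched user_id instead of quietly replacing it is a deliberate choice: it costs nothing for honest clients (the app always sends its own id) and turns a tampered request into a loggable 403.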
/user/123
/users
/docs
or /swagger.json
/user/123
/user/124
// GET /api/users/{id}
// Any caller can fetch any user: the id comes straight from the URL and no
// authorization check is made before the record is returned.
public function getUser(string $id) {
    return $this->database->getUser($id);
}
public function getUser(string $id) {
    $info = $this->database->getUser($id);
    // Decide what the caller may see based on who they are, not on the id alone.
    if ($this->currentUser->isAdmin()) {
        return new AdminUserResponse($info);
    } elseif ($this->currentUser->id == $info->id) {
        return new UserResponse($info);
    } else {
        // A reduced view of someone else's record; deny outright if those are private.
        return new OtherUserResponse($info);
        // or throw new HttpNotAuthorizedException();
    }
}
Diagram: an Auth Server in front of the Search API and the Map API. 👈 No access to Purchase API
GET /users/123
API_KEY = NWTPk4
APP_ID = wQrDfM
GET /users/123
API_KEY = NWTPk4
APP_ID = wQrDfM
HMAC = APvNwF
🔒 Bonus: the API can return signed URLs
Example: concatenate:
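The two requests above differ only in the HMAC: API_KEY and APP_ID are static values that any proxied request reveals, whereas the HMAC proves the sender holds a secret and covers the parts of the request the server will act on. The following is an added example, not code from the talk or from any real API, of signing and verifying a request this way and of the signed-URL bonus. The shared secret value, the X-App-Id / X-Timestamp / X-Signature header names and the canonical string layout are all assumptions made for the illustration; the APP_ID value is the one from the slide.

```php
<?php
// Added example, not from the talk: HMAC-signing an API request and a URL.
// SHARED_SECRET, the header names and the canonical format are assumptions.
declare(strict_types=1);

const SHARED_SECRET = 'replace-with-a-long-random-secret';
const MAX_SKEW_SECONDS = 300; // how long a signature stays valid

// Everything the server will enforce goes into the signed string: method, path,
// app id, timestamp and a digest of the body. Change any of them and the MAC breaks.
function canonicalize(string $method, string $path, string $appId, int $timestamp, string $body): string
{
    return implode("\n", [strtoupper($method), $path, $appId, (string) $timestamp, hash('sha256', $body)]);
}

function signRequest(string $method, string $path, string $appId, int $timestamp, string $body, string $secret): string
{
    return hash_hmac('sha256', canonicalize($method, $path, $appId, $timestamp, $body), $secret);
}

// Server side: recompute the MAC, compare in constant time, and refuse stale
// timestamps so a captured request cannot just be replayed later.
function verifyRequest(array $headers, string $method, string $path, string $body, string $secret, int $now): bool
{
    foreach (['X-App-Id', 'X-Timestamp', 'X-Signature'] as $name) {
        if (!isset($headers[$name])) {
            return false;
        }
    }
    $timestamp = (int) $headers['X-Timestamp'];
    if (abs($now - $timestamp) > MAX_SKEW_SECONDS) {
        return false;
    }
    $expected = signRequest($method, $path, (string) $headers['X-App-Id'], $timestamp, $body, $secret);
    return hash_equals($expected, (string) $headers['X-Signature']);
}

// Signed URL: the expiry is part of the signed string, so it cannot be extended.
function signUrl(string $url, int $expires, string $secret): string
{
    $base = $url . (str_contains($url, '?') ? '&' : '?') . 'expires=' . $expires;
    return $base . '&sig=' . hash_hmac('sha256', $base, $secret);
}

function verifyUrl(string $signedUrl, string $secret, int $now): bool
{
    $pos = strrpos($signedUrl, '&sig=');
    if ($pos === false) {
        return false;
    }
    $base = substr($signedUrl, 0, $pos);
    $sig = substr($signedUrl, $pos + 5);
    parse_str((string) parse_url($base, PHP_URL_QUERY), $query);
    if (!isset($query['expires']) || (int) $query['expires'] < $now) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $base, $secret), $sig);
}

// Constructed calls mirroring the captured PUT /scan request from the slides.
$now = time();
$body = '{"user_id":1234,"latitude":41.9972705,"longitude":-87.8834467}';
$headers = [
    'X-App-Id'     => 'wQrDfM',
    'X-Timestamp'  => (string) $now,
    'X-Signature'  => signRequest('PUT', '/scan/498044355635', 'wQrDfM', $now, $body, SHARED_SECRET),
];
var_dump(verifyRequest($headers, 'PUT', '/scan/498044355635', $body, SHARED_SECRET, $now));
var_dump(verifyRequest($headers, 'PUT', '/scan/498044355635', '{"user_id":1}', SHARED_SECRET, $now)); // body edited in a proxy
var_dump(verifyRequest($headers, 'PUT', '/scan/498044355635', $body, SHARED_SECRET, $now + 3600));   // same request an hour later

$url = signUrl('https://api.example.com/items', $now + 60, SHARED_SECRET);
var_dump(verifyUrl($url, SHARED_SECRET, $now));
var_dump(verifyUrl($url, SHARED_SECRET, $now + 120)); // checked after the expiry
```

Of the three request checks only the first succeeds: the edited body changes the digest in the canonical string, and the hour-old timestamp falls outside MAX_SKEW_SECONDS. The caveat a practitioner should keep in mind is the one this talk is built around: a secret compiled into a mobile app can be pulled out of the binary, so request signing stops casual proxy tampering and replay, but it does not prove the request came from an unmodified app. That is what the integrity-check flow on the next slide is for.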
Diagram (app ↔ API with a shared secret): Unauthenticated request → Dynamic Integrity Check → Secret token → API call ✅
Diagram (API Gateway architecture):
Authorization request → OAuth 2 service (Registered user info) → Auth token
App Auth request → App auth service (Registered app info) → App token
API calls → API Gateway → API 1 (Key 1), API 2 (Key 2), API 3 (Key 3)
<?php
use Symfony\Component\Panther\Client;

// Drive a real browser (Symfony Panther) through the log-in form and scrape a price.
$client = Client::createChromeClient();
$crawler = $client->get('https://www.example.com/log-in');
$crawler->filter('#email')->sendKeys('tim.bond');   // credentials belong in config, not in source
$crawler->filter('#password')->sendKeys('test123');
$crawler->filter('#log-in')->click();
// Wait for the log-in button to leave the DOM, i.e. for the post-login page to load.
$client->waitForStaleness('#log-in');
// Wait for the element to appear, then read its text.
$price = $client->waitFor('#price')->filter('#price')->getText();