Time  Nick      Message
23:34 fumanchu_ man, gzip could use an overhaul. null-terminated header strings, using EOF to detect the footer. ick.
23:19 whartung  yea, their point is to prevent fishing by not publishing keys.
23:18 asdf`     instead, it mentions primary and foreign keys (???)
23:18 whartung  has nothing to do with the stack. Contextual data access is a Hard Problem. Whatever help a stack may offer, doesn't really solve the problem.
23:18 asdf`     no, i get what they meant, it's just, it's written VERY badly; it doesn't even mention authorization
23:17 asdf`     depends on the stack you're using, of course
23:16 whartung  mostly because it's a real pain to implement :) lol
23:16 whartung  this is something folks may not think about.
23:16 whartung  rather than what you can do with the data.
23:16 whartung  since it's mostly based on the old page model
23:15 whartung  99.9% of web security is URL based (can't they access the endpoint at ALL)
23:15 whartung  this is context based security, rather than access based security
23:15 whartung  so the point is that you need to validate your data and check your rights.
23:15 whartung  if you have payload (since it doesn't matter if it's a url or a payload, really), that says "xfer from acct 1234 to acct 4567" what's to stop it from being "from acct 1234 to acct 9876", and truth is probably nothing. However, "xfer from acct 3333 to 4567", that should likely be disallowed, since odds are the user has no rights to transfer from 3333, but just 1234.
23:13 whartung  the account xfer is a particularly good one.
23:13 whartung  that if the URL is "all you need", then "anything can happen".
23:13 whartung  basically they're suggesting
23:13 whartung  it's kind of interesting.
23:12 asdf`     i'm not sure how either of these conclusions follow from the urls?
23:12 asdf`     err, about this part: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Insecure_direct_object_references
23:11 whartung  That's not really what it means at all...
23:11 whartung  "Many web services are written to be as stateless as possible. This usually ends up with a state blob being sent as part of the transaction."
23:10 whartung  funny: RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie.
23:09 whartung  don't even get me started on encrypting stored data.
23:08 pdurbin   I'm hearing good things about https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
22:23 spaceone  yep, okay
22:23 fumanchu  see section 3.3 (or Appendix A) of https://www.ietf.org/rfc/rfc3986.txt
22:23 fumanchu  pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
22:22 fumanchu  the http URI scheme uses path-abempty for path segments, which consist of "segment" productions, which are composed of pchars
22:19 whartung  ^^
22:19 fumanchu  as long as it's escaped, it's valid
22:15 spaceone  or is it restricted to the quoted chars of ":/?#[]@!$&'()*+,;=" plus A-Za-z0-9
22:13 spaceone  ?
22:13 spaceone  is it valid to have %0A (== \n) in the path of the HTTP request URI? → GET /foo%0Abar/ HTTP/1.1