Your API Authentication is insecure, and we'll tell you why - homakov
http://sakurity.com/blog/2015/03/04/hybrid_api_auth.html

======
noapiforyou
Oh, man...

I work at a "startup" where all the AJAX requests, even the ones that write to
the database, are completely unauthenticated. Everything is PHP files in the
webroot, which means of course they're one malicious POST away from losing the
whole house of cards.

I happen to be writing an API right now on my own time so I can literally drop
it on the server and try to get them on board with it and convince them it
isn't black magic. Now hopefully it won't suck quite as badly.
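
The failure mode described in this comment (state-changing endpoints that trust nothing, or that trust only an ambiently-sent cookie) is the core of the CSRF problem the linked article is about. The following is an added illustration, not code from this thread or from the article: a request-authorization function that accepts either an explicit bearer token (which a browser never attaches on its own, so a foreign page cannot forge it) or a session cookie paired with a CSRF token header. The in-memory `SESSIONS` and `API_TOKENS` tables, the `Request` type and the header names are constructed for the example.

```python
"""Constructed example: authorizing a state-changing API request without
CSRF exposure. Not code from the thread or from the linked article."""
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for a session backend and an API-key table (assumption).
SESSIONS = {"sess-abc": {"user": "alice", "csrf": "tok-123"}}
API_TOKENS = {"key-xyz": "alice"}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    """Minimal request shape for the example (hypothetical, not a framework)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def authenticate(req: Request):
    """Return the acting user name, or None if the request must be rejected.

    Two credential paths are accepted:
    1. An Authorization: Bearer token. Browsers never add this header
       automatically, so a cross-site page cannot make the victim's browser
       send it; no CSRF token is needed on this path.
    2. A session cookie. Cookies ARE sent ambiently, so for any method that
       can change state the request must also carry an X-CSRF-Token header
       matching the value bound to the session; a foreign origin can neither
       read that value nor set a custom header on a simple cross-site form.
    """
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        presented = auth[len("Bearer "):]
        # Constant-time comparison against each known token.
        for known, user in API_TOKENS.items():
            if hmac.compare_digest(known, presented):
                return user
        return None

    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return None
    if req.method in SAFE_METHODS:
        # Read-only request: the session alone identifies the user.
        return sess["user"]
    header_tok = req.headers.get("X-CSRF-Token", "")
    if hmac.compare_digest(sess["csrf"], header_tok):
        return sess["user"]
    # Cookie present but no valid CSRF token: exactly the cross-site POST case.
    return None


if __name__ == "__main__":
    forged = Request("POST", cookies={"session": "sess-abc"})
    legit = Request("POST", {"X-CSRF-Token": "tok-123"}, {"session": "sess-abc"})
    print(authenticate(forged), authenticate(legit))  # None alice
```

The point of the split is that the bearer path needs no CSRF defence at all, while the cookie path is only safe for writes when the per-session token is checked; an endpoint that skips the `X-CSRF-Token` comparison is the "one malicious POST away" situation above.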

------
smt88
This is an irritating title. My API authentication certainly is not vulnerable
to known CSRF attacks, and implying that the article was about some
new/unknown/complex vulnerability made me click it.

The title would more aptly be: "One way to avoid a basic CSRF vulnerability"

~~~
homakov
I demonstrated high profile websites who get it wrong and explained what leads
to this bug. It's not "new/unknown" but "complex" - probably yes. Also I
explained the best way to solve this issue.

