SharePoint 2019 Rest API Security

Shiva Charan 1 Reputation point
2022-02-23T05:12:46.013+00:00

Hi,

We have an SP 2019 application in which we are using the REST API for CRUD operations. During an application security scan, REST API parameters were modified in the browser and updated to the list.

Security Recommendation: Server-side validation

Is there any way to restrict the manipulation of REST API parameters? Any TechNet article for reference?

Thanks,
Shiva


2 answers

  1. RaytheonXie_MSFT 35,386 Reputation points Microsoft Vendor
    2022-02-23T08:50:37.277+00:00

    Hi @Shiva Charan ,
    I would recommend using SharePoint App-Only to grant access to SharePoint 2019. Here are some nice articles and documents:
    https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
    https://security.stackexchange.com/questions/227560/how-to-secure-rest-api-for-parameter-manipulation
    https://www.netsparker.com/blog/web-security/rest-api-web-service-security/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.





  2. Shiva Charan 1 Reputation point
    2022-03-13T13:17:01.89+00:00

    Hi RaytheonXie,

    Thanks for your reply, I checked the links you provided.
    Our application is an intranet SP 2019 application, and we are using a CEWP for showing the forms and JS files in which all REST API CRUD operations are coded. As part of the pen test, the security team is capturing the submitted values in the Burp tool, modifying the JSON parameters in the tool and sending the request to the server.
    So is there any way to restrict them from capturing the values, or to encrypt the values without affecting the users' submitted data?

    Please let me know if there is any solution for this, or any links showing that this is the behavior of the REST API in SharePoint JSOM coding.

    Thanks

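As an added illustration (not part of the original thread or any answer in it): the CEWP JavaScript, the form fields and the JSON body all live in the user's browser, so nothing done there (obfuscation, client-side "encryption", hidden fields) stops someone with Burp from editing the `_api` request before it reaches the server. The check the pen test is asking for has to run inside SharePoint itself. On SharePoint 2019 on-premises the natural place is a farm-solution item event receiver: `ItemAdding` and `ItemUpdating` are synchronous, fire for every write to the list regardless of client (form, REST, CSOM, PowerShell), and can cancel the write with an error the REST caller receives. The list name "Orders", the column internal names, the group name "Order Approvers" and the business rules below are assumptions made up for this example.

```csharp
using System;
using Microsoft.SharePoint;

namespace Contoso.Intranet.Validation
{
    // Item event receiver for an assumed "Orders" list (SharePoint 2019 farm solution).
    // The "-ing" events run before the write is committed, so rejecting here stops the
    // item from being saved no matter how the request was produced.
    public class OrdersValidationReceiver : SPItemEventReceiver
    {
        // Column internal names and the approver group are assumptions for this example.
        private const string QuantityField = "Quantity";
        private const string StatusField = "OrderStatus";
        private const string ApproverField = "Approver";
        private const string ApproverGroup = "Order Approvers";
        private static readonly string[] AllowedStatuses = { "Draft", "Submitted", "Approved", "Rejected" };

        public override void ItemAdding(SPItemEventProperties properties)
        {
            Validate(properties, isAdd: true, existingStatus: null);
        }

        public override void ItemUpdating(SPItemEventProperties properties)
        {
            // properties.ListItem is the stored item as it is BEFORE this update is applied.
            object current = properties.ListItem[StatusField];
            Validate(properties, isAdd: false, existingStatus: current == null ? null : current.ToString());
        }

        private static void Validate(SPItemEventProperties properties, bool isAdd, string existingStatus)
        {
            // AfterProperties is exactly what the client sent. Treat every value as untrusted
            // text: a tampered JSON body can put any type, length or column in the request.
            SPItemEventDataCollection after = properties.AfterProperties;

            // 1. Presence and range check on a numeric column (TryParse, never a cast).
            object rawQty = after[QuantityField];
            if (isAdd && rawQty == null)
            {
                Reject(properties, "Quantity is required.");
                return;
            }
            int quantity;
            if (rawQty != null && (!int.TryParse(rawQty.ToString(), out quantity) || quantity < 1 || quantity > 1000))
            {
                Reject(properties, "Quantity must be a whole number between 1 and 1000.");
                return;
            }

            // 2. Allow-list check on a choice column. The form's dropdown is not a control;
            //    only this server-side comparison is.
            object rawStatus = after[StatusField];
            string newStatus = rawStatus == null ? null : rawStatus.ToString();
            if (newStatus != null && Array.IndexOf(AllowedStatuses, newStatus) < 0)
            {
                Reject(properties, "Invalid order status.");
                return;
            }

            // 3. Authorization check. A Contribute user can add OrderStatus=Approved or an
            //    Approver value to the JSON body in Burp even though the form never shows
            //    those fields, so decide based on the identity SharePoint authenticated,
            //    never on anything in the payload.
            bool approving = newStatus == "Approved";
            bool touchingApprover = after[ApproverField] != null;
            if (approving || touchingApprover)
            {
                SPUser caller = properties.Web.SiteUsers.GetByID(properties.CurrentUserId);
                if (!IsMemberOf(caller, ApproverGroup))
                {
                    Reject(properties, "Only members of " + ApproverGroup + " may approve orders.");
                    return;
                }
                if (approving && existingStatus != "Submitted")
                {
                    Reject(properties, "Only a submitted order can be approved.");
                    return;
                }
            }
        }

        private static bool IsMemberOf(SPUser user, string groupName)
        {
            foreach (SPGroup group in user.Groups)
            {
                if (string.Equals(group.Name, groupName, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
            return false;
        }

        private static void Reject(SPItemEventProperties properties, string message)
        {
            // CancelWithError hands the message back to the caller: the REST request gets an
            // error response and the item is not written.
            properties.Status = SPEventReceiverStatus.CancelWithError;
            properties.ErrorMessage = message;
            properties.Cancel = true;
        }
    }
}
```

Deploy the assembly as a farm solution and bind the receiver to the list's ItemAdding and ItemUpdating events (for example from a feature receiver). For simple per-column rules such as the range check, SharePoint's own column and list validation formulas (list settings, or `SPList.ValidationFormula` from PowerShell) are a no-code alternative that is also enforced for REST writes; they cannot express the group-membership rule in step 3, which is why field-level authorization ends up in code. The receiver does not, and cannot, stop the tester from capturing or editing the request; it makes the edited request fail, which is what "server-side validation" in the scan report means.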
