API Security Vulnerabilities #4

@FearfulDenial

Description

Api.php, located here, has multiple vulnerabilities and ways of malicious use.

🔴There's no rate limiting on the API requests. An attacker or malicious user could brute-force tokens or spam requests, causing a Denial of Service.

🟡The API token is extracted from the Authorization header, but there's no protection against interception if HTTPS isn't enforced. If logging is added and it logs $_SERVER, the API token could be exposed.

🟡The validate_api_token function uses a prepared statement to prevail against SQL injection, but if $token wasn't sanitized before reaching it, it could still be manipulated for injection.

🔴API tokens are checked against the DB, but there are no expiration, revocation, or scopes. If an API token leaks, an attacker or malicious user would have full access.

🟡While this is an API Framework, if an admin panel uses the same auth via browser-based requests, it could be vulnerable to CSRF attacks.

🔴The log_usage and validate_license functions do not sanitize input before using it. If these values are inserted, it could lead to SQL injection. Missing validation for the format of roblox_user_id, license_key, and action could lead to issues like stored cross-site scripting (XSS) or SQL injection attacks.

🟡The error messages the API Framework gives directly reveal if a token is invalid or missing. While helpful for debugging, it could assist an attacker or malicious user in confirming the validity of a token, allowing generation of valid tokens.
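As an added illustration of the mitigation for the log_usage point above (this is example code written for this issue, not the repository's Api.php), the following shows the three inputs being validated against an allow-list and fixed formats before a prepared statement with bound parameters inserts them. It assumes a PDO connection, a table named api_usage with the listed columns, a numeric roblox_user_id and a 32-character hex license_key; all of those are assumptions, not facts about the project.

```php
<?php
// Added example, not the repository's Api.php. Assumes a PDO handle and a
// table api_usage(roblox_user_id, license_key, action, created_at);
// the table, column names and key format are assumptions.
declare(strict_types=1);

// Allow-list of actions the API may record; anything else is rejected.
const ALLOWED_ACTIONS = ['validate', 'activate', 'deactivate'];

/**
 * Validate the three inputs before they reach the database.
 * Returns a normalised array or throws InvalidArgumentException.
 */
function validate_usage_input(string $robloxUserId, string $licenseKey, string $action): array
{
    // Assumed: Roblox user ids are decimal digits; cap the length as well.
    if (!preg_match('/^[0-9]{1,20}$/', $robloxUserId)) {
        throw new InvalidArgumentException('invalid roblox_user_id');
    }
    // Assumed key format: 32 hex characters. Adjust to the real format.
    if (!preg_match('/^[A-Fa-f0-9]{32}$/', $licenseKey)) {
        throw new InvalidArgumentException('invalid license_key');
    }
    // Strict comparison so "0" or similar cannot match an allowed value.
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('invalid action');
    }
    return [
        'roblox_user_id' => (int) $robloxUserId,
        'license_key'    => strtolower($licenseKey),
        'action'         => $action,
    ];
}

/**
 * Insert the usage record through a prepared statement with bound
 * parameters, so the values are never interpolated into the SQL text.
 */
function log_usage_hardened(PDO $pdo, string $robloxUserId, string $licenseKey, string $action): void
{
    $row  = validate_usage_input($robloxUserId, $licenseKey, $action);
    $stmt = $pdo->prepare(
        'INSERT INTO api_usage (roblox_user_id, license_key, action, created_at)
         VALUES (:uid, :key, :action, NOW())'
    );
    $stmt->execute([
        ':uid'    => $row['roblox_user_id'],
        ':key'    => $row['license_key'],
        ':action' => $row['action'],
    ]);
}
```

Rejecting malformed input before the insert also limits what can later be rendered from the table, which addresses the stored XSS concern as well as the injection one.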
