OWASP API Security Top 10 2019 Checklist

general > broken-object-level-authorization-use-guids

---

Guidance

Use random and unpredictable values as GUIDs for records’ IDs.

You must define string patterns using the following characters: "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?

amp;quot;.

Message

Parameter '{{core.name}}' must use exactly this pattern: '^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?

#39; as scheme.

All ID's should follow that pattern.

Examples

valid

queryParameters:
  organizationid:
    displayName: OrganizationID
    type: string
    pattern: ^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$
    example: 301b960b-6b0b-40ef-a635-ada6b13f13c8

invalid

queryParameters:
  organizationid:
    displayName: OrganizationID
    type: string
    example: 301b960b

Applies to Parameter

Constraint

Type: Declarative Validation