
Warning about API and web form exploits

Posted: Sun Aug 23, 2015 1:58 pm
by Kent Briggs
A situation came up recently from a customer who was seeing unauthorized "set balance" records in his event log. Without publicly giving up too much detail, the source of the exploit came from their own web site that accepted user input, which was used to pass parameters to an API call. If you have similar code on your own site, make sure you are scrubbing those user inputs for parameter injection.
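The parameter injection described in the post, shown as an added example that is not part of the original post or the vendor's code: raw form input concatenated into a form-encoded API request, next to a builder that allow-lists and encodes the value. The parameter names (`Command`, `Player`, `Extra`), the `GetBalance` command and the name pattern are hypothetical, since the post does not name the API.

```python
import re
from urllib.parse import urlencode, parse_qs

# Hypothetical allow-list for a player name; adjust to what the site accepts.
PLAYER_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")
EXPECTED = ("Command", "Player")


def build_unsafe(player: str) -> str:
    """The risky pattern: form input concatenated straight into the body."""
    return "Command=GetBalance&Player=" + player


def build_safe(player: str) -> str:
    """Allow-list the value first, then let urlencode() escape it."""
    if not PLAYER_RE.fullmatch(player):
        raise ValueError("player name contains characters outside the allow-list")
    return urlencode({"Command": "GetBalance", "Player": player})


def params_seen_by_api(body: str) -> dict:
    """Parse the body the way a form-encoded endpoint would."""
    return parse_qs(body, keep_blank_values=True)


def has_injected_params(body: str, expected=EXPECTED) -> bool:
    """True if the body carries unexpected or repeated parameters."""
    parsed = params_seen_by_api(body)
    return any(k not in expected or len(v) != 1 for k, v in parsed.items())


# Constructed form input: the '&' turns one field into two parameters.
SAMPLE_INPUT = "alice&Extra=1"

if __name__ == "__main__":
    body = build_unsafe(SAMPLE_INPUT)
    print(body, params_seen_by_api(body), has_injected_params(body))
    try:
        build_safe(SAMPLE_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
    print(build_safe("alice"))
```

The same `has_injected_params` check can be run over logged request bodies to spot calls that carried parameters the web form never sends.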