PabloRoldan
Helper I

How to secure Dataverse/CDS request

I'm using a CDS/Dataverse connector to get a table, and it retrieves records like this (this is the HTTP traffic):

[screenshot: PabloRoldan_0-1632430934282.png]

But I can view and edit the HTTP traffic, and I can retrieve other entities (by resending the request). Is it a vulnerability? Is there a way to encrypt the payload? The same happens if I update a record: the payload is sent in plain form with the PATCH method and the fields to be updated, but I can change the values or add other fields by modifying the HTTP request, because they are sent in plain form and I can modify them. Is there a blog, a paper, or any URL to help me figure out how to secure that? Thanks.
1 ACCEPTED SOLUTION
poweractivate
Community Champion

@PabloRoldan I don't think there is any problem here. By the way, even from your screenshot, did you notice that the requests are all HTTPS and not HTTP? The only reason you can even see them is that the Dev Inspector shows them to you by default; if you were to check with a network packet inspector, you could not see anything unless you set it to decrypt on your side only (which only you, the client, can do).

There is not any vulnerability here, because if you have access to the data source you can make those edits through the API. If you did not have access (e.g. a Security Role), the server-side enforcement would not permit it. So I do not see what exactly the problem is here?

2 REPLIES

@poweractivate, thank you for your time. I thought anyone could track the HTTP traffic and, as the requests are sent with a token generated by the API connector, you could easily edit those requests and change values, delete, or get other tables, like in this case using the Microsoft Dataverse API directly.
