PabloRoldan
Helper I

How to secure Dataverse/CDS request

I'm using a CDS/Dataverse connector to get a table, and it retrieves records like this (this is the HTTP traffic):

[Screenshot: PabloRoldan_0-1632430934282.png, the captured HTTP traffic]

but I can view and edit the HTTP traffic, and I can retrieve other entities (by resending the request). Is it a vulnerability? Is there a way to encrypt the payload? The same happens if I update a record: the payload is sent plain with the PATCH method and with the fields to be updated, but I can change the values or add other fields by modifying the HTTP request, because they are sent plain and I can modify them. Is there a blog, a paper, or any URL to help me figure out how to secure that? Thanks

Accepted Solution

poweractivate
Community Champion

@PabloRoldan I don't think there is any problem here. By the way, even from your screenshot, did you notice also that the requests are all HTTPS and not HTTP? The only reason you can even see them is because the Dev Inspector shows them to you by default, but if you were to check with a network packet inspector you could not see anything unless, again, you set it to decrypt on your side only (which only you, the client, can do).

There is not any vulnerability here, because if you have access to the data source you can make those edits through the API. If you did not have access (e.g. via a Security Role), the server-side enforcement would not permit it. So I do not see what exactly the problem is here?

@poweractivate, thank you for your time. I thought anyone could track the HTTP traffic and, as the requests are sent with a token generated by the API connector, that you can easily edit those requests and change values, delete, or get other tables, like in this case using the Microsoft Dataverse API directly.
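The server-side enforcement poweractivate describes, as an added illustrative model (not code from this thread and not Dataverse's own implementation): the client is free to rewrite the PATCH body or re-send a GET at another table, but every request is decided against the caller's security role held on the server. The role, table and column names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role table: privilege -> tables. The per-table column sets model
# Dataverse's column (field) level security; none of this is real Dataverse data.
ROLES = {
    "sales_rep": {
        "read": {"account", "contact"},
        "write": {"contact"},
        "fields": {"contact": {"firstname", "lastname", "telephone1"}},
    },
    "read_only": {"read": {"account", "contact"}, "write": set(), "fields": {}},
}

@dataclass
class Request:
    method: str                               # "GET" or "PATCH" as in the thread
    entity: str                               # table name taken from the URL
    body: dict = field(default_factory=dict)  # JSON body, fully under client control

@dataclass
class Response:
    status: int
    detail: str = ""

def authorize(role_name: str, req: Request) -> Response:
    """Decide a request from the server-held role table, never from the client."""
    role = ROLES.get(role_name)
    if role is None:
        return Response(401, "token maps to no known principal")
    if req.method == "GET":
        if req.entity not in role["read"]:
            return Response(403, f"no read privilege on {req.entity}")
        return Response(200)
    if req.method == "PATCH":
        if req.entity not in role["write"]:
            return Response(403, f"no write privilege on {req.entity}")
        # Reject, rather than silently drop, any column the role may not update,
        # so a body edited to add extra fields fails as a whole.
        forbidden = set(req.body) - role["fields"].get(req.entity, set())
        if forbidden:
            return Response(403, f"cannot update {sorted(forbidden)}")
        return Response(204)
    return Response(405, "method not allowed")

if __name__ == "__main__":
    # Constructed traffic: the update re-sent with an extra column, and a GET at another table.
    tampered = Request("PATCH", "contact", {"telephone1": "555-0100", "creditlimit": "1"})
    print(authorize("sales_rep", tampered))                    # 403: cannot update ['creditlimit']
    print(authorize("read_only", Request("GET", "account")))   # 200: read is allowed
```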
