I have a Padrino/Sinatra project with a POST declaration for handling a critical task:
post :deletewidget do
  # widget ID is POSTed from the page and arrives in params[:widgetid]
  Widget.get(params[:widgetid]).destroy!
end
Works fine when the data is POSTed to the endpoint https://myapp.com/deletewidget with the variable widgetid set within the headers or within a form field. Padrino handles any potential CORS issues of people trying to post from anywhere outside of my app.
However, it doesn't stop a bad actor within my app POSTing and using a third party tool to modify the called URL to add a query parameter to override the ID, i.e.:
POST https://myapp.com/deletewidget?widgetid=12345
Is there any way to detect and possibly strip out query parameters to protect against nefarious actors trying the above? Or perhaps give the FORM field parameters higher priority over query parameters?
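One way to enforce the policy the question asks for, as an added example that is not from the question or from Padrino itself: keep the query-string hash and the form-body hash separate (Rack exposes them as `request.GET` and `request.POST`, which is assumed here, alongside the merged `params`), read the protected key only from the body, and reject the request outright when that key also shows up in the query string. The parsing helper and the sample inputs are constructed for the demo; `check_delete_request`, `ParamCheck` and `PROTECTED_KEYS` are hypothetical names.

```ruby
require "uri"

# Keys that must never be accepted from the URL query string on a
# state-changing request (constructed list for this example).
PROTECTED_KEYS = %w[widgetid].freeze

# Outcome of inspecting one request.
ParamCheck = Struct.new(:ok, :value, :reason)

# Decode an application/x-www-form-urlencoded string into a Hash.
# Stands in for what Rack does to build request.GET / request.POST.
def parse_form(encoded)
  URI.decode_www_form(encoded.to_s).to_h
end

# query: Hash built from the URL query string (request.GET in Rack)
# body:  Hash built from the POSTed form fields (request.POST in Rack)
# Returns ParamCheck with ok=true and the body value, or ok=false and a reason
# suitable for logging. The merged params hash is deliberately not consulted.
def body_only_param(query, body, key)
  if query.key?(key)
    # Same key present in the query string: treat as a tampering attempt.
    return ParamCheck.new(false, nil, "protected key '#{key}' supplied in query string")
  end
  value = body[key]
  return ParamCheck.new(false, nil, "missing '#{key}' in form body") if value.nil? || value.empty?
  # The widget ID is expected to be an integer; anything else is rejected.
  return ParamCheck.new(false, nil, "'#{key}' is not numeric") unless value.match?(/\A\d+\z/)
  ParamCheck.new(true, value, nil)
end

# Convenience wrapper taking raw strings, e.g. request.query_string and the
# raw form body, so the example can be exercised without a web server.
def check_delete_request(query_string, form_body)
  body_only_param(parse_form(query_string), parse_form(form_body), "widgetid")
end

# Inside a Padrino route the same check would look like (assumed wiring):
#   post :deletewidget do
#     result = body_only_param(request.GET, request.POST, "widgetid")
#     halt 400, result.reason unless result.ok
#     ...
#   end
```

Whichever source the ID is taken from, the route should still confirm that the authenticated user owns the widget before calling `destroy!`, since a query-string guard alone does not stop a logged-in user from submitting someone else's ID in the form body.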