Security of addOfflineDonation API
Hi,
I was reviewing the API documentation for adding offline donations and I am concerned with how we’d be sending this. The below screenshot indicates an unauthenticated POST request with donor info passed in the URL which is not secure. Sending sensitive data via URL parameters is considered to be a security vulnerability as it increases the exposure of the data (OWASP Resource for reference). The data may end up stored on systems such as proxy servers and other intermediary systems, in which case HTTPS/TLS will not protect it.
Is it possible to send this data via POST Body instead?
Comments
Hi @Elizabeth Favre. I saw you were helpful in answering a previous question relating to this API. Would you be able to help us out here? If not, do you know who we can reach out to about this?
@Chariot Developers
Thanks for reaching out. Let me do some research and I'll get back to you.
@Chariot Developers
Thanks again for this great question! I reached out to our amazing Luminate Online dev team and they had some answers for us both.
In the docs, Requires Authentication says No, but in reality authentication is required. This is a server call which requires login and password. It is recommended that permissions be limited via API Administrator accounts.
Regarding the use of personal data in URL calls, I am told that this page includes examples of putting parameters in the body of a message rather than the URL. To be honest, this bit of the feedback was a bit over my head. I need to reread this page a couple more times to really understand it. That might mean I need more coffee or, more likely, that we should make this bit of content more accessible. I am adding a review of this content to our product backlog.
Please let me know if you need more information. And please continue to let us know when the documentation needs to be more clear. That really helps us and the community.
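The fix the answer above describes, the same POST with the credentials and donor fields moved out of the URL query string into the form-encoded body, as an added example for this thread. This is not code from Blackbaud or from the Luminate Online documentation: the host, the servlet path and the field names are assumptions made for illustration, and the request is only constructed, never sent. The helper `leaked_fields` shows the practical check: after the move, nothing sensitive is left in the part of the request that proxies, access logs and Referer headers record even when TLS is in use.

```python
"""Compare two ways of issuing the same POST: donor fields in the URL query
string (the pattern the question objects to) versus in the form-encoded body
(what the answer recommends). Added example for this thread, not code from
Blackbaud or the Luminate Online documentation; the host, servlet path and
field names below are assumptions made for illustration."""
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

# Assumed endpoint; a real deployment would use its own Luminate host.
ENDPOINT = "https://secure.example.org/site/SRDonationAPI"

# Fields that should never appear in a URL: credentials and donor PII.
# Names are assumptions for this example.
SENSITIVE_FIELDS = {
    "login_password", "first_name", "last_name", "email", "street1", "zip",
}

# Constructed sample call; every value here is made up.
DONOR = {
    "method": "addOfflineDonation",
    "login_name": "api_admin",
    "login_password": "s3cret",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "email": "ada@example.org",
    "street1": "12 Example Rd",
    "zip": "90210",
    "amount": "25.00",
}

FORM = "application/x-www-form-urlencoded"


def build_request(params: dict, in_body: bool) -> Request:
    """Build a POST carrying `params` either in the query string (in_body=False)
    or in the request body (in_body=True). The request is only constructed."""
    encoded = urlencode(params)
    if in_body:
        return Request(ENDPOINT, data=encoded.encode("utf-8"), method="POST",
                       headers={"Content-Type": FORM})
    # Everything in the URL: POST verb, but the body is empty.
    return Request(f"{ENDPOINT}?{encoded}", data=b"", method="POST",
                   headers={"Content-Type": FORM})


def url_fields(req: Request) -> set:
    """Field names visible in the request URL. This is the part that ends up
    in proxy logs, web-server access logs and Referer headers even over TLS."""
    return set(parse_qs(urlparse(req.full_url).query))


def body_fields(req: Request) -> set:
    """Field names carried in the POST body, which TLS does protect in transit."""
    return set(parse_qs((req.data or b"").decode("utf-8")))


def leaked_fields(req: Request) -> set:
    """Sensitive fields a request exposes in its URL; an empty set means none."""
    return SENSITIVE_FIELDS & url_fields(req)


if __name__ == "__main__":
    for in_body in (False, True):
        req = build_request(DONOR, in_body)
        print(f"in_body={in_body}: url carries {sorted(url_fields(req))}, "
              f"leaks {sorted(leaked_fields(req))}")
```

Note that the body variant still needs TLS: moving fields into the body keeps them out of URL-based logs, it does not encrypt them. The login credentials should also be those of a least-privilege API administrator account, as the answer recommends, so that a leaked request grants as little as possible.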
This is exactly what we were looking for (namely the second part about being able to put the query parameters of the API in the request body)! Thank you so much - this is very helpful.