In my web application, I have a backend that provides the APIs and a frontend application that consumes them.
As per OWASP application security verification standard:
The application will only process business logic flows in sequential step order, with all steps being processed in realistic human time
Since we are using backend APIs for submitting the data from the frontend application, how can we ensure it's processed only in realistic human time?
If it's a single application, maybe we can check the time difference between rendering and submitting the form; since we are using APIs, I am not sure how we can check this.
Let's assume the following. We have a three-step process. The steps are the following:
We want to make sure that no one triggers step 2 before step 1, and that nobody triggers step 2 milliseconds after doing step 1.
If we are stateful (because we use, e.g., a server session to store data), then the solution is easy. Let us store in the session that the last step the user did was step 1, and include the timestamp. When doing step 2, we validate the data stored in the session before.
If we want to be stateless, then we can move the information that the user did step 1, with some timestamp, to the client, but sign it with a message authentication code (MAC). Here we will face the obvious flaw that the user can try to reuse such data and fabricate many calls to step 2 after doing step 1 only once. To fix this we would need to go deeper and include some hard-to-guess transaction IDs that we are able to validate too. This would make the whole solution kind of problem-specific.
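The stateless variant described in the answer above, worked through as an added example (this is not the answerer's code and not from any project): after step 1 the API hands the client a token carrying the user, the completed step, a timestamp and a random transaction nonce, authenticated with an HMAC under a server-side key. The step 2 endpoint verifies the MAC, checks that the previous step is the expected one, rejects submissions that arrive faster than a minimum "human" delay (and older than a maximum), and consumes the nonce so the same token cannot be replayed to fabricate many step 2 calls from one step 1. The key, the 2-second minimum and 30-minute maximum, the user binding and the in-memory nonce set are all assumptions made for the example; a real deployment would keep the consumed nonces in a shared store such as a database or Redis.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side secret; in a real service load it from a key store.
SECRET_KEY = secrets.token_bytes(32)

# Assumed thresholds: faster than this is not "realistic human time",
# slower than this and the flow is considered abandoned.
MIN_HUMAN_SECONDS = 2.0
MAX_FLOW_SECONDS = 30 * 60

# Consumed transaction nonces. Assumption: single process; a real service
# would use a shared store (DB/Redis) with an expiry of MAX_FLOW_SECONDS.
_used_nonces = set()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(body: bytes) -> bytes:
    return hmac.new(SECRET_KEY, body, hashlib.sha256).digest()


def issue_step_token(user_id: str, completed_step: int, now: float = None) -> str:
    """Called by the step N endpoint on success: returns 'payload.mac'."""
    now = time.time() if now is None else now
    payload = {
        "user": user_id,
        "step": completed_step,
        "ts": now,
        "nonce": secrets.token_hex(16),  # hard-to-guess transaction ID
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64encode(body) + "." + _b64encode(_mac(body))


def validate_step_token(token: str, user_id: str, expected_prev_step: int,
                        now: float = None):
    """Called by the step N+1 endpoint. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body_s, tag_s = token.split(".", 1)
        body, tag = _b64decode(body_s), _b64decode(tag_s)
    except Exception:
        return False, "malformed"
    # Constant-time MAC check: anything not issued by us is rejected here.
    if not hmac.compare_digest(_mac(body), tag):
        return False, "bad mac"
    payload = json.loads(body)
    # Bind the token to the authenticated caller so it cannot be lent out.
    if payload["user"] != user_id:
        return False, "wrong user"
    # Sequential order: the token must prove exactly the previous step.
    if payload["step"] != expected_prev_step:
        return False, "out of order"
    elapsed = now - payload["ts"]
    if elapsed < MIN_HUMAN_SECONDS:
        return False, "too fast"
    if elapsed > MAX_FLOW_SECONDS:
        return False, "expired"
    # Single use: the same step 1 cannot be turned into many step 2 calls.
    if payload["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    tok = issue_step_token("alice", 1, now=1000.0)
    print(validate_step_token(tok, "alice", 1, now=1000.5))   # too fast
    print(validate_step_token(tok, "alice", 1, now=1003.0))   # ok
    print(validate_step_token(tok, "alice", 1, now=1004.0))   # replayed
```

The order of the checks matters: the MAC is verified before the payload is parsed, so untrusted JSON is never decoded, and the nonce is only marked as consumed once every other check has passed, so an attacker cannot burn a legitimate user's token by submitting it too early.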