Collaborate Disseminate
I am doing a research on an app which has some secret ID. I see that the source code of the app has the secret ID hardcoded inside and the API to request for the access token has just this Secret ID as its query parameter. So ideally it is… Continue reading What is the significance of an app leaking its access token – knowingly/unknowingly with just read access
I don’t have formal CS education but i’ve written one or 2 little websites. I have troubles communicating even in my native language but i hope this is understandable.
With simple i mean something like we have a single server to authentica… Continue reading What would be the most complete procedure to get a simple login system working securely?
I’m facing a similar situation where I need to store users’ access tokens, but I’m not sure how to securely store them in the server.
I’ve only ever used a security manager for my tokens, and salt hashing passwords but I need to decrypt th… Continue reading When apps like CI/CD require your github access token, how do they store it securely?
while fuzzing a public APK file for a bug bounty I came across a file awsconfiguration.json with some pretty promising data. However after reading here https://docs.aws.amazon.com/pdfs/appsync/latest/APIReference/appsync-api.pdf#Welcome a… Continue reading AWS AppSync awsconfiguration.json file found in prod apk, is it a security issue and how to verify api key
So I wrote the following logic for my web app:
When a user interacts with the website it initiates a Backend call. In the backend every endpoint has multiple middlewares, of which there is a JWT verification step, if it succeeds it goes to… Continue reading Is there any danger in refreshing JWT tokens directly without a refresh token?
I have just created a GitHub repository for my answers to the Project Euler questions/puzzles and within seconds of uploading it publicly a user created a fork of my repository called "dawn-token-grabber-1228".
I reported it to G… Continue reading Suspicious fork of my GitHub repository [closed]
When doing local development, I have to export a token needed for downloading dependencies from a private repository. For example:
export NPM_TOKEN=token_value
I want to make sure that this token is not stored in the shell history (that’s… Continue reading Securely loading private tokens on a local machine
I am using Oauth1 to connect to NetSuite Restlet API for multiple customers.
To do so I make use of these values to authenticate and sign the request
API URL (unique per customer)
Realm (unique per customer)
ConsumerToken (64 char hexade… Continue reading OAuth1 tokens: Is consumerToken and ConsumerSecret considered a secret value
Are there any advantages to using SSH keys vs. a PAT when interacting with a site like Github?
Github claims SSH keys are a way to not have to enter your username + password (personal access token) with every interaction, however, my Keych… Continue reading PAT vs. SSH – Why Bother with SSH?
I’m asking myself what are the benefits of refresh token over saving the user password (securely) on user device and perform a transparent login (background) with its credentials to get a fresh new access token?
Note: you would have to “id… Continue reading Auto-login (password stored on device) vs refresh token