Collaborate Disseminate
I am working on a data processing task in an enterprise environment with Python3 installed on a client-side Windows Jump server.
The data, which I need to download regularly from a third-party provider, is accessed via a REST API.
The busi… Continue reading Log REST API calls in the most auditable way
I read that book websockets are slower than api request if rate of request is Slow. This got me thinking about difference in their overhead, I couldn’t find the actual overhead for websocket, so I am asking question.
In my new team, we use the API of our internal clients, whose request calls and responses contain names of our accounts with the client – for example: dingobiscuits.vodafone.com/data/fetch-something
And some error messages read detailed co… Continue reading API – exposing implementation names, and other details
I have a problem deciding what is the most secure method to send a login request with a username and password strings, I understood that PATCH is less secure than PUT while both are less secure than POST, would it be more sensible then to … Continue reading PATCH request on a login attempt
I am trying to write an automated test that runs on all exposed APIs on a server and checks each endpoint for vulnerabilities.
The problem is the server I am testing always has new APIs exposed, so I want my test to automatically detect ne… Continue reading Can Burp detect new REST APIs exposed on a server
It’s sometimes convenient to generate ids client-side in a typical CRUD app.
The main benefit is for optimistic updates: you can update your client state with the right id without waiting for the response.
Examples:
The id is used in some… Continue reading What security issues could occur when generating ids on the client?
I have a web app that collects user SSN and driver license number. A POST API via HTTPS send the data to the server. Can I use plain text to transfer the data? Is it safe enough? Is it in accordance with the laws in the US?
Continue reading Can I send confidential information in plain text via an HTTPS POST method?
There is the OWASP Top 10 which is the most known one: https://owasp.org/www-project-top-ten/
And there is the OWASP Top 10 API: https://owasp.org/www-project-api-security/
Both lists are very similar, so I am confused why there are 2 list… Continue reading What is the difference between OWASP Top 10 and OWASP Top 10 API
I’ve recently had a conversation with a colleague (in a new job for me) around access to client’s servers which are deployed in their premises.
They have said that allowing ssh access to those servers is something that any CISO would run f… Continue reading Leaving SSH access to deployed on prem server — why is this bad?
As the title says, I want to create a RESTful API (stateless) that will access Google API endpoints. First I want to authenticate the user and then use that token provided by Google to access Google Calendar API.
This is the current flow o… Continue reading RESTful API with Google API and OAuth2