rest – Page 11 – WindowsTechs.com

Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

Posted on October 25, 2019 by DylanSp

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinki… Continue reading Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?→

Windows Account Password Resetting process for large network

Posted on October 22, 2019 by Infra

I am working on large windows based network environment (Active Directory) and I have a requirement of implementing clear and secure password reset process for windows user. Especially management requested to use same process for all appli… Continue reading Windows Account Password Resetting process for large network→

How to protect against injection into a 3rd party REST API?

Posted on October 15, 2019 by Ilya Chernomordik

I have a 3rd party API that I need to connect to and they allow queries that can be formed by changing url parameters.

E.g. /data?startDate=2019-01-01 or /data?name=’John Doe’

It is easy to form these queries by concatenating strings, bu… Continue reading How to protect against injection into a 3rd party REST API?→

Secure Android App Public API

Posted on September 30, 2019 by Tom

I am facing a programming challenge which I do not know how to solve in a most appropriate way.

We are programming an Android App which is using an API we are providing for this purpose.

While the data the api is providin… Continue reading Secure Android App Public API→

XSS in rest base url [on hold]

Posted on September 28, 2019 by Krishna Sharma

I am trying to perform xss in REST style url. Example:

http://example.com/pro/xssinput.

So the part after domain is reflecting inside script tag. URL encoding not worked.

Continue reading XSS in rest base url [on hold]→

Is using an access token for authentication a bad idea

Posted on September 20, 2019 by Anton Litvinov

Is it right that if there is a malicious browser extension allowed to “Read and change all your data on the websites you visit.” on the users’s machine an access token can be potentially leaked no matter how securely you stor… Continue reading Is using an access token for authentication a bad idea→

JWT vs custom encryption for REST APIs over https

Posted on September 11, 2019 by Yuganka Sharan

For our REST API architecture, we are currently thinking over two options –

Json Web Token – pros are that it is industry standard, we pass a key which adds a layer of access control and using which we can also add secondar… Continue reading JWT vs custom encryption for REST APIs over https→

How to protect API that should be accessible to everyone?

Posted on September 6, 2019 by Alexey Vinogradov

I have some API that should be accessible from a very long list of devices (some of them can reach my Oauth2 server and get some token, some of them cannot).

These devices are mobile phones (IOS, Android) and in the future c… Continue reading How to protect API that should be accessible to everyone?→

Security aspect in the API gateway area

Posted on August 28, 2019 by Mornon

I am currently planning security testing procedures within an API gateway. We want to define in advance what we expect to be covered on the security level.

Scanning REST APIs
(see http://docs.w3af.org/en/latest/scan-rest-api… Continue reading Security aspect in the API gateway area→

Does Using Opaque Access Tokens Make My Server Stateful?

Posted on August 23, 2019 by Prashant Pandey

I am trying to understand statelessness in restful APIs in the context of authentication. Here’s the scenario:

The user logs in.
The server verifies the username and the password, and generates an opaque access token. It ca… Continue reading Does Using Opaque Access Tokens Make My Server Stateful?→