Collaborate Disseminate
I am architecting a passwordless REST API where public/private keys are the primary form of authentication. In order to create a new session you must prove that you hold the private key to the public key tied to the user.
As… Continue reading Security risks on returning encrypted JSON web token without prior authentication
I tried to consume an API from outside application which implemented CSRF. So I need to pass the CSRF token value to access their API.
1. 1st API – getting CSRF token.
2. 2nd API – POST request, passing the CSRF token. But g… Continue reading Getting 403 forbidden error while using csrf with POST request
I’m looking at the following setup. A web application uses a REST API to communicate with the server. All API responses include Origin: *. For authorization Authorization: Bearer <token> is used. Access-Control-Allow-He… Continue reading Exploitability of allowed wildcard (*) CORS Origins with Bearer Token Authorization
It is generally advised not to make large number of calls to a REST API backend. I am talking in the tune of hundreds of thousands of API calls.
While I understand that the backend these days have guards in place to prevent … Continue reading Making large number of calls to REST APIs
I’m developing REST APIs and would like to know if Basic Authentication will be enough to secure them, or if I should be looking into other authentication methods, like OAuth2. My APIs are setup to only be accessed by a limit… Continue reading REST API Basic Authentication Use Case
I am creating a platform which is based on REST APIs. My platform has apps and web both.
I don’t want to make my APIs public and want that my APIs can be used by my own clients (app and web) only.
I can use the secret key s… Continue reading How to secure apis so that it can be used by my app and web only
All pen testing applications I’ve been able to find so far seems to rely upon “hooking up” to a browser. The problem we have is that our automation tests simulate the browser since it’s only executing REST calls and we peel o… Continue reading Is there a way to perform penetration testing on traffic coming into a specified port?
In my scenario, I have an Android mobile application which calls my back end REST services. I want prevent other application to call my back end REST services.
If I use certificate and shared key as well as obfuscating my app… Continue reading Preventing an unauthorized mobile application from calling REST back end services
I am planning to develop an authentication service which generates and validates the JWT token for incoming requests. What would be the best challenge mechanism which could be employed to generate the JWT token?
Since the re… Continue reading what would be the best approach to generate JWT token for server to server communications?
I have been asked to perform a pentest on a website from a company. I was analyzing the javascript files they were using, and I found a link pointing to:
https://www.googleapis.com/customsearch/v1/siterestrict
I also found … Continue reading Should I report this Google API key disclosure issue or not?