rest – Page 3 – WindowsTechs.com

How do you call REST API resource unintentional field modifying?

Posted on June 20, 2022 by Venomed

Today I stumbled on a potential vulnerability where I could change my profile rank. I’m pretty sure that should not be allowed for regular users.
Let’s say, for example; I got an account profile endpoint:
https://example.com/api/account/pr… Continue reading How do you call REST API resource unintentional field modifying?→

Path traversal in REST style URLs?

Posted on June 4, 2022 by Charlie

Can path traversal vulnerabilities occur in REST style URLs?
For example: https://x.com/filename/img.jpeg
https://x.com/filename/../../../../../etc/passwd

Does this make sense ?

Continue reading Path traversal in REST style URLs?→

REST API behind proxy, is TLS sufficient?

Posted on May 12, 2022 by Frederik

I have the following problem:
A service provides a REST API. Different kinds of clients (desktop applications, mobile applications, web applications) connect to this API and send and receive data. In front of the REST API is a web server (… Continue reading REST API behind proxy, is TLS sufficient?→

Why REST APIs that do not use RSA encryption to secure API keys?

Posted on April 21, 2022 by jojupiter

After using many APIs, I noticed that most of them offer 2 keys: API Key and Secret Key.
The secret key is used to sign the request body with HASHAGE algorithm, the most used is HMAC SHA256. This technique is used by financial platforms li… Continue reading Why REST APIs that do not use RSA encryption to secure API keys?→

use md5 hashed guid as app login and REST interface

Posted on April 18, 2022 by theking2

We are planning to use a md5 hash of a user guid to confirm access to a GET, POST, PUSH, DELETE rest – api. All communication is over a secured https channel. The REST api is programmed to resist XSS and obviously injection problems (but p… Continue reading use md5 hashed guid as app login and REST interface→

DNS spoofing an API? [duplicate]

Posted on March 30, 2022 by bbartling

Could someone DNS spoof REST API communication between a client device POST to a server URL running a XML-based API on HTTPS?
If a man-in-the-middle for client device(s) POSTing to the server on a scheduled frequency where all REST API com… Continue reading DNS spoofing an API? [duplicate]→

Security Practices for a React App – Node.js – Notion REST API Pipeline

Posted on February 21, 2022 by dingus_user

I’ve been thinking about security practices for a personal project where I would create content on a Notion account and have a Node.js middleware server that’ll act as a REST API that allows anybody to access that Notion content while prot… Continue reading Security Practices for a React App – Node.js – Notion REST API Pipeline→

Impact of setting allowUrlEncodedPercent to true in StrictHttpFirewall

Posted on January 17, 2022 by R. Aubel

I need to implement a public REST API that manipulates usernames.
So I have an endpoint that looks like GET http://…/api/users/<username> where username can contain special characters (slashes, percents…) that are URL encoded (e…. Continue reading Impact of setting allowUrlEncodedPercent to true in StrictHttpFirewall→

Impact of setting allowUrlEncodedPercent to true in StrictHttpFirewall

Posted on January 17, 2022 by R. Aubel

CSRF and XSS Protection with a Static Site and REST API

Posted on January 16, 2022 by Naftuli Kay

I’m building an application which will support both browser and application access to REST resources.

Applications will POST a username/password JSON body to a login endpoint which will return a signed JWT token in the response body. This… Continue reading CSRF and XSS Protection with a Static Site and REST API→