rest – Page 5 – WindowsTechs.com

OWASP Pentest – "Sensitive data sent in clear text" [closed]

Posted on October 6, 2021 by PeS

We have our web app / REST API getting tested by potential customer. In the report they came up with this issue:

Sensitive data like user credentials on login page, password reset,
change password etc. are sent in clear text format. If se… Continue reading OWASP Pentest – "Sensitive data sent in clear text" [closed]→

Do I need to authenticate a user on WhatsApp when using twilio?

Posted on September 15, 2021 by chaulap

We are building an online shop using django. We have developed an API for our application to interact with Twilio. This is so users can buy products on WhatsApp from our application. I want to know what could go wrong with this setup.
When… Continue reading Do I need to authenticate a user on WhatsApp when using twilio?→

Is REST endpoint with HTTPS not enough to avoid sniffing attacks? [closed]

Posted on September 9, 2021 by Durgendra

My Endpoint is accompanied by HTTPS but if I post user credentials via this endpoint, how is it vulnerable to sniffing attacks? Is endpoint with HTTPS not enough or some other implementations are also required?
If I POST user credential vi… Continue reading Is REST endpoint with HTTPS not enough to avoid sniffing attacks? [closed]→

Is masking JWT custom claims a good practice?

Posted on August 31, 2021 by Felipe Emerim

We use JWT tokens in our Rest API(Bank API) authentication with a normal payload like:
{
"user_id": "cdda338f-50e2-4e14-9f84-33b8a158db9f",
"tenant_id": "cdda338f-50e2-4e14-9f84-33b8a158db9e",
… Continue reading Is masking JWT custom claims a good practice?→

How to authenticate OAuth2 confidential client is making a REST call?

Posted on July 21, 2021 by Matthew McPeak

We are looking to implement some REST services to be called from partner servers (not end users via a browser).
The out-of-the-box implementation seems to flow thusly:

Partner server passes a client id and client secret to our OAuth serve… Continue reading How to authenticate OAuth2 confidential client is making a REST call?→

Can one send data securely to a REST API endpoint

Posted on July 21, 2021 by run_the_race

Say I have an endpoint to create a username:

https://example.com/api/create_user/foo/1234/ or
https://example.com/api/create_user/?name=foo&token=1234

Where username = foo and the api token is 1234:
Surely since foo and 1234 is encod… Continue reading Can one send data securely to a REST API endpoint→

Basic authentication after mTLS?

Posted on June 17, 2021 by Errol Neal

I work for a software company and I’m currently doing research for an enhancement request. Essentially we have a application client which talks to a rest end point which is authenticated using basic authentication over SSL. A client is re… Continue reading Basic authentication after mTLS?→

REST App with Hydra

Posted on June 8, 2021 by Wilhelm

I tried making a Hydra attack against a rest application locally. However I find it difficult adding the headers (especially the cookie) to the command.
The request that shows on browser is as it follows:
POST /rest/user/login HTTP/1.1
Hos… Continue reading REST App with Hydra→

REST API with OAuth-Authorization running in different domains

Posted on June 3, 2021 by Beltway

We are attempting to set up authentication for a Web-API (build on .NET Core) that is being hosted on different domains, mostly within the the respective intranets. Currently relying on Windows Authentication, an alternative/fallback solut… Continue reading REST API with OAuth-Authorization running in different domains→

Access Control for REST APIs – OWASP recommendation

Posted on May 14, 2021 by Eduardo Bueno

OWASP states:

Non-public REST services must perform access control at each API
endpoint. Web services in monolithic applications implement this by
means of user authentication, authorisation logic and session
management. This has several … Continue reading Access Control for REST APIs – OWASP recommendation→