Questions tagged [api]
Application Programming Interface; a set of routines, protocols, tools or endpoints used in software development.
543 questions
0 votes | 0 answers | 55 views
Issues consuming HTTP FastAPI from HTTPS-embedded widget (frontend fetch)
How can I make a frontend widget on HTTPS communicate with an HTTP FastAPI backend without CORS or mixed content issues?
I'm building a chatbot widget that's embedded into a website served over HTTPS. ...
0 votes | 1 answer | 124 views
When not to use Authorization Code Grant?
Why would an OAuth implementation choose to use the Authorization Code Grant -- when it means that the access tokens are leaked to a third party?
I've been using API keys for a package on my server to ...
0 votes | 0 answers | 113 views
How to assess poor OAuth security implementations?
What questions should I ask to determine if a given OAuth implementation is secure?
I've been using a WordPress plugin for payments that authenticates with the payment gateway with an API key. I like ...
0 votes | 2 answers | 222 views
Is there a way to limit web server access by domain?
Currently, there is no way to use the OpenAI API (ChatGPT) from the frontend without exposing your secret key.
I wonder if there is a way to solve this. My thinking is: I would create a web server ...
2 votes | 0 answers | 74 views
Can SELinux restrict who can call a specific TEE UUID
I'm investigating how to control access to an API a TEE application presents.
I believe I can use SELinux to control which kernel modules can access the client TEE library, but I need finer-grain ...
2 votes | 1 answer | 100 views
Risks associated with client writes to queue
For higher API request volumes, some APIs will offer some form of batch API requests (e.g. 1, 2). These allow for one HTTP(S) call to send many effective requests, freeing up network resources and ...
0 votes | 1 answer | 141 views
What is the purpose of Yubico API client ID?
The Yubico PAM module requires one to specify the id (API client ID) parameter obtained from the Yubico API key signup page. For example:
auth sufficient pam_yubico.so id=1234 authfile=/etc/yubikey_mappings ...
1 vote | 1 answer | 215 views
Web Server API returns Hacked webpage when Unity Project makes API call
We currently have a Linux/Apache/SQL web server that has API access for our app in the Meta store (Quest 2 & 3).
When I manually type in the address in Chrome (desktop computer) I get the proper API ...
8 votes | 1 answer | 5k views
How can I block localhost access from other computers on the same local network?
I have an offline app that serves a localhost server while it is running. Other computers on the same local network can access this server through 192.168.x.xxx.
I want to block them from accessing ...
0 votes | 1 answer | 261 views
Is there an automated way to generate a valid API request from Swagger docs?
I am doing a pentest which includes an API and all I have access to is Swagger UI docs. The Swagger docs don't show me real-world data in the examples, nor do they offer a "try request" ...
1 vote | 1 answer | 177 views
ReDoS - Vulnerability found, but DoS not possible
I have an API which is protected by AWS CloudFront. I found a ReDoS in one of my API endpoints. The endpoint looks like this:
https://mywebsite.com/api/myendpoint?apikey=xxxx&namefilter=yyyy
The ...
0 votes | 0 answers | 67 views
Can non-rotatable secrets be stored in ciphertext form in a DB/file/etc.?
We have a service running on AWS. This service uses secrets such as API keys of third party services (in other words: secrets which do not rotate automatically). These secrets are stored in AWS ...
0 votes | 1 answer | 512 views
Using mTLS for API access control and authentication
My question is about using mTLS for API access control and authentication.
I understand in mTLS, both the server and client (making the API request) will verify each other's identity. This allows the ...
1 vote | 1 answer | 86 views
Encrypted ids to break inter-service dependencies
Let's say I have "transactions" and "users" services managing transaction and user data respectively. A transaction record only has the sender's user id, but on display I want to show the sender's email. I also ...
0 votes | 2 answers | 383 views
Which tool to use to automate REST API pentest
I want to run an automated REST API pentest, and I want to integrate my test into a CI/CD pipeline. Note: I have the OpenAPI specification of the APIs that I want to test.
My automated test will be ...