Questions tagged [url]

223 questions
132 votes, 10 answers

Should I contact the manufacturer if their product allows access to other users' location information?

I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness. While testing out my product, I noticed that the URL was constructed as…
Lil' Bits
127 votes, 4 answers

Is it safe to include an API key in a request's URL?

Lately I've seen plenty of APIs designed like this: curl "https://api.somewebsite.com/v1/something&key=YOUR-API-KEY" Isn't it elementary that passing an API key in a query string as a part of the URL is not secure at least in HTTP.
Incerteza
102 votes, 5 answers

Can I safely preview a short link?

There are a lot of different URL shorteners out there, like Bitly or TinyURL. Besides their main purpose of shortening a link, they also: obfuscate the actual URL; collect statistics about the usage of the short link. From the obfuscation, at least…
stackprotector
93 votes, 8 answers

Can secret GET requests be brute forced?

Say, I have on my server a page or folder which I want to be secret. example.com/fdsafdsafdsfdsfdsafdrewrew.html or example.com/fdsafdsafdsfdsfdsafdrewrewaa34532543432/admin/index.html If the secret part of the path is quite long, can I assume…
Kargari
86 votes, 8 answers

What attacks are made possible by public release of my web history?

Assume that my Internet history is made public (accidentally or on purpose). And this release is over 24 hours since the visits were made. Also, assume that there aren't embarrassing sites on there: there isn't any blackmail potential. (My most…
Joe
62 votes, 3 answers

Security risks of fetching user-supplied URLs

We are considering adding the following feature to our web application (an online product database, if it matters): Instead of uploading an image, the user can provide the (self-hosted) URL of an image. We store the URL instead of the image. So…
Heinzi
51 votes, 6 answers

Should a bank/financial service use external URL shortener services?

Say there is a bank/financial service that wants to have hyperlinks on their secure website/domain (or even in emails they send out to customers). In some of these links there are some long/obscure URLs which link to one of their subdomains, but the…
hPNJ7MHTyg
49 votes, 1 answer

In SQL injections why do they put "-- -" at the end of the URL?

I understand when they put a + at the end, URL treats it like a space. I want to know what -- - does. I do know what the "double dash" does. Including the double dash with a "space at the end". I specifically want to know what a dash-dash-space-dash…
Linux Newbie
36 votes, 3 answers

Is HTTPS URL in plain text at first connection?

Let’s say I have never connected to the site example.com. If this site is https and I write https://example.com/supersecretpage will the URL be sent in clear text since it's the first time I connect to the site and therefore the crypto keys were not…
user104545
32 votes, 5 answers

Is there any security benefit from emailing a "secure link"?

Sometimes I receive email messages from organisations I'm involved with saying something like: "Alice at AnyCo has sent you a secure message", along with a link to access said message. Sometimes I'm then asked to create an account. The last one even…
James Bradbury
29 votes, 3 answers

Generating one time URLs which can be revoked

I have a requirement to generate a one time use URL which should have the following features: As the URL query parameters may contain sensitive information, it should be encrypted (on top of https encryption). Once used, the URL cannot be used…
Rao Nagaraj
26 votes, 4 answers

Could receiving a URL link, not clicking on it, ever pose a security problem?

Could receiving in a text or an email, a URL link just like https://security.stackexchange.com/questions/ask of a website, which could be a pernicious one, ever pose a security problem at all? What I am asking is that: if I receive such a link but…
Hans
23 votes, 3 answers

Browser is accepting italic/bold Unicode as part of SPAM email's URL

This is truly crazy. I received a SPAM email in which there is a URL crafted from apparent Unicode characters that surprisingly exist for italic/bold letters, which when I reported it to Google's spam collector using Thunderbird's Report Spam Email…
asker13
23 votes, 3 answers

What's a "safe" URL shortening algorithm?

The situation: Currently, we are sending out emails and SMS to our users, which include a link to a form that each user has to fill out on a regular basis (an "eDiary"). As we need to be able to authenticate and authorize the user accordingly, we…
BenSower
22 votes, 2 answers

Can JavaScript execution from address bar cause any harm to client's machine?

Given the fact that modern browsers these days prohibit JavaScript from having access to any resources on the client's machine, does JavaScript execution from the address bar pose any threat at all to the client's machine (the machine the browser is…
gurvinder372