Highest Voted 'url' Questions - IT Security Stack Exchange

132

votes

10 answers

Should I contact the manufacturer if their product allows access to other users' location information?

I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness. While testing out my product, I noticed that the url was constructed as…

asked Jan 09 '17 at 21:18

Lil' Bits

1,153
2
8
9

127

votes

4 answers

Is it safe to include an API key in a request's URL?

Lately I've seen plenty of APIs designed like this: curl "https://api.somewebsite.com/v1/something&key=YOUR-API-KEY" Isn't it elementary that passing an API key in a query string as a part of the URL is not secure at least in HTTP.

tls http url

asked Mar 30 '16 at 08:34

Incerteza

2,177
3
15
22

102

votes

5 answers

Can I safely preview a short link?

There are a lot of different URL shorteners out there, like Bitly or TinyURL. Besides their main purpose of shortening a link, they also: obfuscate the actual URL collect statistics about the usage of the short link From the obfuscation, at least…

url-redirection url obfuscation

asked Sep 22 '21 at 06:55

stackprotector

1,621
3
6
15

93

votes

8 answers

Can secret GET requests be brute forced?

Say, I have on my server a page or folder which I want to be secret. example.com/fdsafdsafdsfdsfdsafdrewrew.html or example.com/fdsafdsafdsfdsfdsafdrewrewaa34532543432/admin/index.html If the secret part of the path is quite long, can I assume…

brute-force url physical-access path-injection

asked Jun 19 '18 at 04:57

Kargari

911
1
6
5

86

votes

8 answers

What attacks are made possible by public release of my web history?

Assume that my Internet history is made public (accidentally or on purpose). And this release is over 24 hours since the visits were made. Also, assume that there aren't embarrassing sites on there: there isn't any blackmail potential. (My most…

web-browser url

asked Dec 11 '18 at 19:42

Joe

823
1
6
9

62

votes

3 answers

Security risks of fetching user-supplied URLs

We are considering to add the following feature to our web application (an online product database, if it matters): Instead of uploading an image, the user can provide the (self-hosted) URL of an image. We store the URL instead of the image. So…

web-application appsec vulnerability url

asked Apr 25 '20 at 09:48

Heinzi

2,914
2
21
25

51

votes

6 answers

Should a bank/financial service use external URL shortener services?

Say there is a bank/financial service that wants to have hyperlinks on their secure website/domain (or even in emails they send out to customers). In some of these links there are some long/obscure URLs which link to one of their subdomains, but the…

man-in-the-middle phishing url

asked Apr 15 '20 at 09:25

hPNJ7MHTyg

627
1
4
5

49

votes

1 answer

In SQL injections why do they put "-- -" at the end of the URL?

I understand when they put a + at the end, URL treats it like a space. I want to know what -- - does. I do know what the "double dash" does. Including the double dash with a "space at the end". I specifically want to know what a dash-dash-space-dash…

web-application sql-injection url

asked Mar 31 '20 at 12:08

Linux Newbie

635
1
5
7

36

votes

3 answers

Is HTTPS URL in plain text at first connection?

Let’s say I have never connected to the site example.com. If this site is https and I write https://example.com/supersecretpage will the URL be sent in clear text since it's the first time I connect to the site and therefore the crypto keys were not…

tls http url

asked Mar 15 '16 at 20:50

user104545

385
1
3
4

32

votes

5 answers

Is there any security benefit from emailing a "secure link"?

Sometimes I receive email messages from organisations I'm involved with saying something like: Alice at AnyCo has sent you a secure message Along with a link to access said message. Sometimes I'm then asked to create an account. The last one even…

email url email-attachments

asked Jun 10 '22 at 06:59

James Bradbury

2,017
19
27

29

votes

3 answers

Generating one time URLs which can be revoked

I have a requirement to generate a one time use URL which should have the following features: As the URL query parameters may contain sensitive information, it should be encrypted (on top of https encryption). Once used, the URL cannot be used…

encryption rest url

asked Apr 05 '18 at 02:30

Rao Nagaraj

393
1
3
6

26

votes

4 answers

Could receiving a URL link, not clicking on it, ever pose a security problem?

Could receiving in a text or an email, a URL link just like https://security.stackexchange.com/questions/ask of a website, which could be a pernicious one, ever pose a security problem at all? What I am asking is that: if I receive such a link but…

url

asked Feb 07 '21 at 01:47

Hans

371
3
6

23

votes

3 answers

Browser is accepting italic/bold Unicode as part of SPAM email's URL

This is truly crazy. I received a SPAM email in which there is a URL crafted from apparent Unicode characters that surprisingly exist for italic/bold letters, which when I reported it to Google's spam collector using Thunderbird's Report Spam Email…

phishing spam url unicode

asked Aug 09 '21 at 15:16

asker13

341
2
6

23

votes

3 answers

What's a "safe" URL shortening algorithm?

The situation: Currently, we are sending out emails and SMS to our users, which include a link to a form that each user has to fill out on a regular basis (an "eDiary"). As we need to be able to authenticate and authorize the user accordingly, we…

hash url

asked Oct 01 '20 at 11:46

BenSower

357
2
6

22

votes

2 answers

Can javascript execution from address bar cause any harm to client's machine?

Given the fact that modern browsers these days prohibit JavaScript from having access to any resources on the client's machine, does JavaScript execution from the address bar pose any threat at all to the client's machine (the machine the browser is…

web-browser javascript url

asked Mar 29 '16 at 09:44

gurvinder372

823
2
8
9

Questions tagged [url]