Questions tagged [web-service]

A web service is an application that provides a standard means of interoperating between different software applications running on a variety of platforms and/or frameworks, typically using HTTP or HTTPS as a transport layer for object and request models (SOAP, REST, JSON, etc.). Its output is not intended to be shown directly in a browser.

A web service is an application that provides services to consumers (web applications, thick clients, other services, mobile apps, etc.). Those services may provide data, perform some calculation, or do just about anything other than providing a UI. Thus, it has a clearly defined API that consists of responses to requests made by a remote application.

Do not confuse it with a web application: a web application has a GUI intended to be shown in a web browser.

357 questions
42 votes, 8 answers

Is it okay for API secret to be stored in plain text or decrypt-able?

Aren't API keys considered usernames and API secrets considered passwords? Why is it that API servers like Amazon Web Services allow you to view your API secret in plain text? It makes me think they store it in plain text or at least in a…
IMB
41 votes, 4 answers

What does the tilde (~) mean at the end of a file extension?

While I was playing some Capture the Flag (CTF), I couldn't solve a challenge because of this tilde ~. I'm playing on www.example.com/index.php but when I added (~) at the end: www.example.com/index.php~ , a file with name index.php started…
ReDa
34 votes, 1 answer

How to implement an API-Key-Mechanism

First of all: I am quite unsure about the title of the question, so if you have a better idea, please feel free to tell (: I would like to know about best-practice examples where services (like Twitter or co) which offer APIs and want you as a…
user510083
33 votes, 8 answers

Giving malicious crawlers and scripts a hard time

My webserver has been up for < 25 hours and has already been crawled for various default pages, just to name one /administrator/index.php. I understand that this is very common and it's not really an issue for me, as I have secured the server in a…
SaAtomic
32 votes, 8 answers

Is there a way to prevent someone from making his own client app for my webservice?

Say I have a RESTful web service and a commercial Android app on the front end which is used to interact with it. I may use SSL so that the endpoints are not visible, but someone could still do some reverse engineering to find them. I could also use…
Ana Mandic
22 votes, 2 answers

How can I prevent my users from getting a certificate issued for my domain on my behalf?

I have a domain where some other users have access to upload files, use email, use XMPP, etc. How can I prevent these users from going to a certificate authority and getting a certificate for my domain? Unless the CA requires personal contact, how do…
unor
21 votes, 3 answers

Is exposing exception information in web service a security risk?

It is a known fact that exposing the exception information to the end user poses security risks, since an adversary can use that to figure out how things work internally and attack it. But what about a web service, where that information might be…
Ilya Chernomordik
21 votes, 3 answers

What precautions should I take when creating users that will be used by applications and not by people?

I have some applications that need to access a web services bus. Our own applications that access the bus authenticate using a web service on that bus, but in this case I need third-party applications to access some web services in the bus. These…
Eloy Roldán Paredes
17 votes, 2 answers

Why is CSRF protection only applicable to web services with browser clients?

The Spring docs state: Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF…
hotmeatballsoup
17 votes, 4 answers

What to do when you can’t protect mobile app secret keys?

We have a mobile app for iOS and Android available in the Apple and Google Play stores. The app communicates with our server’s Web Services over HTTPS. We have attackers able to spoof the app traffic. This probably means our attackers are decrypting…
16 votes, 1 answer

REST specific security weaknesses

I need to start working with RESTful Web Services. SOAP-based web services already have so many standards to secure communication, establish trust, etc. I am not aware of any for REST. What I would appreciate is answers to the following…
Stefany
16 votes, 6 answers

Securing an API for mobile access

I've built a nice REST/JSON API that is used by other companies (our clients) as a B2B service. Each of our clients has a username/password pair, and we also use HTTPS and validate the source IP of requests to the service. Service usage costs money, and…
Tal Weiss
15 votes, 3 answers

Is this bank website secure enough? No HTTPS on the login page

Today I opened a bank account to invest my savings. Here's the link to the login page: http://www1.directatrading.com/ I noticed it doesn't use the HTTPS protocol (neither on that page nor on the landing page where you can buy stocks etc.). Moreover your…
KingBOB
15 votes, 2 answers

What are the security risks when using free content delivery networks (CDNs)?

I was doing some research on content delivery networks. For those who don't know, a CDN is a large collection of servers that cache and quickly serve up static content such as images, CSS, JS, etc. to end users. CDNs can significantly increase…
Joe Web
14 votes, 3 answers

Can the Host Header be used to hide the existence of a service?

Imagine a web server running on 93.184.216.34, usually reachable via the public DNS entry example.com. Web servers usually allow the distinction of multiple "virtual" servers, based on the Host header received via the HTTP request. Now imagine the…
user163495