I know this is not source code problem. But maybe this place is the only one I'm thinking bout.
I got mail from some hacker maybe that he got the list of API that exist in my webpage.
He use BurpSuite to get the traffic of the web process. But somehow he get the API that used in the web.
Now I'm trying to intercept my own web. But It's only show the outer process, such as list of controllers and function. But how to show the list of API also. He can show the token and also the endpoint of the API. Is there any setting to do first?
Related
I want to refactor some back-end code. This code communicates with a front-end app, where the front-end app calls a bunch of APIs. I wish to trim the responses provided by the back-end. For this purpose, I want to know what properties does the front-end actually require. So, I want to know where an API endpoint is called on the front-end. Is there any tool which can solve this problem? A tool, to which I give the input my front-end application, it outputs me on what webpage it is calling a particular endpoint. Please note that this is the reverse of doing Ctrl+Shift+I, where I would want to know what endpoint is being called on a particular webpage. What this question is asking instead is, that I do not know the webpage which calls a particular endpoint, can you tell me how to find the webpage, given that I know everything about the API endpoint?
Loopback has nice documentation which you can view at
http://<your-domain>:<your-port>/explorer
I want to write some tests for our server, and at the very least do a GET request for each of the endpoints that should be public and available over REST.
Loopback explorer clearly has this information somewhere - is there a way to get a list of endpoints programmatically?
I just want something like this list:
PATCH /ServicecontractViews
GET /ServicecontractViews
PUT /ServicecontractViews
POST /ServicecontractViews
PATCH /ServicecontractViews/{id}
GET /ServicecontractViews/{id}
HEAD /ServicecontractViews/{id}
GET /Notes/{id}
HEAD /Notes/{id}
PUT /Notes/{id}
DELETE /Notes/{id}
GET /Notes/{id}/exists
is it possible to get this information programmatically (while the server is live)?
The LoopBack explorer uses Swagger JSON to generate the UI you see.
If you watch the XHR requests using your browser debugger, you can grab the direct URL to the raw Swagger. This data should contain what you need, though not in quite as concise a format as you probably want.
I'm trying to create a script to generate Spotify playlists with Node (using the spotify-web-api-node module), and I'm having problems getting authentication. I'm terrible with OAuth, so bear with me through this question.
If I understand correctly, I need to use the authorization code flow to get an access token, and to do it that way, I would need to visit a webpage to get the code. So my question is, is there any way to get the code without having to actually visit the webpage?
I tried using request to see if it would show a redirect, but it just shows me a website from Spotify. If I have to manually allow access to an account the first time, that's fine. I'm just trying to have to take away as much repetition as I can. Also, I'm trying to have this be specific to one account, if it could make a difference.
I'm making a REST backend for private use of our frontend, they will both be in the same server.
The problem is that I'm worried about security issues, I don't want a attacker to use the API directly, either by JS or by using other REST client.
Lets take this service as an example
http://myserver:8080/something/webresources/film
That's a service that allows to GET, PUT, POST, DELETE I want that only the frontend be able to use it, otherwise since anyone can see client-code it would be easy to get the endpoint and start putting or getting data. I do have BASIC AUTH so they would have to register and if they did something wrong I would be able to see who did it, but that doesn't solve the problem.
I could implement access control so that a user only could get/update/delete their own movies, but I would have to do that for every REST service(I have over 100 by now), plus I might need to actually get others movies
This is my first public project, I am really lost.
You can do it through your web server. I'm using Nginx. I have an if statement that checks the $http_referer. If it returns nothing, or the value returned is not my application/frontend page (meaning someone is trying to hit the api directly), it'll return a 403 forbidden page.
If your application doesn't send out emails to your users don't worry about the following: I added a block to allow access to my static images as the only exception, as my application sends out emails with images and I don't want them to break.
That's it. Problem solved. No one has access to my api except my frontend page/application, unless they can forge the $http_referer to match my domain which if they can do that then they deserve to break in.
Your only option to call the REST API from server side. You cannot hide from the users what's going on in their browser... You can have a layered application, so the frontend layer can call the backend layer on the server while the client can see only the frontend. (Check the layered system constraint.)
I have a Windows Phone 8 app. My app needs to POST some data to a web page that I have on my server. Please note, I am trying to POST to a web page, not a web service. The reason that I need to POST to a web page is because 1) I'm trying to render some contents in a web page that is currently launched via a WebBrowserTask 2) I am passing a large amount of data to the web page.
From what I can tell, the WebBrowserTask only allows "GET". Now, I'm totally lost in regards to what to do. Is there a was to POST data via a WebBrowserTask? If not, is there a way to serialize my data as JSON and cram it into the query string? I know that's ugly. At the same time, I'm not sure what else to do.
Thank you
Try adding a WebBrowser control then make your request through either WebClient or HttpWebRequest. Once you get the html response use the NavigateToString(string) method to display the result.
But you can simply use the Navigate(uri) method if you only need to specify some query string params.