APIs Security for publicly exposed APis for Website/App

We have a website using PWA Client calls / Mobile APP, all using the same APIs. We have APIs Exposed to Public. Currently, our APIs are not secure meaning that anyone can check APIs signature via developer tools/proxy tools and hit the API.

We want our APIs to be hit by verified clients. Verified clients do not mean logged in clients. Our website can be used by non-logged in users as well. Clients here mean users accessing the website via browsers/app.

So for that, we are planning that we will allow those APIs only which have the registered/enabled token and that will be sent via header.

Now to generate the token:

  1. Device —- sends Token(B) Request—-> Server
  2. Server generates Token(B) and returns it and stores it in Redis
  3. Device —- sends Token(B) to enable request—–> Server
  4. The server enables it
  5. The device sends Token(B) in all subsequent requests
  6. The server checks whether the token exists in Redis in the enabled state or not

Since these register/enable token APIs are also exposed publicly, to ensure no one is able to hack this process:

  • While enabling the token, we also send the Encrypted token(A) alone with the actual token(B).
  • At the server, we decrypt the token(A) and matches it with the normal Token(B).

Encryption is done using the private key known to client/Server only.

Is this the right approach and this is vulnerable? The only issue is seen is that register/enable token APIs are exposed publically. But we have also added the security to that, is that good enough?

Client side password hashing with exposed salt word – did I find a breach?

I downloaded a software that has a login interface. It’s a $ 100 a month subscription software.

I disassembled the software and found that passwords are being sent by combining them with a hard coded “salt” that everyone can see in the source code (is it really “salt” if it’s the same for everyone?), encrypting them with MD5 and sending the hash to the server.

I hope that the passwords are encrypted again on the server side with unique salts to every user, but even if they do, isn’t this a breach? Can’t an attacker sniff the passwords easily, or do a send-the-hash attack?

OAuth authorization code grant with exposed client secret

Let’s assume that a client has the client secret exposed somewhere. What are the risks that the client and its users are exposed to? Are those the same as having implemented the implicit flow from the begin with?

I would say that, the risk here is for an attacker stealing a code, and since the client secret is available, assuming no other form of client authentication is performed, then the attacker would be able to exchange the code to token. So it looks like it’s similar with the risks of implicit flow, but a bit more secure since by default the tokens are not exposed in the user-agent (implicit flow could use for example response_mode=form_post and avoid that scenario)

Simple and Universal way to password-protect existing webservices that are exposed to internet

There are many tools, devices and programs that by default run a http server and expose a user interface on port 80. Even my coffee machine has a web ui that it provides on port 80.

Now, it’s easy to make these existing webservers available through the internet by simply doing port-forwarding on the internet facing NAT.

I want to do this, but I want to password protect access to them in a simple, generic and secure way.

On simple way would be to just NOT expose them and access them only through a VPN connection. Currently I’m doing this – but I want to be able to access the services without a vpn tunnel from anywhere in the web.

So, let’s say I have three http services in my Lan that I locally can access on

CoffeeMachine:80 MyLightSwitch:80 ToiletFlush:80 

Now I want to be able to access them over the internet by going to

http://mystaticIP/coffeemachine http://mystaticIP/lightswitch http://mystaticIP/toilet 

But for all of them, I want that they are ONLY accessible after some form of user-password authentication.

I don’t need individual users/passwords for the different servers. Can be all the same.

What’s an easy but yet secure way to expose all these three services to the internet, without having to tamper with the http servers on these devices themselves? (by secure I mean that without knowing the password it won’t create a trivial security hole. I don’t worry about man-in-the-middle attacks or so).

Tools I have available to solve this:

  • Adding an additional server running any linux distro/services to the local network
  • Set portforwarding on my NAT

How does AI Robot detect a target behind a wall, but the target has part exposed?

Like a FPS game, a target’s whole body is behind a wall or box, but its finger or foot exposed, and the AI can detect it and shoot its finger?

In my opinon, just traverse all targets, find who is near a wall, and compare its position with the corner of wall, but I don’t know how to check if its finger is exposed?

Or use raycast from AI’s gun to front, but you need add collider to all targets’ every small part?

Threema: Are received messages exposed, when sender’s private key gets compromised?

Note: This question is specific to the Threema Messenger, and relates to their implementation of encryption (using the NaCl ECDH implementation as per their docs).

I refer specifically to their “note on outgoing messages” in their validation document on their website:

It may seem strange that outgoing messages can be decrypted by entering the sender’s private key and the recipient’s public key, i.e. without knowing the recipient’s private key. …

Now, consider this scenario:

  • Alice has received a message from Bob, while Eve records/intercepts traffic as person-in-the-middle on the way to Alice.
  • Alice’s public key of course is public, but Alice never disclosed the private key.
  • Eve somehow gets the private key of Bob.

With Bob’s key and the traffic, could Eve now decrypt all content Bob has ever sent to Alice?

In other words, with Threema, is the privacy of received content dependent on the safety of the private key of the SENDER?

Risk/CVSS of exposed web admin portal to the internet

more of a philosophical question, suppose there is one behavior which allows an attacker to do something with high impact but by itself cannot be used to cause that impact. For example, internet accessible admin portal which even though still requires authentication, it doesn’t have IP whitelist nor 2FA.

Suppose that using the admin portal, an attacker can upload a shell and compromise the whole server.

Would you classify just having relaxed controls on the admin portal authentication as vulnerability?

If yes, what would you say just would you say is the CVSS score?

The risk? I guess here, the impact is high but the likelihood would be in relation to how easy is for someone to acquire valid credentials, which in most cases should be very low)

I would say it’s not vulnerability since one needs valid credentials to actually be able to use the portal. But i hear people having a lot of different opinions so i would like to see some other people’s thoughts.

It’s similar to having a gun (admin portal) without bullets (credentials). It’s only dangerous if you somehow manage to get bullets.

Code Change That Resulted in Database Fields and Values Exposed

At my company, we have a new development team that has been completely rewriting all of the code for different parts of the system.

I’ve noticed that with one of the recent changes, you can now see the JSON data for all of the fields and values for each field that exist in our database for that particular section of an account where a user is logged in. You can do so simply by using Developer Tools in Chrome.

Is this a bad idea from an information security perspective? Why or why not?

Disclaimer: I am not part of any development team, but would like to make others aware so that this can be dealt with appropriately if it is a security concern.

Is 2FA via mobile phone still a good idea when phones are the most exposed device?

Everyone knows that two factors are better than one. My problem is that often the only second factor allowed is text messages to your mobile phone. This creates two concerns:

1) I travel frequently overseas and lose access to 2FA accounts any time the associated SIM card can’t touch a network.

2) Your phone is inherently your least secured device. I install way more software and download way more files on my phone than anywhere else with much less ability to verify sources or control access. For example, nearly every app requests sweeping permissions to function correctly. Even apps that aren’t granted explicit permissions have been found to backdoor those permissions through google services.

I feel like linking my phone to sensitive accounts (such as banking) would actually make them more exposed to attack and more difficult to maintain legitimate access.