Questions tagged [web-service]

A web service is an application that provides a standard means of interoperating between different software applications running on a variety of platforms and/or frameworks, typically using HTTP or HTTPS as a transport layer for object and request models (SOAP, REST, JSON, etc.). The output isn't intended to be shown directly in a browser.

A web service is an application that provides services to consumers (web applications, thick clients, other services, mobile apps, etc.). Those services may provide data, perform some calculation or just about anything other than providing a UI. Thus, it will have a clearly-defined API which consists of providing responses to requests made by a remote application.

Don't confuse this with a web application, which does have a GUI intended to be shown in a web browser.

365 questions
14 votes, 3 answers

Can the Host Header be used to hide the existence of a service?

Imagine a web server running on 93.184.216.34, usually reachable via the public DNS entry example.com. Web servers usually allow the distinction of multiple "virtual" servers, based on the Host header received via the HTTP request. Now imagine the…
user163495
5 votes, 3 answers

web services: how prevent illegal accesses

As suggested by someone I post a question here (for the first time). I'm using web services from an Android application. I use https (I bought a SSL certificate). I want to prevent unwanted accesses from others that know the urls of my web…
Seraphim's host
4 votes, 2 answers

Security in large-scale SOAs

Let's assume a service-oriented architecture (SOA) with hundreds of services. The services are completely isolated – what is behind their APIs is an implementation detail. Different services can have different security policies – i.e. who can access…
fhucho
3 votes, 4 answers

Tracking a user who has posted abusive messages

A visitor to our site has posted abusive messages and I wish to block them but I'm not sure there's much I can do besides blocking their IP address (and even that won't help much). After analysing the logs, I can see the IP address…
Gerard
3 votes, 2 answers

Is there any way to differentiate between a normal web request and a web service request?

I have a security layer for providing the security of the requests that come to my server. For all web requests that come in, a login page is shown if the cookie is not present. I am now introducing web service requests to this server which also look like…
Sai Pavan
3 votes, 1 answer

SVC service page on production

I am testing web service on production. There is a standard SVC web page available like the example below (another randomly selected webpage, just for example). Is it ok to have this page available on the production environment?
user187205
2 votes, 3 answers

Can an unlisted directory on webserver be discovered?

Assume the following sample directory: - / - /images - /28374728127636438 - /css Directory listing is disabled on the server and the directory named 28374728127636438 never linked anywhere on the actual web page. This directory contains the backend…
DeleteMe
2 votes, 1 answer

Securing REST API that will accessed from different clients

I have developed a REST/JSON API. The API exposes a lot of features. The API will be consumed by applications we design internally (mobile apps and web apps), by applications designed by our resellers and by applications designed by businesses. I am…
2 votes, 1 answer

What attacks are most likely against SSL/TLS web service sessionid?

I am implementing a web api with which I plan to authorize access by accepting a username and password and system name and returning a sessionid which can be used on subsequent calls to authorize the caller. The api is only available through SSL 3.0…
Thronk
1 vote, 2 answers

How to block spammers from using my public email api

I am working on a web application which allows users to share stuff on a web-page by clicking on an 'email to friend' link; similar to what extole is doing here…
taimur
1 vote, 1 answer

Is it possible to create secure streaming server

Right now I am thinking for a way to create a secure video streaming server with the following assumption: people can be trusted not to distribute the video they have rights to see. (I think in the first edit of my question I was not able to…
Salvador Dali
1 vote, 2 answers

API - Security design issues

I'm building a GUI Desktop application that will communicate with an API(http) in a webserver. In the client side I have a GUI Desktop application and a GSM Modem(hardware). The GUI Desktop application will make requests to the API in the webserver…
André
1 vote, 2 answers

How do private feeds get transferred between two different portals?

I have some doubts about how the RSS private feeds, get transferred between one portal to another. The whole point is to allow private RSS feeds to be consumed by external clients, and in 99% of cases, they support basic authentication and SSL. The…
Anuroop Kuppam
1 vote, 2 answers

bots bypassing form and submitting directly through web service

We have a form that when submitted, will transmit its data as XML to a public web service. I am concerned that that URL is being directly manipulated to post bogus entries to our system, completely bypassing the form itself. The form itself is…
Raquel
0 votes, 1 answer

How long should a shared link (token in the URL) be?

Suppose we have a web service operation like: GetComments(encryptedDiscussionID) // returns list of comments Where encryptedDiscussionID is the encrypted version of the actual discussionID in the database. The encryption is done on the server…
GarethOwen