Security Concern

Question

Hi All,One of our client has raised the security concerns while accessing QuickBase Using API's.Following is the sequence of the calls made to access the QuickBase from the external system.First call for the authentication to get ticket:POST //db/main HTTP/1.1Host: https://target_domainContent-Type: application/xmlQUICKBASE-ACTION: API_AuthenticateCache-Control: no-cachePostman-Token: a66300eb-891b-2764-d7ad-f4a6e0b45452&lt;qdbapi&gt;&nbsp; &nbsp;&lt;username&gt;USER NAME&lt;/username&gt;&nbsp; &nbsp;&lt;password&gt;PASSWORD&lt;/password&gt;&nbsp; &nbsp;&lt;hours&gt;24&lt;/hours&gt;&lt;/qdbapi&gt;O/P: TicketAfter first call of authentication, when subsequent calls are made to the QuickBase without passing the Ticket ,still we get the desired output and this pose the serious security concern,&nbsp;as anyone can do the random calls to the QuickBase and get Data till the ticket is valid.Second call without ticket:GET /db/bm272rhqa?a=API_DoQuery&amp;amp;query={'3'.EX.'42'}&amp;amp;clist=3 HTTP/1.1Host: https://target_domainCache-Control: no-cachePostman-Token: e71e843e-1a90-54f8-cfac-80a6bfe8d89bO/P : Desired XML DataAs a immediate fix we have asked the client to use "API_SignOut" API to invalidate the ticket, but still if ticket has duration of ,say of 4 hours and during that four hours is it possible to make sure that no API calls can be made to QuickBase without passing valid ticket in each API Calls.Thanks

_anomdiebolt_ · Answer

&gt;"when subsequent calls are made to the QuickBase without passing the Ticket ,still we get the desired output "I am not sure you are making the "subsequent calls" through postman or a browser or using some other user agent. The ticket is sent as a "httponly cookie" from the browser context meaning it cannot be accessed through client-side script and is sent to the server encrypted. The ticket does not appear in the URL or post body as it is sent as a secure httponly cookie in the header automatically. There is no security concern. QuickBase's security is very good and you are far more likely to have a user misplace or share their password or commit some other human error than to have someone steal your cookies.What is httponly cookie?HttpOnly is a flag added to cookies that tell the browser not to display  the cookie through client-side scripts (document.cookie and others).  The agenda behind HttpOnly is not to spill out cookies when an XSS flaw  exists, as a hacker might be able to run their script but the  fundamental benefit of having an XSS vulnerability (the ability steal  cookies and hijack a currently established session) is lost.https://latesthackingnews.com/2017/07/03/what-is-httponly-cookie/

neilservices · Answer

Shyam,Postman uses cookies just like a browser. &nbsp;It is possible to clear them, then subsequent calls will fail. &nbsp;Here are the docs:https://www.getpostman.com/docs/v6/postman/sending_api_requests/cookiesNeil

Forum Discussion

Security Concern