What is "Visible URL in API call"?

Hey everyone!
I would love some help from the community to fix a security issue that was found by the Flusk tool on my app.

It’s a "Visible URL in API call" vulnerability, described as follows:

Here’s the additional data provided by the Flusk tool:


I have read the documentation of the vulnerability but I’m still unsure what to do next.

Here’s what I understand:
I understand that there is a visible URL in the API call, but I don’t think it is an issue. I want to be sure though. These and some of the others that Flusk found are just general API calls for Google and Outlook calendars.

So I just want to check with the community on whether this should actually be a concern or not.

Any help would be really appreciated :pray:

Logan


Posted with the @Flusk tool

I am sure @vnihoul77 can chime in.

Hey @openocean.tampa, and thanks @hergin for mentioning Victor.

In this specific case, you can ignore the issue. It’s a false positive.
To understand what happened and why, here is a bit more context.

At Flusk, we try to protect your API calls by making sure their URL is private when it doesn’t need to be dynamic.

You want a private URL when you’re calling a private endpoint or server (such as an AWS worker, or something you might have built in-house).

In your case, you’re using a documented and public API that requires authentication. So if anyone found your URL, it wouldn’t be a problem, because they wouldn’t have the required authentication key to perform the call.

We just prefer to show you false positives rather than not showing them at all and potentially leave an issue on your app.

To remember: the destination URL of your API calls should be private when you’re calling an endpoint that doesn’t need authentication.

I hope that was clear enough!
If you need any more info, feel free to reply here :slight_smile:

Best,
Wes
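The triage rule in the reply above, written out as runnable code. This is an added example, not Flusk's scanner or anything from Bubble: it takes a list of client-visible destination URLs, confirms with an unauthenticated probe that the endpoint really rejects calls without a credential, and only then marks the finding as a false positive. It also goes one step beyond the post and flags the case where the credential itself rides inside the visible URL (for example an `api_key=` query parameter), because a documented API does not protect you if the key is part of what the client can see. The `SECRET_PARAMS` list, the call definitions in `CALLS`, and the `FAKE_STATUS` responses are all constructed for the example so it runs offline.

```python
from urllib.parse import urlparse, parse_qs

# Query-string parameter names that usually carry a credential.
# Assumption for this example; extend it to match your own APIs.
SECRET_PARAMS = {"key", "api_key", "apikey", "token", "access_token", "secret"}


def classify_visible_url(url, requires_auth, credential_location):
    """Triage one client-visible API destination URL.

    requires_auth:        True if the endpoint rejects calls that carry no credential.
    credential_location:  "header" (e.g. Authorization), "query", or None.

    Returns one of:
      "secret_in_url"   a credential travels inside the visible URL: real issue
      "unauthenticated" anyone holding the URL can call it, so the URL must stay private
      "false_positive"  documented endpoint that demands a credential the client
                        never sees; the visible URL is harmless
    """
    query = parse_qs(urlparse(url).query)
    if credential_location == "query" or any(p.lower() in SECRET_PARAMS for p in query):
        return "secret_in_url"
    if not requires_auth:
        return "unauthenticated"
    return "false_positive"


def endpoint_requires_auth(url, send):
    """Confirm the endpoint refuses a request that carries no credential.

    send(url) performs a GET with no Authorization header and returns the
    HTTP status code. For a live check pass something like
    ``lambda u: requests.get(u, timeout=5).status_code``; 401 or 403 means
    the server enforces authentication, anything else means it does not.
    """
    return send(url) in (401, 403)


# Constructed responses standing in for real servers so the example runs offline.
# (Google Calendar and Microsoft Graph do answer 401 to anonymous calls; the
# internal worker here is invented and deliberately answers 200.)
FAKE_STATUS = {
    "https://www.googleapis.com/calendar/v3/calendars/primary/events": 401,
    "https://graph.microsoft.com/v1.0/me/events": 401,
    "https://worker.example.internal/run-report": 200,
}


def fake_send(url):
    """Offline stand-in for an unauthenticated GET; unknown hosts answer 404."""
    return FAKE_STATUS.get(url.split("?", 1)[0], 404)


# Constructed API Connector-style call list: (name, visible URL, where the credential goes).
CALLS = [
    ("google_calendar_events",
     "https://www.googleapis.com/calendar/v3/calendars/primary/events", "header"),
    ("outlook_events",
     "https://graph.microsoft.com/v1.0/me/events", "header"),
    ("internal_report_worker",
     "https://worker.example.internal/run-report", None),
    ("weather_with_key",
     "https://api.example.com/forecast?city=Tampa&api_key=abc123", "query"),
]


def triage(calls, send=fake_send):
    """Map each call name to its verdict, probing every endpoint once."""
    results = {}
    for name, url, credential_location in calls:
        requires_auth = endpoint_requires_auth(url, send)
        results[name] = classify_visible_url(url, requires_auth, credential_location)
    return results


if __name__ == "__main__":
    for name, verdict in triage(CALLS).items():
        print(f"{name:25s} {verdict}")
```

The two calendar calls come back `false_positive`, which matches the answer above: the URL is public knowledge and the endpoint refuses anonymous requests. The invented internal worker comes back `unauthenticated`, the situation the scanner is really looking for, and the call that puts its key in the query string comes back `secret_in_url` regardless of what the server answers. Swap `fake_send` for a real HTTP call to run the same triage against your own endpoints.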
