Hey everyone!
I would love some help from the community to fix a security issue that was found by the Flusk tool on my app.
It’s a Visible URL in API call vulnerability described as follows:
Here’s the additional data provided by the Flusk tool:
I have read the documentation of the vulnerability but I’m still unsure what to do next.
Here’s what I understand:
I understand that there is a visible URL in the API call, but I don’t think it is an issue. I want to be sure though. These and some of the others that Flusk found are just general API calls for Google and Outlook calendars.
So I just want to check with the community on whether this should actually be a concern or not.
In this specific case, you can ignore the issue. It’s a false-positive.
To understand what happened and why, here is a bit more context.
At Flusk, we try to protect your API calls by making sure their URL is private when it doesn’t need to be dynamic.
You want a private URL when you’re calling a private endpoint or server (such as an AWS worker for example, or something you might have built in-house).
In your case, you’re using a documented and public API that requires authentication. So if anyone found your URL, it wouldn’t be a problem because they wouldn’t have the required authentication key to perform the call.
We just prefer to show you false positives rather than not show them at all and potentially leave an issue on your app.
To remember: the destination URL of your API calls should be private when you’re calling an endpoint that doesn’t need authentication.
I hope that was clear enough!
If you need any more info, feel free to reply here.