What is Visible URL in API call

openocean.tampa · 2024-07-14T14:42:37.393Z

Hey everyone!
I would love some help from the community to fix a security issue that was found by the Flusk tool on my app.

It’s a Visible URL in API call vulnerability described as followed:

Visible URL in API call:

The URL of this call might be sensitive. As a precaution, it is recommended that the URL be concealed or, if deemed appropriate, this issue may be disregarded. For instructions on how to conceal an API call URL, please refer to the corresponding section of the help documentation.

Here’s the additional data provided by the Flusk tool:

Concerned API calls :
• Free Busy ([homepage]api/1.1/wf/get_events_google)
• Free Busy Outlook ([homepage]api/1.1/wf/get_events_outlook)
• Get Access Token Outlook ([homepage]api/1.1/wf/[endpoint])
• Get Access Token Google ([homepage]api/1.1/wf/[endpoint])

I have read the documentation of the vulnerability but I’m still unsure what to do next.

Here’s what I understand:
I understand that there is a visible url in the API call, but I don’t think it is an issue. I want to be sure though. These and some of the others that Flusk found are just general API calls for google and outlook calendars.

So I just want to check with the community on whether this should actually be a concern or not.

Any help would be really appreciated

Logan

Posted with the @Flusk tool

hergin · 2024-07-14T17:18:34.730Z

I am sure @vnihoul77 can chime in.

wesleywsls · 2024-07-18T04:41:56.822Z

Hey @openocean.tampa, and thanks @hergin for mentioning Victor.

In this specific case, you can ignore the issue. It’s a false-positive.
To understand what happened and why, here is a bit more context.

At Flusk, we try to protect your API calls by making sure their URL is private when it doesn’t need to be dynamic.

You want a private URL when you’re calling a private endpoint or server (such as an AWS worker for example, or something you might have built in-house).

In your case, you’re using a documented and public API that requires authentication. So if anyone would find your URL, it wouldn’t be a problem because they wouldn’t have the required authentication key to perform the call.

We just prefer to show you false-positives rather than not showing it at all and potentially leave an issue on your app.

To remember: the destination URL of your API calls should be private when you’re calling an endpoint that doesn’t need authentication.

I hope that was clear enough!
If you need any more infos, feel free to reply here

Best,
Wes

system · 2024-09-22T14:42:57.757Z

This topic was automatically closed after 70 days. New replies are no longer allowed.