Is it possible to change an API response using the host file?


Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so, does that vulnerability have a name?



A diagram if I'm not explaining it too well:



[Image: API normal function]

[Image: An API with a mocked response]










      vulnerability api






      asked 8 hours ago









James Nixon

1 Answer






If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution by manipulating the hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was sent by the browser since what gets sent is totally out of the control of the server.



This means that the server would need to check if the price provided in the request is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the price (or any other data) in the request is actually the one which was originally provided by the server.






          answered 8 hours ago









Steffen Ullrich

          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago
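The two server-side checks from the answer, written out as an added example that is not part of the original post (Python; the secret, catalogue and SKUs are constructed for the example): the server tags the (item, price) pair with HMAC-SHA256 under a server-side secret when it renders the page, and at checkout it accepts the submitted price only if the tag still matches; the catalogue lookup shows the answer's other option of re-reading the current price. It also binds the item id into the tag so a tag issued for one item cannot be reused on another.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example: a server-side secret and a
# price catalogue (prices in cents). The secret must only ever exist on
# the server; none of these values come from the original post.
SERVER_SECRET = b"constructed-example-secret-never-ship-to-the-browser"
CATALOGUE = {"sku-1001": 1999, "sku-1002": 4999}


def _canonical(item_id: str, price_cents: int) -> bytes:
    # Fixed encoding so item id and price cannot be re-split by the client
    # (e.g. "sku-1" + "999" vs "sku-19" + "99"); the tag covers both fields.
    return json.dumps([item_id, price_cents], separators=(",", ":")).encode()


def sign_price(item_id: str, price_cents: int, secret: bytes = SERVER_SECRET) -> str:
    """Server side, when rendering the page: tag the (item, price) pair."""
    return hmac.new(secret, _canonical(item_id, price_cents), hashlib.sha256).hexdigest()


def verify_signed_price(item_id: str, price_cents: int, tag: str,
                        secret: bytes = SERVER_SECRET) -> bool:
    """Server side, at checkout: recompute the tag and compare in constant time."""
    expected = sign_price(item_id, price_cents, secret)
    return hmac.compare_digest(expected.encode(), tag.encode())


def verify_against_catalogue(item_id: str, price_cents: int) -> bool:
    """The answer's first option: re-read the current price instead of trusting the body."""
    return CATALOGUE.get(item_id) == price_cents


def checkout(order: dict) -> str:
    """Request handler: the price in the body is untrusted input like everything else."""
    try:
        item_id = str(order["item_id"])
        price_cents = int(order["price_cents"])
        tag = str(order["tag"])
    except (KeyError, TypeError, ValueError):
        return "rejected"  # malformed or missing fields
    if not verify_signed_price(item_id, price_cents, tag):
        return "rejected"  # price or item id changed since the server issued the tag
    return "accepted"


if __name__ == "__main__":
    tag = sign_price("sku-1002", 4999)
    print(checkout({"item_id": "sku-1002", "price_cents": 4999, "tag": tag}))  # accepted
    print(checkout({"item_id": "sku-1002", "price_cents": 1, "tag": tag}))     # rejected
    print(checkout({"item_id": "sku-1001", "price_cents": 4999, "tag": tag}))  # rejected
```

A spoofed api.sitename.com can hand the browser any price it likes, but without the server-side secret it cannot produce a matching tag, so the tampered order is rejected at checkout.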
















