Is it possible to change an API response using the host file?web security testing - vulnerability issueAPI which does not allow to invalidate session on server side - how to make it more secure?Why use a proxy to hide OAuth client credentials in password grant calls?Where to store access and refresh tokens on ASP.NET client web app - calling a REST APIIs it possible to modify jQuery client code to call a remote API in an unintended way?Simple, Secure PHP API DesignEncrypting the API response in a single page appDo I need to hash or encrypt API keys before storing them in a database?strstr and fopen, is there a bypass?CORS accepting arbitrary origin with GET but not with OPTIONS

How do we know neutrons have no charge?

How to say "respectively" in German when listing (enumerating) things

Delete n lines skip 1 line script

How deep is the liquid in a half-full hemisphere?

Sci-fi movie with one survivor and an organism(?) recreating his memories

I reverse the source code, you reverse the input!

Whaling ship logistics

Why is a road bike faster than a city bike with the same effort? How much faster it can be?

Windows 10 deletes lots of tiny files super slowly. Anything that can be done to speed it up?

Is population size a parameter, or sample size a statistic?

When did Unix stop storing passwords in clear text?

Can an energy drink or chocolate before an exam be useful ? What sort of other edible goods be helpful?

"until mine is on tight" is a idiom?

Do interval ratios take overtones into account or solely the fundamental frequency?

Can I target any number of creatures, even if the ability would have no effect?

split 1 column input into 5 column bed file

rust-proof solution for attaching 2x4 to 4x4?

Would an object shot from earth fall into the sun?

After viewing logs with journalctl, how do I exit the screen that says "lines 1-2/2 (END)"?

Speed and Velocity in Russian

What can Thomas Cook customers who have not yet departed do now it has stopped operating?

My machine, client installed VPN,

Are the coefficients of certain product of Rogers-Ramanujan Continued Fraction non-negative?

I transpose the source code, you transpose the input!



Is it possible to change an API response using the host file?


web security testing - vulnerability issueAPI which does not allow to invalidate session on server side - how to make it more secure?Why use a proxy to hide OAuth client credentials in password grant calls?Where to store access and refresh tokens on ASP.NET client web app - calling a REST APIIs it possible to modify jQuery client code to call a remote API in an unintended way?Simple, Secure PHP API DesignEncrypting the API response in a single page appDo I need to hash or encrypt API keys before storing them in a database?strstr and fopen, is there a bypass?CORS accepting arbitrary origin with GET but not with OPTIONS






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



A diagram if I'm not explaing it too well:



API normal function
enter image description here



An API with a mocked response
API with mocked response










share|improve this question






























    2















    Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



    A diagram if I'm not explaing it too well:



    API normal function
    enter image description here



    An API with a mocked response
    API with mocked response










    share|improve this question


























      2












      2








      2








      Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



      A diagram if I'm not explaing it too well:



      API normal function
      enter image description here



      An API with a mocked response
      API with mocked response










      share|improve this question














      Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



      A diagram if I'm not explaing it too well:



      API normal function
      enter image description here



      An API with a mocked response
      API with mocked response







      vulnerability api






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 8 hours ago









      James NixonJames Nixon

      254 bronze badges




      254 bronze badges























          1 Answer
          1






          active

          oldest

          votes


















          4
















          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer

























          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago













          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );














          draft saved

          draft discarded
















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218542%2fis-it-possible-to-change-an-api-response-using-the-host-file%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          4
















          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer

























          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago















          4
















          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer

























          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago













          4














          4










          4









          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer













          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 8 hours ago









          Steffen UllrichSteffen Ullrich

          131k17 gold badges237 silver badges303 bronze badges




          131k17 gold badges237 silver badges303 bronze badges















          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago

















          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago
















          Ah, thank you for the reply. That makes sense

          – James Nixon
          8 hours ago





          Ah, thank you for the reply. That makes sense

          – James Nixon
          8 hours ago


















          draft saved

          draft discarded















































          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218542%2fis-it-possible-to-change-an-api-response-using-the-host-file%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

          Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

          199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單