Is it possible to change an API response using the host file?web security testing - vulnerability issueAPI which does not allow to invalidate session on server side - how to make it more secure?Why use a proxy to hide OAuth client credentials in password grant calls?Where to store access and refresh tokens on ASP.NET client web app - calling a REST APIIs it possible to modify jQuery client code to call a remote API in an unintended way?Simple, Secure PHP API DesignEncrypting the API response in a single page appDo I need to hash or encrypt API keys before storing them in a database?strstr and fopen, is there a bypass?CORS accepting arbitrary origin with GET but not with OPTIONS

How do we know neutrons have no charge?

How to say "respectively" in German when listing (enumerating) things

Delete n lines skip 1 line script

How deep is the liquid in a half-full hemisphere?

Sci-fi movie with one survivor and an organism(?) recreating his memories

I reverse the source code, you reverse the input!

Whaling ship logistics

Why is a road bike faster than a city bike with the same effort? How much faster it can be?

Windows 10 deletes lots of tiny files super slowly. Anything that can be done to speed it up?

Is population size a parameter, or sample size a statistic?

When did Unix stop storing passwords in clear text?

Can an energy drink or chocolate before an exam be useful ? What sort of other edible goods be helpful?

"until mine is on tight" is a idiom?

Do interval ratios take overtones into account or solely the fundamental frequency?

Can I target any number of creatures, even if the ability would have no effect?

split 1 column input into 5 column bed file

rust-proof solution for attaching 2x4 to 4x4?

Would an object shot from earth fall into the sun?

After viewing logs with journalctl, how do I exit the screen that says "lines 1-2/2 (END)"?

Speed and Velocity in Russian

What can Thomas Cook customers who have not yet departed do now it has stopped operating?

My machine, client installed VPN,

Are the coefficients of certain product of Rogers-Ramanujan Continued Fraction non-negative?

I transpose the source code, you transpose the input!



Is it possible to change an API response using the host file?


web security testing - vulnerability issueAPI which does not allow to invalidate session on server side - how to make it more secure?Why use a proxy to hide OAuth client credentials in password grant calls?Where to store access and refresh tokens on ASP.NET client web app - calling a REST APIIs it possible to modify jQuery client code to call a remote API in an unintended way?Simple, Secure PHP API DesignEncrypting the API response in a single page appDo I need to hash or encrypt API keys before storing them in a database?strstr and fopen, is there a bypass?CORS accepting arbitrary origin with GET but not with OPTIONS






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



A diagram if I'm not explaing it too well:



API normal function
enter image description here



An API with a mocked response
API with mocked response






vulnerability api







share|improve this question






























    2















    Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



    A diagram if I'm not explaing it too well:



    API normal function
    enter image description here



    An API with a mocked response
    API with mocked response






    vulnerability api







    share|improve this question


























      2












      2








      2








      Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



      A diagram if I'm not explaing it too well:



      API normal function
      enter image description here



      An API with a mocked response
      API with mocked response






      vulnerability api







      share|improve this question














      Would it be possible for someone to hijack the response of an API by using the host file, so for example www.sitename.com calls api.sitename.com/api/products. Could I use the host file to redirect the call api.sitename.com/api/products to a local instance of the API? If so does that vulnerability have a name?



      A diagram if I'm not explaing it too well:



      API normal function
      enter image description here



      An API with a mocked response
      API with mocked response






      vulnerability api




      vulnerability api






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 8 hours ago









      James NixonJames Nixon

      254 bronze badges




      254 bronze badges























          1 Answer
          1






          active

          oldest

          votes


















          4
















          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer

























          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago













          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "162"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );














          draft saved

          draft discarded
















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218542%2fis-it-possible-to-change-an-api-response-using-the-host-file%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          4
















          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer

























          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago















          4
















          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer

























          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago













          4














          4










          4









          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.






          share|improve this answer













          If you can fake the price this way then this is basically due to improper validation of user input. It does not matter if the fake price comes because you've used another API endpoint (spoofing name resolution with manipulating hosts file or DNS) or if you've edited the page in the browser or if you've changed what got submitted to the server by intercepting the request - the server should never blindly trust anything which was send by the browser since what gets send is totally out of control of the server.



          This means that the server would need to check if the price provided in the requested is actually the current price of the item. Or the server might send some cryptographic signature or HMAC (with a server-side secret) along with the price and can then check if the price still matches the signature/HMAC. But the server should never just blindly trust that the a price (or any other data) in the request is actually the one which was originally provided by the server.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 8 hours ago









          Steffen UllrichSteffen Ullrich

          131k17 gold badges237 silver badges303 bronze badges




          131k17 gold badges237 silver badges303 bronze badges















          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago

















          • Ah, thank you for the reply. That makes sense

            – James Nixon
            8 hours ago
















          Ah, thank you for the reply. That makes sense

          – James Nixon
          8 hours ago





          Ah, thank you for the reply. That makes sense

          – James Nixon
          8 hours ago


















          draft saved

          draft discarded















































          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218542%2fis-it-possible-to-change-an-api-response-using-the-host-file%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

          Image
          Internet forum softwarePHP software Internet communityPHPMySQLdatabase management systemInternet forumCharles WarnerMatt MechamJarvis Entertainment GroupIkonboardInvisionFreeAjaxIPS Community ForumsIPS Community Forumsthis blog entry Invision Community From Wikipedia, the free encyclopedia Jump to navigation Jump to search Invision Community Developer(s) Invision Power Services Stable release 4.4.6 / August 19, 2019 ; 34 days ago  ( 2019-08-19 ) Platform PHP / MySQL Type Forum software License Proprietary Website invisioncommunity.com Invision Community (previously known as IPS Community Suite ) is primarily an Internet community software produced by Invision Power Services, Inc. It is written in PHP and uses MySQL as a database management system. Invision Power Services sell applications that each can be bought and installed separately in addition to the Suite, the most widely known being the Internet forum software Invision Power Board. Invisi
          Read more

          Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

          Image
          Would it be easier to colonise a living world or a dead world? Postal services in Italy - Poste Italiane vs. Friendpost vs. GPS What is /dev/null and why can't I use hx on it? Why are engines with carburetors hard to start in cold weather? How to make a gift without seeming creepy? Without exposing his identity, did Roy help his parents with money so that they can afford to stay in their home? Does the Creighton Method of Natural Family Planning have a failure rate of 3.2% or less? How do I break the broom in Untitled Goose Game? Had there been instances of national states banning harmful imports before the mid-19th C Opium Wars? D&D Monsters and Copyright Is sleeping on the groud in cold weather better than on an air mattress? Transiting through Switzerland by coach with lots of cash quadratic equations on 2 by 2 matrices Always Lubricate Skewers? I pay for a service, but I miss the broadcast Iron-age tools, is there a way to extract heavy metals
          Read more

          Tom Holland Mục lục Đầu đời và giáo dục | Sự nghiệp | Cuộc sống cá nhân | Phim tham gia | Giải thưởng và đề cử | Chú thích | Liên kết ngoài | Trình đơn chuyển hướngProfile“Person Details for Thomas Stanley Holland, "England and Wales Birth Registration Index, 1837-2008" — FamilySearch.org”"Meet Tom Holland... the 16-year-old star of The Impossible""Schoolboy actor Tom Holland finds himself in Oscar contention for role in tsunami drama"“Naomi Watts on the Prince William and Harry's reaction to her film about the late Princess Diana”lưu trữ"Holland and Pflueger Are West End's Two New 'Billy Elliots'""I'm so envious of my son, the movie star! British writer Dominic Holland's spent 20 years trying to crack Hollywood - but he's been beaten to it by a very unlikely rival"“Richard and Margaret Povey of Jersey, Channel Islands, UK: Information about Thomas Stanley Holland”"Tom Holland to play Billy Elliot""New Billy Elliot leaving the garage"Billy Elliot the Musical - Tom Holland - Billy"A Tale of four Billys: Tom Holland""The Feel Good Factor""Thames Christian College schoolboys join Myleene Klass for The Feelgood Factor""Government launches £600,000 arts bursaries pilot""BILLY's Chapman, Holland, Gardner & Jackson-Keen Visit Prime Minister""Elton John 'blown away' by Billy Elliot fifth birthday" (video with John's interview and fragments of Holland's performance)"First News interviews Arrietty's Tom Holland"“33rd Critics' Circle Film Awards winners”“National Board of Review Current Awards”Bản gốc"Ron Howard Whaling Tale 'In The Heart Of The Sea' Casts Tom Holland"“'Spider-Man' Finds Tom Holland to Star as New Web-Slinger”lưu trữ“Captain America: Civil War (2016)”“Film Review: ‘Captain America: Civil War’”lưu trữ“‘Captain America: Civil War’ review: Choose your own avenger”lưu trữ“The Lost City of Z reviews”“Sony Pictures and Marvel Studios Find Their 'Spider-Man' Star and Director”“‘Mary Magdalene’, ‘Current War’ & ‘Wind River’ Get 2017 Release Dates From Weinstein”“Lionsgate Unleashing Daisy Ridley & Tom Holland Starrer ‘Chaos Walking’ In Cannes”“PTA's 'Master' Leads Chicago Film Critics Nominations, UPDATED: Houston and Indiana Critics Nominations”“Nominaciones Goya 2013 Telecinco Cinema – ENG”“Jameson Empire Film Awards: Martin Freeman wins best actor for performance in The Hobbit”“34th Annual Young Artist Awards”Bản gốc“Teen Choice Awards 2016—Captain America: Civil War Leads Second Wave of Nominations”“BAFTA Film Award Nominations: ‘La La Land’ Leads Race”“Saturn Awards Nominations 2017: 'Rogue One,' 'Walking Dead' Lead”Tom HollandTom HollandTom HollandTom Hollandmedia.gettyimages.comWorldCat Identities300279794no20130442900000 0004 0355 42791085670554170004732cb16706349t(data)XX5557367

          Image
          Sinh 1996Nhân vật còn sốngNam diễn viên Anh 1 tháng 61996người AnhNhà hát cung điện VictoriaLuân ĐônSpider-ManMarvel Cinematic UniverseKingston upon ThamesLuân ĐônIsle of ManIrelandDonheadCông giáo La MãWimbledonWimbledonCông giáo RômaNifty Feet Dance SchoolLynne PageBilly ElliotBilly Elliot the MusicalWest EndBilly Elliot The MusicalTanner PfluegerBilly ElliotsTanner PfluegerLayton WilliamsAngry DanceBilly Elliot the MusicalMyleene KlassBilly Elliot the Musical10 Downing StreetGordon BrownWolf HallBBC TwoGregory CromwellThomas CromwellMark RylanceBeneath a Scarlet SkyLip Sync BattleZendayaGiải Oscar cho hiệu ứng hình ảnh xuất sắc nhấtGiải thưởng Viện Hàn lâmTội phạm nhân bản 2049Jimmy Kimmel Live!Người nhệnGhibli StudioJuan Antonio BayonaNaomi WaHttsEwan McGregorLiên hoan phim Quốc tế TorontoLondon Film CriticsSaoirse RonanRon HowardPeter ParkerSpider-ManMarvelCharlie HunnamJames GraySamuel InsullAlfonso Gomez-RejonPatrick Ness Chaos WalkingDaisy RidleyDoug LimanNathan DrakeUnchartedN
          Read more