shyamshyam
7 years agoQrew Member
Security Concern
Hi All,
One of our client has raised the security concerns while accessing QuickBase Using API's.
Following is the sequence of the calls made to access the QuickBase from the external system.
First call for the authentication to get ticket:
POST //db/main HTTP/1.1
Host: https://target_domain
Content-Type: application/xml
QUICKBASE-ACTION: API_Authenticate
Cache-Control: no-cache
Postman-Token: a66300eb-891b-2764-d7ad-f4a6e0b45452
<qdbapi>
<username>USER NAME</username>
<password>PASSWORD</password>
<hours>24</hours>
</qdbapi>
O/P: Ticket
After first call of authentication, when subsequent calls are made to the QuickBase without passing the Ticket ,
still we get the desired output and this pose the serious security concern,
as anyone can do the random calls to the QuickBase and get Data till the ticket is valid.
Second call without ticket:
GET /db/bm272rhqa?a=API_DoQuery&query={'3'.EX.'42'}&clist=3 HTTP/1.1
Host: https://target_domain
Cache-Control: no-cache
Postman-Token: e71e843e-1a90-54f8-cfac-80a6bfe8d89b
O/P : Desired XML Data
As a immediate fix we have asked the client to use "API_SignOut" API to invalidate the ticket, but still if ticket has duration of ,
say of 4 hours and during that four hours is it possible to make sure that no API calls can be made to QuickBase without passing valid ticket in each API Calls.
Thanks
One of our client has raised the security concerns while accessing QuickBase Using API's.
Following is the sequence of the calls made to access the QuickBase from the external system.
First call for the authentication to get ticket:
POST //db/main HTTP/1.1
Host: https://target_domain
Content-Type: application/xml
QUICKBASE-ACTION: API_Authenticate
Cache-Control: no-cache
Postman-Token: a66300eb-891b-2764-d7ad-f4a6e0b45452
<qdbapi>
<username>USER NAME</username>
<password>PASSWORD</password>
<hours>24</hours>
</qdbapi>
O/P: Ticket
After first call of authentication, when subsequent calls are made to the QuickBase without passing the Ticket ,
still we get the desired output and this pose the serious security concern,
as anyone can do the random calls to the QuickBase and get Data till the ticket is valid.
Second call without ticket:
GET /db/bm272rhqa?a=API_DoQuery&query={'3'.EX.'42'}&clist=3 HTTP/1.1
Host: https://target_domain
Cache-Control: no-cache
Postman-Token: e71e843e-1a90-54f8-cfac-80a6bfe8d89b
O/P : Desired XML Data
As a immediate fix we have asked the client to use "API_SignOut" API to invalidate the ticket, but still if ticket has duration of ,
say of 4 hours and during that four hours is it possible to make sure that no API calls can be made to QuickBase without passing valid ticket in each API Calls.
Thanks