Skip to content

Box OAuth App Client Secret

Service Name: Box

Service Description: Box is a cloud content management and file sharing service for businesses. It enables secure collaboration, workflow automation, and integration with various applications.

Service Address: https://www.box.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the enterprise level through Box Shield and Admin Console settings.

Secret Access Scope: Grants programmatic access to Box content and services through OAuth 2.0 authentication flow. Allows applications to access Box on behalf of users or with application-level permissions.

Secret Revokement URL: https://app.box.com/developers/console

Secret Example: uIA8hP5iS7B5yLGK9T4mfwJDqDO7cDJT

Suspicious Activity Investigation Instructions:

  • Review Box Admin Console for unusual login activity or file access patterns
  • Check the OAuth application's access logs for unexpected authentication attempts
  • Monitor for unusual file downloads, shares, or permission changes
  • Review Box event logs for suspicious API calls made with the client credentials
  • Verify if the application is accessing resources beyond its intended scope

Mitigation Instructions:

  • Log in to the Box Developer Console at https://app.box.com/developers/console
  • Locate the affected application in your list of applications
  • Click on the application to access its settings
  • Navigate to the "Configuration" tab
  • Select Revoke next to the client secret or Delete Application to completely remove it.
  • Generate a new client secret if the application is still needed.
  • Update the application with the new client secret.
  • Review and adjust application permissions and scopes to follow the Principle of Least Privilege.
  • Consider implementing additional security measures like IP restrictions and shorter token lifetimes.