We have a form that when submitted, will transmit its data as XML to a public web service. I am concerned that that URL is being directly manipulated to post bogus entries to our system, completely bypassing the form itself. The form itself is already through an HTTPS connection. I believe we are using SOAP. What can we do to secure the form/service?
2 Answers
HTTPS will only prevent people from viewing the data en-route to the web service. It provides no method to authorize a request. You'll need to implement some authorization/authentication in the web service to make sure the people posting data are the ones that need to be posting data.
You need to validate user input on both the client side and the server side.
So if you have a form on the client side that checks to make sure the user input is less than 10 characters, a bot can simply bypass it by making a request to your web service without your client. So you need to validate on the server side.
For example, if you have a route on your web service:
route.post('/api/signup/', function (req, res) {
    // The submitted field lives in req.body (assumes body-parsing middleware);
    // the field name 'username' is assumed for illustration
    var userInput = String((req.body && req.body.username) || '');
    if (userInput.length < 10) {
        // write to database
        res.status(201).end();
    } else {
        // don't write to database and return an error message
        res.status(400).send('Input must be shorter than 10 characters');
    }
});
This way, if a bot decides to bypass your client-side restrictions, you are still checking the constraints on the web service side.
Yes, there are many required fields on the form, as well as validation. We also have server-side validations, as we use ASP.NET. So you are saying I need something on the web service end to validate as well? – Raquel Mar 23 '17 at 20:09