3 Security Usage of Import/Export Web Service API
This chapter recommends important secure coding practices for developers of the web service client to securely use the Import/Export Web Service.
- Do not log your Simphony password or authentication tokens returned by the Import/Export web service. Although the authentication tokens are short-lived, if attackers (including insiders) can access the log file, they will be able to impersonate you and run other important API methods.
- Ensure that your web service client catches exceptions and logs them securely, instead of showing the stack trace to users of your web service client. Attackers can leverage the leaked information to construct further attacks.
- Check the input length and type of all data received from users or third parties of your web service client. For example, before exporting a CSV file to the web service, verify that the size of the uploaded file is within an acceptable range, to avoid denial of service.
- If your web service client saves the CSV files that are uploaded by your users, you must run virus/malware scanners in order to detect whether malicious files are uploaded.
- If your web service client is publicly accessible, ensure that only authenticated users can use your service.
- Check the return code (a.k.a. error code) of the web service methods. Ensure that the actual return code matches the expected return code. For example, if a web service method returns 200, then it denotes the operation was successful. It is a good practice to log failures, for example when the return code is 404 (a.k.a. page not found).
- The web service client should disable Document Type Definition (DTD) processing as well as External Entity Expansion, to avoid exploits such as remote code execution, server-side request forgery and denial of service.
- The web service client should check the digital certificate presented by the Import/Export web service to ensure that the client is interacting with the trusted web service.
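The practices in this list, illustrated in Python as an added example (not Oracle's Simphony client code or the Import/Export API itself): a log filter that masks passwords and tokens, an upload size and type check, a generic error message with the full exception kept in the log, a return-code check, an XML parser that refuses DTDs and external entities, and a strict TLS context for certificate validation. The size limit, logger name, status codes, regular expression and sample documents are assumptions chosen for the example.

```python
"""Defensive helpers for a client of a CSV/XML import-export web service.

Added illustration; not Oracle's Simphony client code. All limits, names and
sample inputs below are assumptions made for the example.
"""
import logging
import re
import ssl
import xml.etree.ElementTree as ET
import xml.parsers.expat

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed ceiling for one CSV upload
# Assumed shape of credential-like fields as they might appear in log text.
_SECRET = re.compile(r"(?i)\b(password|token|authorization)(\s*[:=]\s*)\S+")

logger = logging.getLogger("importexport.client")   # assumed logger name


def redact(text: str) -> str:
    """Mask credential-like values so they never reach the log file."""
    return _SECRET.sub(r"\1\2[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub every record passing through the logger before it is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()          # already formatted; nothing left to substitute
        return True


logger.addFilter(RedactingFilter())


def validate_csv_upload(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> None:
    """Reject uploads that are not bytes, empty, oversized, or not UTF-8 text."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("upload must be raw bytes")
    if len(data) == 0:
        raise ValueError("upload is empty")
    if len(data) > max_bytes:
        raise ValueError(f"upload exceeds {max_bytes} bytes")
    data.decode("utf-8")          # UnicodeDecodeError for binary junk


def safe_call(operation, *args):
    """Run a client operation; keep the stack trace in the log, not in the reply."""
    try:
        return True, str(operation(*args))
    except Exception:
        logger.exception("Import/Export operation failed")   # passes the filter
        return False, "The request could not be completed. Contact support."


def check_return_code(status: int, expected: int = 200) -> bool:
    """Compare the actual status with the one the caller expects; log mismatches."""
    if status == expected:
        return True
    logger.warning("Import/Export call failed: status=%d expected=%d", status, expected)
    return False


class DtdForbidden(ValueError):
    """Raised when a document carries a DOCTYPE, entity declaration or external ref."""


def parse_xml_without_dtd(payload: bytes) -> ET.Element:
    """Parse XML with DTD processing and entity expansion disabled.

    expat scans the document first with handlers that abort on any DOCTYPE,
    entity declaration or external entity reference; only a clean document
    is then handed to ElementTree.
    """
    def forbid(*_args):
        raise DtdForbidden("DTD / external entity processing is disabled")

    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = forbid
    scanner.EntityDeclHandler = forbid
    scanner.ExternalEntityRefHandler = forbid
    scanner.Parse(payload, True)
    return ET.fromstring(payload)


def make_tls_context(cafile=None) -> ssl.SSLContext:
    """Strict client context: chain and host name must verify (system store or cafile)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses unverified or name-mismatched certificates."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real service.
    validate_csv_upload(b"item,price\nCoffee,2.50\n")
    print(check_return_code(200), check_return_code(404))
    print(parse_xml_without_dtd(b"<Response><Code>200</Code></Response>").find("Code").text)
    try:
        parse_xml_without_dtd(b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>')
    except DtdForbidden as exc:
        print("rejected:", exc)
    print(safe_call(lambda: 1 / 0))
    print(tls_context_is_strict(make_tls_context()))
```

Attach `RedactingFilter` to whichever logger the client uses, and wrap every outbound call in something like `safe_call` so that users see only the generic message while operators keep the full trace. The expat pre-scan rejects the document before ElementTree ever sees a DOCTYPE, which is the same approach the `defusedxml` package takes without needing the extra dependency.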