Question

Our company has a SOAP-Based WebService written in C# ASP.Net 4.

The original developer left a while ago and unfortunately left it in an extremely messy state. Maintaining it is an absolute nightmare, so I am in the process of refactoring.

Along the way I have noticed that he had coded the responses to include the original requests, including the usernames and passwords for accessing the service (which are the first two parameters to all web methods that exist in this API).

Since I am looking into re-doing the infrastructure I wanted to ask if anyone knows whether the practice of returning the original request is normal?

To me it seems like a security issue waiting to happen? Do other people send back the original request minus the security information?

Note: I am aware that this is legacy technology but unfortunately I am not in a position to re-write the whole thing from the ground up :-(

Thanks, Gary.


Example (SOAP XML omitted for brevity):

REQUEST:
POST our-web-service/Products.asmx/Details
username=TEST_USER&password=TEST_PASSWORD&productId=12345

RESPONSE:
<Response IsValid="True">
  <Product id="12345">
    <Name>Test Product 1</Name>
    <Category>General</Category>
    ....
  </Product>

  <OriginalRequest>
    <Username>TEST_USER</Username>
    <Password>TEST_PASSWORD</Password>
    <ProductId>12345</ProductId>
  </OriginalRequest>

</Response>

Solution

We are not aware of your API functionality. So, there may be a case in which your application needs the original request data to perform some process in a stateless environment. I mean, the sender or requester doesn't want to hold on to the request message until it gets processed and comes back from your API.

But exposing username and password like this is highly unlikely.

Even if your production runs on https, it doesn't mean it can't be tampered with. If you are using (exchanging) SSL certificates at both the client and server end then it's fine. There is one more option in https at the server side, "without client authentication". In this type of transport a self-signed certificate is used by the client to send and receive http requests and responses. This can be tampered with.

So make sure that you are exchanging SSL certificates, if your client is very concerned about security.

And there is no need to send the password, at least. For one time, you can send the username, but sending the password like this will be a blunder for the security of your application.
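As an added example that is not from the question or the answer, the following Python shows the two things discussed above: building the response so that the request is still echoed for stateless correlation (the case the answer allows for) but with the credential fields removed, and a small regression check that scans any response body for the request's credential values, so the legacy behaviour from the question's example is caught in a test. The field names, sample values and element names are assumptions modelled on the question's example, not the real service.

```python
import xml.etree.ElementTree as ET

# Assumption, modelled on the question: the first two parameters of every
# web method are the caller's credentials and must never be echoed back.
CREDENTIAL_FIELDS = ("username", "password")

# Constructed sample request; values are placeholders, not real credentials.
SAMPLE_REQUEST = {
    "username": "TEST_USER",
    "password": "TEST_PASSWORD",
    "productId": "12345",
}

# Constructed product record standing in for whatever the backend returns.
SAMPLE_PRODUCT = {"id": "12345", "Name": "Test Product 1", "Category": "General"}


def _build(request, product, echo_fields):
    """Serialise a response in the shape of the question's example, echoing
    only the request fields listed in echo_fields under <OriginalRequest>."""
    root = ET.Element("Response", IsValid="True")
    prod = ET.SubElement(root, "Product", id=product["id"])
    for name in ("Name", "Category"):
        ET.SubElement(prod, name).text = product[name]
    echo = ET.SubElement(root, "OriginalRequest")
    for field in echo_fields:
        # Capitalise the first letter to match the element names in the question
        # (productId -> ProductId).
        ET.SubElement(echo, field[0].upper() + field[1:]).text = request[field]
    return ET.tostring(root, encoding="unicode")


def legacy_response(request, product):
    """Reproduces the legacy behaviour described in the question: the whole
    request, credentials included, is echoed back. Kept only to show the leak."""
    return _build(request, product, echo_fields=list(request))


def hardened_response(request, product):
    """Echoes the request so a stateless client can correlate the reply, but
    drops every credential field before anything is serialised."""
    echo = [f for f in request if f.lower() not in CREDENTIAL_FIELDS]
    return _build(request, product, echo_fields=echo)


def leaked_credentials(response_xml, request):
    """Regression check: names of credential fields whose request values appear
    anywhere in the serialised response body (element text or attributes)."""
    return [
        f for f in CREDENTIAL_FIELDS
        if request.get(f) and request[f] in response_xml
    ]


if __name__ == "__main__":
    print("legacy leaks:", leaked_credentials(legacy_response(SAMPLE_REQUEST, SAMPLE_PRODUCT), SAMPLE_REQUEST))
    print("hardened leaks:", leaked_credentials(hardened_response(SAMPLE_REQUEST, SAMPLE_PRODUCT), SAMPLE_REQUEST))
    print(hardened_response(SAMPLE_REQUEST, SAMPLE_PRODUCT))
```

The check deliberately searches the whole serialised body rather than just `<OriginalRequest>`, because a credential can leak through any element or attribute, and it is cheap to run against every web method's response in a unit test before and after the refactor.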

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow