
I'm working with a developer to develop a web application. For one aspect of this application, I need to allow hundreds of merchants to deliver non-PII and non-sensitive data to my website. The data will be used to pre-fill a form on my website and eventually submitted into my site's database to be scored.

I was considering an API solution with oauth authorization, but every merchant has a different level of technical know-how in terms of integrating with an API.

The other option I'm considering is to allow the merchant to submit the non-sensitive data via a parameter in the URL string (i.e. xyz.com?name=johnsshoeshop&shoesize=10&color=red).

My question is: can the parameter method be used securely, or am I opening my website to unknown risks? In your response, assume my developer uses common server-side validation like PHP (trim, stripslashes, strip_tags, htmlspecialchars, mysqli_real_escape_string, parameterized queries).

1 Answer


In terms of attack surface it does not matter if the parameters are sent in the query string of the URL or if they are sent inside the body of a POST request.

It is instead important that the data must be considered untrusted and thus needs to be properly verified according to clear and strict expectations. The proposed sanitizing and protection methods focus only on some very specific use cases for the data, namely storing inside a MySQL database and embedding the data inside HTML. If this is the only thing ever done with the data then fine. But if the data will ever be used in other contexts, like embedding in a PDF or being used as part of the command line when running an external command, then the proposed sanitizing might not be enough: different execution environments have different rules on how data gets interpreted.

So it is better to not only sanitize the data and use parameterized queries in SQL, but to actually have a clear expectation of how the data should look and enforce this.

I was considering an API solution with oauth authorization, but every merchant has a different level of technical know-how in terms of integrating with an API.

Proper data validation needs to be done no matter if OAuth is used or not. Just because something is authenticated does not mean it can be fully trusted.

  • Thank you for your detailed response. You mentioned the PDF application with the data. I may have a long-term need to use the data like that. Do you happen to have a nice resource I could learn about proper security rules for this and other scenarios? Regarding the OAuth, my thought process was to still validate the data, but I was thinking it would limit the third parties that could send the data to the form. Commented Jan 9, 2022 at 20:25
  • @user1609391: XSS, SQLi, ... are all kinds of code injection attacks, i.e. where data is interpreted as code since the specific data format (HTML, SQL instructions, ...) has too weak a separation between code and data. Similar with PDF - therefore just search for PDF injection to get more information - like this. Commented Jan 9, 2022 at 20:37
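As an added example (not code from the question, the answer, or the commenters), here is the "clear and strict expectation" approach the answer recommends, applied to the question's own query-string shape. The field rules are constructed assumptions for illustration: a lowercase alphanumeric merchant name, a whole-number shoe size from 1 to 20, and a colour from a fixed list; unknown, repeated, or missing parameters are rejected rather than cleaned up, so the value is safe in any later context (SQL, HTML, PDF, command line) because only values matching the contract ever get in.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed contract for the example URL xyz.com?name=...&shoesize=...&color=...
FIELDS = ("name", "shoesize", "color")
NAME_RE = re.compile(r"[a-z0-9]{1,64}")      # used with fullmatch: no anchors needed
SIZE_RE = re.compile(r"[0-9]{1,2}")          # ASCII digits only; int() alone accepts "+10"
COLORS = frozenset({"red", "blue", "black", "white"})


def validate_merchant_query(url):
    """Return (clean, errors). clean is populated only when errors is empty."""
    # keep_blank_values so "name=" is reported as invalid instead of silently dropped
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    errors = []

    # The contract is closed: anything outside it is an error, not something to ignore.
    for key, values in raw.items():
        if key not in FIELDS:
            errors.append(f"unexpected parameter {key!r}")
        elif len(values) != 1:
            errors.append(f"parameter {key!r} given {len(values)} times")
    errors += [f"missing parameter {key!r}" for key in FIELDS if key not in raw]
    if errors:
        return {}, errors

    name, size, color = (raw[key][0] for key in FIELDS)
    clean = {}

    # Each field is checked against what the form actually needs (allow-list), not
    # against a list of characters known to be dangerous somewhere (deny-list).
    if NAME_RE.fullmatch(name):
        clean["name"] = name
    else:
        errors.append("name must be 1-64 lowercase letters or digits")

    if SIZE_RE.fullmatch(size) and 1 <= int(size) <= 20:
        clean["shoesize"] = int(size)
    else:
        errors.append("shoesize must be a whole number from 1 to 20")

    if color in COLORS:
        clean["color"] = color
    else:
        errors.append(f"color must be one of {sorted(COLORS)}")

    return (clean, []) if not errors else ({}, errors)
```

A value such as `name=a%3Cb%3E` (`a<b>`) is simply refused here; escaping it for HTML would make it safe in one context only, which is the answer's point.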
