Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The software development team is implementing the web service in the RESTful style. The software testing team is testing a user story, “As a customer, I want to place an order so that I can buy a toy.” It passed in the testing/lab environment but failed in the staging environment. Which of the following is the most likely reason?
A. The firewall allows the GET method only
B. The intrusion detection system (IDS) misjudged the transaction as a CSRF attack
C. The intrusion prevention system (IPS) allows the POST method only
D. The back-end web server validates every input value
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. The firewall allows the GET method only.
The convention of HTTP method/verb in RESTful API is as follows:
- GET for query or selecting data
- POST for creating or inserting data
- PUT for updating data
- DELETE for deleting data
The user story under testing is about “place an order,” the HTTP POST is needed to insert the transaction.
Tests against the user story passed in the testing/lab environment but failed in the staging environment, identical or similar to the production system. It implies that software solutions functions normally. There must be some configuration or infrastructure problems in the staging environment.
It’s a good practice that the back-end web server validates every input value. This condition remains unchanged both in the testing or staging environment. This option can be ruled out first.
Even if the intrusion detection system (IDS) misjudged the transaction as a CSRF attack, it triggers alert only and will not respond to the intrusion. This option can be eliminated as well.
The software solution requires the firewall to allow HTTP POST messages, so it’s all right that the intrusion prevention system (IPS) allows the POST method only.
Moreover, IPS usually sits right behind the firewall that has filtered network traffic and operates by matching patterns or learning malicious behavior based on statistics. If a firewall has the IPS capability, it’s better to treat traffic filtering rules as the functionality of the firewall instead of IPS.
If the firewall allows HTTP GET only and filters out the HTTP POST messages, the transaction to place an order will fail.