HTTP saves time, saves money, saves you

In Italy, as usual, our government is a mess when talking about {insert any topic here}: today’s topic will be… web services, saving money and time, and providing an efficient service to the citizens.

Verifying a VAT number

A requirement in your projects could be to verify a user’s VAT number when he subscribes to your service, which is intended for business owners.

The Italian government has such a service in the form of a web page, thus meant for humans: they don’t offer a specific web service, but that’s not a problem, as I can submit the form (it uses GET, which is exactly meant for the purpose) with an HTTP request. Cool.

Doing HTTP wrong

So the first thing that came to my mind was to use cURL to verify the service:

    curl -I -X GET http://www1.agenziaentrate.it/servizi/vies/transazione.htm -d "s=IT&p=02524130305" -G

where s is the country of the company and p its VAT number (bear in mind that the VAT number used here is wrong, as it was the one of my first company, now closed).

Bear in mind that:

    GET /vats?s=IT&p=02524130305

is logically equivalent to

    GET /vats/IT/02524130305

The result?

    HTTP/1.1 200 OK
    Date: Wed, 21 Sep 2011 13:02:25 GMT
    Server: Apache
    X-Powered-By: PHP/4.3.11
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html

First of all, let’s try not to get angry about that X-Powered-By header right there: let’s just ignore it :–|

Then… Oh, wow, 200 OK.

Why is this so bad?

At first glance it seemed weird to me, and I thought that they, for some reason, still considered my old company’s VAT number valid; but then I remembered how clueless an entire IT department can be, so I started suspecting that the system was responding 200 to every request.

Guess what, I was right.

I repeated the cURL call omitting the -I option (which retrieves headers only) and saw the entire response body: in a table, beautiful as the sun, “VAT number not found”.

So, if I need to verify the existence of a VAT number with the tools provided by my government, I need to parse an entire HTML document, look for a DOM element (table#feedback > td and stuff like that), parse the resulting string and… oh, I’m already annoyed just by describing the steps!

Take a look at the pseudo-code for this implementation:

    vat = request.get('vat')
    vatVerifyService = new ItalianGovernVatService

    vatResponse = vatVerifyService.check(vat)

    if (vatResponse) {
      body = vatResponse.getBody()

      // parse the body
      // look for a DOM attribute,
      // which will change as they update the website with a new fancy markup
      // then evaluate the resulting string
    }

and here is your code if you take HTTP into account:

    vat = request.get('vat')
    vatVerifyService = new ItalianGovernVatService

    vatResponse = vatVerifyService.check(vat)
    // vatResponse.getCode() tells you if the VAT is good or not
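To make the two designs concrete, here is an added example (mine, not code from the post or from the government service) that puts them side by side: a small handler for the `/vats/<country>/<number>` resource sketched above, which answers with a meaningful status code, next to a stand-in for the legacy page that always returns 200 and hides the verdict in an HTML table, plus the two clients each design forces you to write. The registry, the HTML markup and the valid VAT number `01234567890` are constructed for the example; `02524130305` is the closed-company number from the post and is deliberately absent from the registry.

```python
"""Added example (not from the original post): a VAT lookup resource that reports
its result through the HTTP status code, beside a client that has to scrape the
legacy always-200 HTML page. Registry, paths and markup are constructed."""
import re
from html.parser import HTMLParser

# Constructed sample registry: country -> set of valid VAT numbers.
REGISTRY = {"IT": {"01234567890"}}

# Italian VAT numbers are 11 digits; reject anything else before it reaches a backend.
VAT_RE = re.compile(r"^[0-9]{11}$")


def vat_handler(method, path):
    """Route GET /vats/<country>/<number> and answer with a status code that means something."""
    if method != "GET":
        return 405, ""
    m = re.fullmatch(r"/vats/([A-Z]{2})/([^/]+)", path)
    if m is None:
        return 404, ""
    country, number = m.groups()
    if country not in REGISTRY or not VAT_RE.match(number):
        return 400, ""            # malformed request: nothing to look up
    if number in REGISTRY[country]:
        return 200, "valid"
    return 404, "not found"       # the resource simply does not exist


def check_vat_by_status(country, number):
    """The client the post argues for: the status line is the whole answer."""
    status, _ = vat_handler("GET", f"/vats/{country}/{number}")
    return status == 200


# --- the legacy side: a page that answers 200 no matter what, verdict in the markup ---

def legacy_handler(country, number):
    """Constructed stand-in for the government page."""
    found = number in REGISTRY.get(country, set())
    msg = "VAT number valid" if found else "VAT number not found"
    return 200, f'<html><body><table id="feedback"><tr><td>{msg}</td></tr></table></body></html>'


class FeedbackCellParser(HTMLParser):
    """Collect the text of <td> cells inside the table with id="feedback"."""

    def __init__(self):
        super().__init__()
        self.in_feedback = False
        self.in_td = False
        self.cells = []

    def handle_starttag(self, tag, attrs):
        if tag == "table" and dict(attrs).get("id") == "feedback":
            self.in_feedback = True
        elif tag == "td" and self.in_feedback:
            self.in_td = True
            self.cells.append("")

    def handle_endtag(self, tag):
        if tag == "table":
            self.in_feedback = False
        elif tag == "td":
            self.in_td = False

    def handle_data(self, data):
        if self.in_td:
            self.cells[-1] += data


def check_vat_by_body(country, number):
    """The client the post complains about: ignore the status, scrape the body."""
    status, body = legacy_handler(country, number)
    if status != 200:
        return False
    parser = FeedbackCellParser()
    parser.feed(body)
    # Brittle: breaks the day the markup or the wording of the message changes.
    return any("not found" not in c.lower() and "valid" in c.lower() for c in parser.cells)


def naive_check(country, number):
    """The mistake from the post: reading the legacy 200 OK as 'this VAT is valid'."""
    status, _ = legacy_handler(country, number)
    return status == 200


if __name__ == "__main__":
    for num in ("01234567890", "02524130305"):
        print(num, check_vat_by_status("IT", num), check_vat_by_body("IT", num), naive_check("IT", num))
```

Running it shows the whole point of the post in one line of output: `naive_check` says both numbers are valid because the legacy page always answers 200, the scraper gets the right answer only as long as the table and its wording stay put, and the status-code client needs no parser at all. The `VAT_RE` check is the small extra a defender wants: the number is user input that ends up in a URL to a third party, so it is validated for shape before being forwarded.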

Ok, this resource is not intended to be a machine-consumed service, but:

Adapt your resources and domain application protocols to HTTP: this is the only way to save your and your consumers’ money and time in the modern web.


Hi there! I recently wrote an ebook on web application security, currently sold on leanpub, the Amazon Kindle store and gumroad.

It contains 160+ pages of content dedicated to securing web applications and improving your security awareness when building web apps, with chapters ranging from explaining how to secure HTTP cookies with the right flags to understanding why it is important to consider joining a bug bounty program.

Feel free to skim through some of the free chapters published on this blog and, if the content seems interesting enough to you, grab a copy on leanpub, the Amazon Kindle store or gumroad.

