0

I have an AngularJS web application with a Java backend.

Now I want to send a mail out of the Angular application. I thought the best way is to send a POST or GET request to the web service and send the mail via an internal SMTP server to the recipient.

But I think there is a big security problem with this concept. When I create a web service call like /api/mail?mailto=john@doe.com, someone can take the link to the web service, change the recipient and use this link to start spamming other people.

Does someone know a secure way for this architecture to send a mail via a web service? It is necessary that I pass the recipient to the mail service, because the user sets this in the AngularJS UI.

I am happy about any suggestion.

Hannes

2 Answers

0

Here is the list of security measures you should take for securing your REST API: REST Security Cheat Sheet.

If you use Spring Security, you will be covered for most of this.

mirmdasif
  • The web service is the backend for a public web application. How can I put authentication on it without asking for credentials or without putting an application hash or something like that into the JavaScript code? – Hannes Sep 20 '17 at 07:19
  • Are you saying that your web service is public and has no security measures? – mirmdasif Sep 20 '17 at 07:37
  • I think I am using the most common things to secure the web service: HTTPS, CORS headers, restricted HTTP methods, type-safe parameters... But all this doesn't prevent an attacker from taking the link and starting to spam as I described at the top. But thank you for the link. I will have a look at CSRF. But I am not sure if this will prevent the attack I described. – Hannes Sep 20 '17 at 08:23
0

Use Mailgun. You can send 10,000 emails for free. You can call the API via your Java backend, like so:

import javax.ws.rs.core.MediaType;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.core.util.MultivaluedMapImpl;

// Jersey 1.x client call to the Mailgun HTTP API, using Mailgun's sample domain and sample key.
public static ClientResponse SendSimpleMessage() {
    Client client = Client.create();
    // Mailgun authenticates with HTTP Basic auth: user name "api", password = the API key.
    client.addFilter(new HTTPBasicAuthFilter(
        "api","key-3ax6xnjp29jd6fds4gc373sgvjxteol0"));
    WebResource webResource = client.resource(
        "https://api.mailgun.net/v3/samples.mailgun.org/messages");
    // The message fields travel as a form-encoded POST body.
    MultivaluedMapImpl formData = new MultivaluedMapImpl();
    formData.add("from", "Excited User <excited@samples.mailgun.org>");
    formData.add("to", "john@doe.com");
    formData.add("subject", "Hello");
    formData.add("text", "Testing some Mailgun awesomeness!");
    return webResource.type(MediaType.APPLICATION_FORM_URLENCODED).
        post(ClientResponse.class, formData);
}

This would be more secure than your implementation. I would also send the email address from the Angular client to your Java backend as a POST.

Retro Gamer
  • Where is the difference if I send the mail to an external mail server or an internal one? I think there is no difference. But I already thought about sending the mail address as POST. But I think in the browser network tab I can see the API call too, and an attacker can reproduce it... – Hannes Sep 22 '17 at 07:01
  • That might be because you are running off localhost if you are running it locally. Maybe take a look at [this article](https://stackoverflow.com/questions/19637459/rest-api-using-post-instead-of-get) – Retro Gamer Sep 22 '17 at 15:20
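Both answers point in the same direction: the problem in the question is not GET versus POST or internal versus external SMTP, but that the endpoint lets anyone trigger a mail to an arbitrary recipient. Whatever the browser sends can be replayed from the network tab, so the fix is to bind every send to an authenticated session and throttle it, not to hide the URL. The following guard is an added example, not code from the question, the answers or Mailgun. It assumes the Angular client already has a logged-in session with a server-side CSRF token and sends the recipient in a POST body; the class name, the limits and the sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Server-side checks to run before a "send mail" endpoint hands a message to SMTP or Mailgun.
 * Added example (hypothetical class): assumes an existing login session that carries a user id
 * and a CSRF token, and a POST body that carries the recipient chosen in the UI.
 */
public final class MailEndpointGuard {

    /** Outcome of the checks; the HTTP layer maps it to a status code (401, 403, 400, 429, 200). */
    public enum Decision { ACCEPT, UNAUTHENTICATED, BAD_CSRF_TOKEN, INVALID_RECIPIENT, RATE_LIMITED }

    // Constructed limits: at most 5 mails per user inside any 10 minute window.
    private static final int MAX_MAILS_PER_WINDOW = 5;
    private static final long WINDOW_SECONDS = 600;

    // Strict single-address syntax. Anything outside these character classes (CR, LF, comma,
    // semicolon) is rejected, so one field cannot expand into several recipients.
    private static final Pattern RECIPIENT =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    // user id -> send timestamps (epoch seconds) still inside the window.
    // In-memory for the example; a clustered backend would keep this in a shared store.
    private final Map<String, Deque<Long>> sendLog = new HashMap<>();

    public Decision check(String sessionUserId, String sessionCsrfToken,
                          String requestCsrfToken, String recipient, Instant now) {
        // 1. Never anonymous: a replayed link without a session sends nothing, whatever the recipient.
        if (sessionUserId == null || sessionUserId.isEmpty()) {
            return Decision.UNAUTHENTICATED;
        }
        // 2. CSRF: the token sent with the request must match the one bound to the session.
        //    Constant-time comparison so response timing does not leak the token.
        if (!constantTimeEquals(sessionCsrfToken, requestCsrfToken)) {
            return Decision.BAD_CSRF_TOKEN;
        }
        // 3. The recipient comes from the UI, so it is untrusted input: validate before use.
        if (recipient == null || recipient.length() > 254 || !RECIPIENT.matcher(recipient).matches()) {
            return Decision.INVALID_RECIPIENT;
        }
        // 4. Throttle per authenticated user, so a scripted replay cannot become a spam run
        //    and any abuse is attributable to one account.
        if (!allowSend(sessionUserId, now.getEpochSecond())) {
            return Decision.RATE_LIMITED;
        }
        return Decision.ACCEPT;
    }

    /** Sliding-window counter: true if this user may send another mail right now. */
    private boolean allowSend(String userId, long nowEpochSeconds) {
        Deque<Long> times = sendLog.computeIfAbsent(userId, k -> new ArrayDeque<>());
        // Forget sends that have aged out of the window.
        while (!times.isEmpty() && nowEpochSeconds - times.peekFirst() >= WINDOW_SECONDS) {
            times.pollFirst();
        }
        if (times.size() >= MAX_MAILS_PER_WINDOW) {
            return false;
        }
        times.addLast(nowEpochSeconds);
        return true;
    }

    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        MailEndpointGuard guard = new MailEndpointGuard();
        Instant t0 = Instant.parse("2017-09-20T07:00:00Z");
        String token = "constructed-csrf-token";  // constructed sample value

        // Request replayed from the network tab without a session: stopped at check 1.
        System.out.println(guard.check(null, token, token, "john@doe.com", t0));
        // Cross-site request that lacks the session-bound token: stopped at check 2.
        System.out.println(guard.check("hannes", token, "wrong-token", "john@doe.com", t0));
        // Recipient field carrying two addresses: stopped at check 3.
        System.out.println(guard.check("hannes", token, token, "a@b.com,c@d.com", t0));
        // Six legitimate sends in one minute: the window limit decides the last one.
        for (int i = 0; i < 6; i++) {
            System.out.println(guard.check("hannes", token, token, "john@doe.com", t0.plusSeconds(i)));
        }
    }
}
```

The order of the checks is deliberate: authentication and CSRF run before any input is parsed, the recipient check protects the mail layer from header injection, and the rate limit is keyed on the user id rather than on the client IP so that a logged-in user behind a shared NAT is not punished for a neighbour. Which recipients a user may write to at all (an allow-list of domains, only previously verified contacts) is a policy question the guard leaves to the caller.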