GregWilhelm
3 Posts

Pinned topic NetSuite Denial Of Service Issue

2012-01-20T05:56:43Z
I noticed a fairly obvious attack vector when working with the Cast Iron NetSuite endpoint. Cast Iron connects to NetSuite SuiteTalk using a standard NetSuite account. However, since the NetSuite login screen is publicly available, anyone who knows the account name (email address) that Cast Iron is using to authenticate with NetSuite can simply attempt to log in to NetSuite with six bad passwords, and the NetSuite account locks. This effectively breaks any Cast Iron to NetSuite SuiteTalk orchestrations.

I realize that this is not necessarily a Cast Iron problem, but obviously this is not acceptable for enterprise use. Any internet user can take down these orchestrations with an email address. They don't even have to know the password. Does Cast Iron support any other way to connect to NetSuite?
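As an added example (not code from this thread, nor from Cast Iron or NetSuite), a small detector from the defender's side: it scans constructed authentication audit lines and alerts when failed logins against an integration account approach the six-failure lockout threshold described above, so an operator can react before the orchestrations break. The log format, the account names and the early-warning threshold are assumptions.

```python
"""Alert on bursts of failed logins against an integration (service) account
before the account-lockout threshold (six failures, per the post) is hit."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lockout threshold described in the post: six bad passwords lock the account.
LOCKOUT_THRESHOLD = 6
# Hypothetical integration account(s); a burst against these breaks
# orchestrations, so warn earlier than for ordinary users.
INTEGRATION_ACCOUNTS = {"castiron-integration@example.com"}

def parse_event(line):
    """Parse one constructed audit line: '<ISO time> <email> <SUCCESS|FAILURE>'."""
    ts, user, status = line.split()
    return datetime.fromisoformat(ts), user.lower(), status == "SUCCESS"

def find_lockout_risks(lines, window=timedelta(minutes=10), warn_at=3):
    """Return {user: peak failures in window} for users whose failure streak
    within `window` reaches `warn_at` (integration accounts) or
    LOCKOUT_THRESHOLD (everyone else)."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = {}
    for line in lines:
        ts, user, ok = parse_event(line)
        streak = recent[user]
        if ok:
            streak.clear()        # a successful login resets the failure streak
            continue
        streak.append(ts)
        while streak and ts - streak[0] > window:
            streak.popleft()      # drop failures that fell out of the window
        limit = warn_at if user in INTEGRATION_ACCOUNTS else LOCKOUT_THRESHOLD
        if len(streak) >= limit:
            alerts[user] = max(alerts.get(user, 0), len(streak))
    return alerts

# Constructed sample log: a burst against the integration account plus noise.
SAMPLE_LOG = [
    "2012-01-20T05:50:00 castiron-integration@example.com FAILURE",
    "2012-01-20T05:50:05 castiron-integration@example.com FAILURE",
    "2012-01-20T05:50:09 castiron-integration@example.com FAILURE",
    "2012-01-20T05:50:12 castiron-integration@example.com FAILURE",
    "2012-01-20T05:51:00 alice@example.com FAILURE",
    "2012-01-20T05:51:30 alice@example.com SUCCESS",
    "2012-01-20T06:30:00 bob@example.com FAILURE",
]

if __name__ == "__main__":
    for user, n in find_lockout_risks(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n} failed logins within the window")
```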
  • devtfl
    1 Post

    Re: NetSuite Denial Of Service Issue

    2013-10-24T13:47:40Z

    This isn't really a Cast Iron issue; it's true of any use of the NetSuite web service. The issue leads to a broader set of problems with the NetSuite web service architecture. NetSuite does not support an API key or token type of authentication.

    It also relies on user-based passwords. Since these expire in NetSuite by default every 90 days (unless the setting is changed), this also causes issues with the login for a web services call. Once that password expires, the integration will lock the account. NetSuite will have to address these issues eventually. Until then, don't disclose your username and password to anyone you think may crash your integration.