It is possible to capture the latest POST request in the browser and replay it with a different UUID. You then end up with two submissions/records.
This is not desired behavior, as it bypasses logic in the form. As a possible solution we would like the UUIDs to be generated only by the backend.
It is possible to submit a form more than once with a different UUID. The UUID can be generated by the submitting program (i.e. you can simply make it up yourself).
To reproduce:
1. Use a tool like Burp Suite to record the requests.
2. Fill in a form all the way to the "submission complete" screen. This is a DTO-specific flow; reproducing it only requires submitting a form.
3. Search for the following POST, GET and POST requests:
8638 https://domainname.com POST /gzi-adapter-leap/submission
8637 https://domainname.com GET /forms/secure/org/status/xxxxxxxxxxxxx
8635 https://domainname.com POST /forms/secure/org/data/xxxxxxxxxxxxxxx
Be aware though: the first POST, to /gzi-adapter-leap/submission, is a DTO-specific flow implementation. It generates the PDF mentioned below.
The other calls are LEAP specific.
4. Repeat the POST with ID 8635 (/forms/secure/org/data/...), overwrite the UUID in the repeated POST and press Send.
5. Repeat the second GET request with ID 8637 with the new UUID.
6. A new form has been submitted with identical data.
Refer to the case for the uploaded screenshots (PDF).
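The backend-generated UUID proposed above, sketched as an added example (this is not code from the reported application or from LEAP). It assumes a hypothetical form backend with two operations: the server issues a submission id when the form is opened, and it accepts a submission only if the id was issued by the server and has not already produced a record. Replaying the same POST with the same id, or with an id the client made up, is rejected and can be logged.

```python
"""Server-issued, single-use submission ids (added example, hypothetical backend)."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field


@dataclass
class SubmissionStore:
    # Ids handed out by the server that have not produced a record yet.
    issued: set[str] = field(default_factory=set)
    # Ids that already produced a record; a replay of a finished POST lands here.
    consumed: dict[str, dict] = field(default_factory=dict)
    # Rejected attempts, kept so the backend can alert on replay activity.
    rejected: list[tuple[str, str]] = field(default_factory=list)

    def issue_id(self) -> str:
        """The backend generates the id; the client never chooses it."""
        sid = str(uuid.uuid4())
        self.issued.add(sid)
        return sid

    def submit(self, submission_id: str, data: dict) -> tuple[bool, str]:
        """Create at most one record per issued id.

        In a real deployment the check-and-consume below must be atomic,
        e.g. a database unique constraint on the id column, so two
        concurrent replays cannot both pass the check.
        """
        if submission_id in self.consumed:
            self.rejected.append((submission_id, "duplicate"))
            return False, "duplicate: id already consumed"
        if submission_id not in self.issued:
            self.rejected.append((submission_id, "unknown"))
            return False, "unknown id: not issued by the server"
        self.issued.discard(submission_id)
        self.consumed[submission_id] = data
        return True, "accepted"


def demo() -> dict:
    """Walk through the three cases from the report with constructed data."""
    store = SubmissionStore()
    form_data = {"field": "value"}  # constructed sample payload

    sid = store.issue_id()
    first, _ = store.submit(sid, form_data)                 # legitimate submit
    replay, _ = store.submit(sid, form_data)                # same POST replayed
    fabricated, _ = store.submit(str(uuid.uuid4()), form_data)  # client-made UUID

    return {
        "first": first,
        "replay": replay,
        "fabricated": fabricated,
        "records": len(store.consumed),
        "rejections": len(store.rejected),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the id is bound to a server-side state transition (issued, then consumed) rather than being a free-form field in the request body, so overwriting it in a captured POST no longer yields a second record.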