
forms & security

 
Eric Sexton
Ranch Hand
Posts: 133
I want a way to protect data that I pre-populate in a JSP form. I don't want a user to be able to look at the source and see the way I format the value of the label that they are seeing. For instance, I have a select with several options. The value and the label for each option are 2 different things, and I want to prevent a user from figuring out HOW I'm sending down the data. It's a common trick hackers will use. What do you think?
 
Gregg Bolinger
Ranch Hand
Posts: 15304
I would think the only way to protect that is to use javascript to disable the context menu on the web browser. However, a real hacker knows that if you disable javascript, you get the context menu back.
 
Eric Sexton
Ranch Hand
Posts: 133
I was maybe hoping to do a poor man's version that would at least convert the values to hex or a hashCode or something and then convert it back after submission. Hmmmm.
 
Gregg Bolinger
Ranch Hand
Posts: 15304
Well, in ASP.NET (maybe even ASP) they do something like that. But typically to store Session/Cookie information in a hidden field. They are hashed somehow, but not like MD5. You would have to be able to unhash it, like you said.
Worth looking into anyway. I will see what I can dig up.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65826
You can't really hide it. So you need a different tactic.
If you are worried about hackers submitting faux forms to your site from their own address, your actions can check the referrer of the submission and reject anything that wasn't submitted from your own server. How easy it is to spoof the referrer, I do not know.
A more involved tactic could be to encrypt the values with a per-request key that would change from request to request. Encryption is not my forte, so I'll leave it to others (suggest the Other Java APIs forum) for encryption questions.
There are probably other tactics that you can use... anyone else have suggestions?
bear
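The tactic Gregg mentions (ASP.NET's protected hidden field) and the one Bear sketches (a value the browser can see but cannot usefully alter) come down to the same idea: the server attaches a keyed check value to what it sends down and verifies it on the way back. The class below is an added example written for this thread; it is not code from any of the posters, from ASP.NET, or from any project. It swaps in a MAC (HmacSHA256) for the encryption Bear describes, because the goal is to detect a tampered value, not to hide one whose label is already on screen. The field name "dateRange", the session id string and the set of allowed ranges are made up for the demo; in a real servlet the session id would come from request.getSession().getId() and the key would be created once at start-up and kept server-side.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Signs the option/hidden values a servlet pre-populates into a form, so that a value
 * the user edited in the page source fails verification on submission. The value itself
 * is not hidden (it can't be); only its integrity is protected.
 */
public final class SignedFormValue {
    private static final String ALG = "HmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] key;   // server-side secret; never sent to the browser

    public SignedFormValue(byte[] key) {
        this.key = key.clone();
    }

    /** Generates a random 256-bit key, e.g. once at application start-up. */
    public static byte[] newKey() {
        byte[] k = new byte[32];
        RNG.nextBytes(k);
        return k;
    }

    /** Token = base64url(value) "." base64url(HMAC(key, field | sessionId | value)). */
    public String sign(String field, String sessionId, String value) {
        String v = ENC.encodeToString(value.getBytes(StandardCharsets.UTF_8));
        return v + "." + ENC.encodeToString(mac(field, sessionId, v));
    }

    /** Returns the original value, or null if the token was altered, forged, or issued to another session. */
    public String verify(String field, String sessionId, String token) {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        String v = token.substring(0, dot);
        byte[] presented;
        try {
            presented = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // MessageDigest.isEqual is constant-time, so a forger learns nothing from response timing.
        if (!MessageDigest.isEqual(mac(field, sessionId, v), presented)) return null;
        try {
            return new String(DEC.decode(v), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    private byte[] mac(String field, String sessionId, String encodedValue) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            // Field name and session id go into the MAC so a token can't be moved to another
            // field of the form or replayed from another user's session. Zero bytes separate
            // the parts so "ab"+"c" and "a"+"bc" don't collide.
            m.update(field.getBytes(StandardCharsets.UTF_8));
            m.update((byte) 0);
            m.update(sessionId.getBytes(StandardCharsets.UTF_8));
            m.update((byte) 0);
            m.update(encodedValue.getBytes(StandardCharsets.US_ASCII));
            return m.doFinal();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        SignedFormValue signer = new SignedFormValue(newKey());
        String session = "JSESSIONID-of-this-user";            // assumed; in a servlet: request.getSession().getId()
        Set<String> allowedRanges = Set.of("7", "30", "90");    // assumed: the only date ranges the server honours

        // Rendering: the JSP emits the signed token as the option value; the label stays readable.
        for (String days : allowedRanges) {
            System.out.println("<option value=\"" + signer.sign("dateRange", session, days)
                    + "\">last " + days + " days</option>");
        }

        // Submission: a genuine token round-trips to its value.
        String submitted = signer.sign("dateRange", session, "30");
        String value = signer.verify("dateRange", session, submitted);
        System.out.println("genuine token -> " + value);

        // A user who worked out the format and swapped in "3650" still lacks the key, so the MAC fails.
        String forged = ENC.encodeToString("3650".getBytes(StandardCharsets.UTF_8))
                + submitted.substring(submitted.indexOf('.'));
        System.out.println("forged token  -> " + signer.verify("dateRange", session, forged));

        // A token captured from another session is rejected too.
        System.out.println("other session -> " + signer.verify("dateRange", "someone-else", submitted));

        // The MAC only proves the server issued the value; ordinary validation still applies.
        boolean ok = value != null && allowedRanges.contains(value);
        System.out.println("within allowed set: " + ok);
    }
}
```

Two things worth keeping in mind with this approach. First, for a plain select whose allowed values the server already knows, the check against allowedRanges on its own is enough; the signature earns its keep for values that are per-user and awkward to whitelist (an account id in a hidden field, say). Second, the signature does not stop a user from submitting a genuine token they were legitimately given, so it is integrity, not authorization.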
 
Eric Sexton
Ranch Hand
Posts: 133
Yeah, I am relying on the firewall to take care of that issue with the faux submissions (it is supposed to protect against that), but was hoping to double-protect it or at least make it an annoyance for those hoping to submit a wider date range. I'll just make sure my validation is catching any anomalies.
 
Jolly John
Greenhorn
Posts: 1
try salting the data.
 
Eric Sexton
Ranch Hand
Posts: 133
huh?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65826
Welcome to the Ranch Jolly John!
There aren't many rules you'll have to worry about, but one is that proper names are required. Please take a look at the JavaRanch Naming Policy and change your display name to match it.
Thanks!
bear
JSP Forum Bartender
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65826
try salting the data.

Mmmm, tasty. But perhaps a little more detail on that recipe is needed?
bear
 