
URL Tampering

 
Dharmendra Sable
Greenhorn
Posts: 13
When I submit the page, a user can tamper with the request parameters by using some URL tampering tools which are freely available on the net. Is it possible to check whether the URL has been tampered with when the request reaches the servlet?

Regards,
Dharmendra.
 
Paul Sturrock
Bartender
Posts: 10336
Well your Servlet knows the request it is there to service. What tampering are you worried about?
 
Dharmendra Sable
Greenhorn
Posts: 13
Paul Sturrock wrote: Well your Servlet knows the request it is there to service. What tampering are you worried about?

I mean changing the values of the parameters.
e.g. pClientId=X is the original value of the parameter pClientId. But a hacker can intercept the request and change the value of pClientId to X' or 'A' = 'A
This value is used in the SQL; as a result the query will fetch all the client records.
One way to avoid this is to sanitise the data for special characters. But there may be other ways to send unauthenticated data in the request. That's why I am checking whether it is possible to identify a tampered request.
 
Ulf Dittmer
Rancher
Posts: 42970
If for some reason you can't check the validity of parameters on the server, you can either encrypt the parameters, or keep them in a session on the server.
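Ulf's second option (protecting the parameter rather than trusting it) is usually done by signing the value with a server-side secret before it goes into the page, and verifying the signature when the request comes back; a changed value then fails verification. The class below is an added example written for this thread, not code from any poster or from the servlet API. It assumes a hypothetical `SignedParam` helper with a constructed demo key; in a servlet you would call `verify(request.getParameter("pClientId"))` and treat `null` as a tampered or missing parameter. The session alternative from the same post is simpler still: keep the client id in `HttpSession` and never send it to the browser at all.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (added example): attaches an HMAC to a parameter value so the
// servlet can detect any change made between the page being served and the form being posted.
public final class SignedParam {
    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] key; // server-side secret; never leaves the server

    public SignedParam(byte[] key) {
        this.key = key.clone();
    }

    private byte[] mac(String value) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        return mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }

    /** Value to put in the hidden field or URL: value + "." + base64url(HMAC(value)). */
    public String sign(String value) throws Exception {
        return value + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(value));
    }

    /** Returns the original value, or null if the parameter is absent, malformed, or its MAC does not match. */
    public String verify(String param) throws Exception {
        if (param == null) {
            return null;
        }
        int dot = param.lastIndexOf('.'); // base64url never contains '.', so the last one is the separator
        if (dot < 0) {
            return null;
        }
        String value = param.substring(0, dot);
        byte[] got;
        try {
            got = Base64.getUrlDecoder().decode(param.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so the check itself does not leak anything about the expected MAC.
        return MessageDigest.isEqual(got, mac(value)) ? value : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads this from configuration, not source.
        SignedParam sp = new SignedParam("constructed-demo-key-change-me".getBytes(StandardCharsets.UTF_8));

        String signed = sp.sign("X");
        System.out.println("pClientId=" + signed);
        System.out.println("verify(unchanged) = " + sp.verify(signed));

        // The value from the thread, spliced in front of the MAC that was issued for "X".
        String tampered = "X' or 'A'='A" + signed.substring(signed.lastIndexOf('.'));
        System.out.println("verify(tampered)  = " + sp.verify(tampered));
    }
}
```

The signature only proves the value was issued by this server; it does not make the value safe for use in SQL, so the verified value should still be bound with a `PreparedStatement` rather than concatenated into a query. Signed values are also replayable across sessions unless the MAC covers something session-specific such as the session id, which is one reason the session-storage option is often the better fit for something like a client id.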
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
What is generating the request?

If plain HTML forms then your servlet MUST perform checking/sanitizing of ALL parameters before they get used. Surely your application knows what kind of operations users are allowed to perform.

Bill
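Bill's point, and Dharmendra's `X' or 'A'='A` example earlier in the thread, come together in the class below: an added example written for this thread, not code from any poster. It assumes a hypothetical `ClientLookup` class, a constructed client-id format (`[A-Za-z0-9]{1,16}`) and a constructed set of ids the current user may see; the servlet side would be `requireAllowed(requireClientId(request.getParameter("pClientId")), idsForUser(session))` followed by `findClient`. The vulnerable string-building from the thread is kept alongside so the difference is visible.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper (added example): the three checks a servlet should make on a
// client-id parameter before it gets anywhere near the database.
public final class ClientLookup {
    // Constructed format: only the shape our client ids actually have. Quotes, spaces and
    // SQL keywords are rejected simply because they are not valid ids, not by a blacklist.
    private static final Pattern CLIENT_ID = Pattern.compile("[A-Za-z0-9]{1,16}");

    /** Check 1: reject anything that does not look like a client id (null, empty, quoted, too long). */
    public static String requireClientId(String raw) {
        if (raw == null || !CLIENT_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid pClientId");
        }
        return raw;
    }

    /** Check 2: a well-formed id must also be one this user is entitled to see. */
    public static String requireAllowed(String clientId, Set<String> allowedForUser) {
        if (!allowedForUser.contains(clientId)) {
            throw new SecurityException("client id not permitted for this user");
        }
        return clientId;
    }

    /** The pattern from the thread: the parameter becomes part of the query text. */
    static String vulnerableSql(String clientId) {
        return "SELECT * FROM client WHERE id = '" + clientId + "'";
    }

    /** Check 3: bind the value as data, so its characters can never change the query's structure. */
    public static ResultSet findClient(Connection db, String clientId) throws SQLException {
        PreparedStatement ps = db.prepareStatement("SELECT * FROM client WHERE id = ?");
        ps.setString(1, clientId);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        Set<String> allowedForThisUser = Set.of("X", "Y"); // constructed: ids the session owner may view
        String[] samples = { "X", "Z", "X' or 'A'='A", "" };

        for (String s : samples) {
            System.out.println("input: [" + s + "]");
            System.out.println("  concatenated query would be: " + vulnerableSql(s));
            try {
                String id = requireAllowed(requireClientId(s), allowedForThisUser);
                System.out.println("  accepted: " + id + " (bound with setString, never concatenated)");
            } catch (RuntimeException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

Running `main` shows `X` accepted, `Z` rejected as not permitted, and the quoted value and the empty string rejected as malformed, while the concatenated query for the quoted value reads `... WHERE id = 'X' or 'A'='A'`, which is exactly the "fetch all the client records" outcome Dharmendra described. The authorisation check matters as much as the format check: a valid-looking id that belongs to another customer is still tampering, and neither sanitising nor a `PreparedStatement` catches it.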
