
URL Tampering

When I submit the page, a user can tamper with the request parameters by using some URL tampering tools which are freely available on the net. Is it possible to check whether the URL is tampered with when the request reaches the servlet?

Regards,
Dharmendra.
Well your Servlet knows the request it is there to service. What tampering are you worried about?

Paul Sturrock wrote: Well your Servlet knows the request it is there to service. What tampering are you worried about?

I mean changing the values of the parameters.
e.g. pClientId=X is the original value of the parameter pClientId. But a hacker can interrupt the request & change the value of pClientId to X' or 'A' = 'A
This value is being used in the SQL; as a result the query will fetch all the client records.
One way to avoid this is to sanitise the data for special characters. But there may be other ways to send unauthenticated data in the request. That's why I am checking whether it is possible to identify a tampered request.
If for some reason you can't check the validity of parameters on the server, you can either encrypt the parameters, or keep them in a session on the server.
What is generating the request?

If plain HTML forms then your servlet MUST perform checking/sanitizing of ALL parameters before they get used. Surely your application knows what kind of operations users are allowed to perform.

Bill
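The three defences raised in this thread (validate every parameter on the server, tie the value to the server-side session, and never splice it into SQL) in one servlet, as an added example that is not code from any poster. It assumes the javax.servlet API, a DataSource set up elsewhere, a hypothetical clients table, and that the logged-in user's own client id was stored in the session at login.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

public class ClientServlet extends HttpServlet {
    // Assumption: client ids are short alphanumeric tokens; anything else is rejected outright.
    private static final Pattern CLIENT_ID = Pattern.compile("[A-Za-z0-9]{1,16}");
    private DataSource dataSource; // assumed to be looked up or injected in init()

    // VULNERABLE form from the thread: the raw parameter becomes SQL text, so a value such as
    //   X' or 'A' = 'A   turns the WHERE clause into a tautology and returns every client.
    // String sql = "SELECT name FROM clients WHERE client_id = '" + req.getParameter("pClientId") + "'";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String clientId = req.getParameter("pClientId");
        // 1. Validate: the server, not the browser, decides what a legal value looks like.
        if (clientId == null || !CLIENT_ID.matcher(clientId).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid pClientId");
            return;
        }
        // 2. Authorize: a well-formed but altered id must still match what the session holds.
        HttpSession session = req.getSession(false);
        if (session == null || !clientId.equals(session.getAttribute("clientId"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Parameterize: the value travels as a bound parameter, never as part of the SQL string.
        String sql = "SELECT name FROM clients WHERE client_id = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, clientId);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    resp.getWriter().println(rs.getString("name"));
                }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

Step 1 alone is not enough: an id that passes the pattern can still be someone else's, which is why step 2 (or an equivalent ownership check in the query) is needed even with a PreparedStatement.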
