When I submit the page, a user can tamper with the request parameters by using URL tampering tools which are freely available on the net. Is it possible to check whether the URL has been tampered with when the request reaches the servlet?
Paul Sturrock wrote: Well, your Servlet knows the request it is there to service. What tampering are you worried about?
I mean changing the values of the parameters.
e.g. pClientId=X is the original value of the parameter pClientId. But a hacker can intercept the request & change the value of pClientId to X' or 'A' = 'A
This value is being used in the SQL; as a result the query will fetch all the client records.
One way to avoid this is to sanitise the data for special characters. But there may be other ways to send unauthenticated data in the request. That's why I am checking whether it is possible to identify a tampered request.
If for some reason you can't check the validity of parameters on the server, you can either encrypt the parameters, or keep them in a session on the server.
William Brogden, Author and all-around good cowpoke
If plain HTML forms, then your servlet MUST perform checking/sanitizing of ALL parameters before they get used. Surely your application knows what kind of operations users are allowed to perform.
Bill
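The following is an added example, not code from anyone in this thread. It reproduces the tampered pClientId value quoted above against a constructed in-memory sqlite3 table and then shows the three defences the replies describe: validating the parameter server-side before use, binding it as a query parameter instead of concatenating it into the SQL, and keeping the authoritative client id in the server session so a mismatching request is rejected outright. It is written in Python rather than as a servlet so it runs stand-alone; the table layout, the id format accepted by CLIENT_ID_RE, and the session dictionary are all assumptions standing in for the application's own.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's client table.
CLIENTS = [
    (1, "X", "Acme Ltd"),
    (2, "Y", "Beta GmbH"),
    (3, "Z", "Gamma Inc"),
]

# Assumed format for a legitimate pClientId: short, alphanumeric, no quotes or spaces.
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client (id INTEGER PRIMARY KEY, client_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO client VALUES (?, ?, ?)", CLIENTS)
    return conn


def lookup_vulnerable(conn, p_client_id):
    """String concatenation: whatever the client sent becomes part of the SQL grammar."""
    sql = "SELECT name FROM client WHERE client_id = '" + p_client_id + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, p_client_id):
    """Parameter binding only: the value is always treated as data, never as SQL."""
    sql = "SELECT name FROM client WHERE client_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (p_client_id,))]


def lookup_safe(conn, p_client_id):
    """Server-side validation first, then binding; a malformed value is refused before any SQL runs."""
    if not CLIENT_ID_RE.fullmatch(p_client_id):
        raise ValueError("rejected pClientId: " + repr(p_client_id))
    return lookup_bound(conn, p_client_id)


def lookup_session_bound(conn, session, p_client_id):
    """Keep the authoritative client id in the server session and refuse a request whose
    parameter disagrees with it, so tampering is detected rather than merely neutralised."""
    if p_client_id != session.get("client_id"):
        raise PermissionError("pClientId does not match the logged-in session")
    return lookup_safe(conn, p_client_id)


def demo():
    """Run each lookup against the tampered value from the thread and report the outcomes."""
    conn = make_db()
    tampered = "X' or 'A' = 'A"
    session = {"client_id": "X"}  # constructed: what the login step stored server-side
    out = {
        "vulnerable_normal": lookup_vulnerable(conn, "X"),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),  # every client leaks
        "bound_tampered": lookup_bound(conn, tampered),  # literal match, nothing returned
        "safe_normal": lookup_safe(conn, "X"),
    }
    try:
        lookup_safe(conn, tampered)
        out["safe_tampered"] = "accepted"
    except ValueError:
        out["safe_tampered"] = "rejected"
    try:
        lookup_session_bound(conn, session, "Y")  # well-formed, but not this session's client
        out["session_other_client"] = "accepted"
    except PermissionError:
        out["session_other_client"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note the difference between the last two defences: binding the parameter stops the injected `or 'A' = 'A` from changing the query, but a well-formed id belonging to another client would still be honoured; only comparing the parameter against what the server itself stored at login catches that case.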