Securing the data tampering by intercepting the HTTP request

Ranch Hand
Posts: 278
Hi all

My webapp is based on the Spring framework, with a front end in JSP/JavaScript.
We have security issues and need some help on technology.
How can I prevent data tampering by intercepting the HTTP request? One solution is to
put everything in session, but it's a big modification.
Also I believe Spring Security must have something to prevent this kind of data modification, but I have no knowledge
of that.
I do have server side validation to invalidate bad characters entered before DB updates.

1. But what if data that travels (entered) from one page to another (rendered) (no DB insertions yet) is modified in between by intercepting the request?
2. Also, if a list from the DB is being rendered in a table format but, before rendering, it is altered and wrong data is rendered on display.


Please suggest.
Saloon Keeper
Posts: 7585
It's not entirely clear to me what you are trying to protect against, but it sounds as if you're trying to bolt security on top of an existing web app after the fact. That is generally the wrong approach, and will more often than not result in at least partially insecure systems.

For starters, all data received from the client is suspect, and must be considered tainted. If you're round-tripping IDs, you need to check that the particular client is authorized to access data associated with that ID (because it may have been tampered with), just as an example. You need to consider authentication and possibly encryption. You need to guard against XSS and SQL injection. Etc. etc.

Start reading here: https://coderanch.com/how-to/java/SecurityFaq#web-apps
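An added example (my own code, not from this thread, from CodeRanch, or from the original poster's application) of the point above about round-tripped IDs: the handler takes the id from the request but takes the user from the server-side session, and the lookup is scoped to that user, so a tampered id can only ever reach that user's own records. `Order`, `OrderRepository`, the `/orders/{id}` path and the view name are assumptions made for the example.

```java
import java.security.Principal;
import java.util.Optional;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

// Hypothetical domain type, assumed for this example only.
class Order {
    private final long id;
    private final String owner;       // username of the account that owns it
    private final String description;

    Order(long id, String owner, String description) {
        this.id = id;
        this.owner = owner;
        this.description = description;
    }

    public long getId() { return id; }
    public String getOwner() { return owner; }
    public String getDescription() { return description; }
}

// Hypothetical repository. The owner is part of the query, so there is no
// code path that loads a record first and has to remember to check
// ownership afterwards.
interface OrderRepository {
    Optional<Order> findByIdAndOwner(long id, String owner);
}

@Controller
public class OrderController {
    private final OrderRepository orders;

    public OrderController(OrderRepository orders) {
        this.orders = orders;
    }

    @GetMapping("/orders/{id}")
    public String show(@PathVariable("id") long id, Principal principal, Model model) {
        // The id is tainted: it came from the client and may have been changed
        // in transit. The principal was not: Spring resolves it from the
        // server-side session established at login, never from a parameter.
        Order order = orders.findByIdAndOwner(id, principal.getName())
            // Spring Security turns this into a 403 for an authenticated user;
            // answering "not found" would be equally fine, as long as the
            // response never contains another user's record.
            .orElseThrow(() -> new AccessDeniedException("order " + id));
        model.addAttribute("order", order);
        return "orderView"; // a JSP that renders the fields with <c:out>
    }
}
```

The same rule covers hidden form fields and model attributes that get posted back: anything that carries authority (the user id, a role, a price) must be re-derived on the server from the session or the database, not read back from a field the client can edit.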
Lucky J Verma
Ranch Hand
Posts: 278
Thanks Tim for replying back.

I will go a little further into what we have done and what situations we are facing.

In the webapp, at most places we have POST requests, and Spring encryption for URL params/GET requests.
Each input field is filtered or validated at client side for any JavaScript/XSS/SQL kind of statements, and also at the server side.
Anyone can intercept the HTTP request and change the data. But we are safe in case of bad data (bad characters) going to the DB because of server side filtering.
This is the current security implementation and obviously not enough.

Case 1. Data coming from the DB into a list, and the list is rendered on a JSP page. The request is intercepted and the data is modified and XSS added, e.g.
<iframe>http://yahoo.com</iframe>; and that is rendered on the JSP page.
Case 2. I enter some input value, "xyz", on a form on a JSP page and it is passed to the next JSP page and rendered (through model attributes), and in between it is modified by intercepting the HTTP request. The modified value is being rendered on the 2nd JSP. It could contain <iframe> too.

How to protect from such cases? Is SSL a solution? Should we put validations on output data too? Is it the right approach?
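An added example (again my own code, not from this thread and not the poster's application) for the two cases above: a small HTML encoder applied at render time, so that whatever a value contains by the time it reaches the view, including the `<iframe>` from case 1, it is displayed as text rather than interpreted by the browser. The `HtmlEncoder` class, `renderRows` and the sample values are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

public final class HtmlEncoder {
    private HtmlEncoder() {}

    /**
     * Escape the five characters that can change HTML structure in element
     * content or in a quoted attribute value. This is output encoding: it is
     * applied where the value meets the HTML, regardless of whether the value
     * was validated on the way in.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '&':  sb.append("&amp;"); break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Case 1 from the post: a list (from the DB, or a copy of it that was
     * altered in transit) rendered as table rows. Every cell goes through
     * escapeHtml, so the origin of the value does not matter.
     */
    public static String renderRows(List<String> values) {
        StringBuilder sb = new StringBuilder();
        for (String v : values) {
            sb.append("<tr><td>").append(escapeHtml(v)).append("</td></tr>\n");
        }
        return sb.toString();
    }

    /**
     * Case 2 from the post: a single model attribute echoed on the next page.
     * Same treatment; the value was never stored, so input filtering at the
     * DB boundary would not have seen it.
     */
    public static String renderEcho(String modelAttribute) {
        return "<p>You entered: " + escapeHtml(modelAttribute) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: one legitimate value and one tampered value
        // carrying the payload quoted in the post.
        List<String> rows = Arrays.asList("xyz", "<iframe>http://yahoo.com</iframe>");
        System.out.print(renderRows(rows));
        System.out.println(renderEcho("<iframe>http://yahoo.com</iframe>"));
    }
}
```

In a JSP the same effect comes from rendering with `<c:out value="${item}"/>` (its `escapeXml` attribute defaults to true) rather than `${item}` alone, and Spring's own form and bind tags honour the `defaultHtmlEscape` context-param in web.xml. Output encoding answers the "validations on output data" question: it is the check that makes case 2 safe even though the value never touched the database. SSL/TLS protects the value from a third party on the network; it does not stop the client from altering their own request before it is sent, so it does not replace this encoding or the server-side authorization checks.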