Preventing url hacking in a Spring/Struts application

Per-Olof Vallin
Greenhorn

Joined: Aug 25, 2008
Posts: 3
Hi

I am developing a web application based on Struts2, Spring and Hibernate. We are using spring security for authentication control, ssl etc.

Now, I need to secure the application against what I think is called url hacking. For instance, if the customer with customerId 1 is logged in and viewing his profile, the following http get variable will be visible in the address field: customerId=1.
I need to prevent a customer from being able to set customerId=2 and see the profile of another customer.

How is this best achieved?

I've so far looked at Spring Security's Access Control List functionality and thought of the possibility to implement a Struts interceptor to check an action's customerId, but I'm not sure if either of these options is the way to go.

Any suggestions/comments?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41060
Welcome to JavaRanch.

I'd strongly advise never to make any IDs directly visible to the client, at least not in an unencrypted form.

How about using a session that keeps that ID on the server side?

Per-Olof Vallin
Greenhorn

Joined: Aug 25, 2008
Posts: 3
I'm not sure I made myself clear here.
We are not displaying the id of the user that is logged in, this id is stored in a session.

Let me give another example.
Each customer has a number of orders. When a customer is viewing an order, the orderId is visible in the url. This is the id I don't want a customer to be able to tamper with. If a customer changes the orderId to an id of an order belonging to another customer, access should be denied.

Do you advise against displaying this id in the url as well?
[ November 06, 2008: Message edited by: P-O Vallin ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41060
Yes, by "user-visible" I meant the URL (as well as form fields, hidden or not). A better phrase would be "anything that's round-tripped from the server to the client, and then back to the server". That's susceptible to tampering, and someone WILL do it.
Per-Olof Vallin
Greenhorn

Joined: Aug 25, 2008
Posts: 3
Thanks for the tip.
I'll have a look at that.
ekansh singh
Greenhorn

Joined: Mar 05, 2009
Posts: 5
Hi .. I am also having a similar problem. I am developing a prototype application using Struts - MySQL.
I hope this is called URL hacking.

imagine this is the application
DATABASE


Now on the first page of the application the user is given a welcome/login screen.
On successful login the employee page is displayed, which shows a hyperlink VIEWLOAN.
On clicking VIEWLOAN the loan page is displayed.

Now the catch in my application is that when, on the user page (just the previous page), I click on "view source" of the HTML, it gives the

URL of the VIEWLOAN link, which is, say, http://abc/ShowLoan.action?loanID=23

Anyone can copy this link and paste it into their browser, even without logging into the application,
and the loan details will be displayed,

because the method mapped to "ShowLoan" in the struts file simply obtains data from the database and sends it to the JSP page.

No checking of the user id is done, and I don't know how to do it either.

I thought of maintaining a session. So on successful login I put


but even then, if someone puts this URL into their browser, the method mapped to ShowLoan has got nothing to check the session attribute against.

One way:
I can check if the session is not null.. but anyone who is logged in can check someone else's details, because the session won't be null.

Other way:
session.getAttribute("user_id") should be checked against what?

Should I maintain both a cookie and a session to check for the user,
something like

session.getAttribute("user_id").equals(retrieve cookie attribute user_id)

Help

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
Ulf Dittmer wrote: Yes, by "user-visible" I meant the URL (as well as form fields, hidden or not). A better phrase would be "anything that's round-tripped from the server to the client, and then back to the server". That's susceptible to tampering, and someone WILL do it.


What @ulf said.

Never trust the client software. Never ever! Perhaps you are talking to a browser, or perhaps you are talking to a program that a bad guy wrote that pretends to be a browser.
Milind Mahajan
Ranch Hand

Joined: Oct 23, 2000
Posts: 77
A bit late into the discussion, but I hope to get some feedback on my thoughts. Thanks in advance.

Similar issue again.

In a web application, when a user visits a students list page, the screen shows list of student names with hyperlinks. Only those student names are shown which the user is allowed to see. When user clicks on the hyperlink, a new window opens showing the details of the user. The child window's address bar shows the url as follows.

http://myhost:8080/studentID=100

The problem is that the user could change the value of parameter studentID and get the details of some other student which he/she is not eligible to see (hence not shown in the previous list screen). This is a security issue - url manipulation.

I could think of some of the ways we could prevent this.

a. Hide the address bar in the child screen.
b. Change the query which fetches the student details to include a clause which checks the eligibility of the logged in user.
c. Put the student IDs fetched in the previous list screen in session and make sure the details are shown only for those student IDs.
d. Do not pass studentID in the url parameter. Post it.

Are there any other ways? Which of these is a better way and why?

Thanks,
-Milind
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
Milind Mahajan wrote: Are there any other ways? Which of these is a better way and why?


Again, never trust the client.

Rather than sending the real ID value, generate a nonce, use the nonce as the key to a hashmap. Send the nonce.

http://myhost:8080/?nonce=1985234234g134

When you get the request, look up the nonce in the hashmap and get the key.
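An added example of the nonce indirection Pat describes, in plain Java; it is not code from this thread. One map lives per logged-in session (the class and method names are my own), so the URL carries a random token instead of the orderId/studentID and a token the session never issued simply fails to resolve.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * One instance per logged-in session (store it as a session attribute). Maps an opaque,
 * unguessable nonce to the real record id, so the URL carries the nonce and never the id.
 */
public final class NonceIdMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Long> nonceToId = new HashMap<>();

    /** Mint a nonce for a real id when rendering a link; this is what goes into the URL. */
    public synchronized String issue(long realId) {
        byte[] buf = new byte[16];               // 128 random bits: not guessable from the URL
        RNG.nextBytes(buf);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        nonceToId.put(nonce, realId);
        return nonce;
    }

    /** Resolve the nonce from the request; empty if this session never issued it (edited or foreign). */
    public synchronized Optional<Long> resolve(String nonce) {
        return nonce == null ? Optional.empty() : Optional.ofNullable(nonceToId.get(nonce));
    }

    public static void main(String[] args) {
        NonceIdMap map = new NonceIdMap();       // in a servlet: session.setAttribute("nonceMap", map)
        String link = map.issue(23L);            // render the link as ShowLoan.action?nonce=<link>
        System.out.println("issued " + link + " -> " + map.resolve(link).orElse(-1L));
        // A client that edits the URL to a plain id, or to another session's token, gets nothing back.
        System.out.println("forged resolves: " + map.resolve("24").isPresent());
    }
}
```

The map is discarded with the session, so bound its size if a page renders many links; the indirection hides the ids but does not replace the server-side ownership check on the resolved id.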
Milind Mahajan
Ranch Hand

Joined: Oct 23, 2000
Posts: 77
Thanks Pat. Agreed.

But what if I have lots of code already written which is passing the parameters in the url similar to what I mentioned? While it is true that the code has to be re-written to do the nonce thing you suggested, in the short term, wouldn't url hiding or using the 'POST' method (because I think these can possibly be done easily compared to the nonce stuff and remove the 'user-visible' part) make misusing the urls at least slightly more difficult? If so, then we could buy some time and do the right fix in the days/months to come. Any thoughts on this?

Thanks,
-Milind
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
Using a POST rather than a GET is slightly more secure, but not much. Any proxy will show the "hidden" information. With Firefox, there is a wonderful plugin, HttpFox, that works great.

Sadly, if you care about more than token trivial security, you have to not trust the user.

Tell your boss it's called "re-factoring for security".
Milind Mahajan
Ranch Hand

Joined: Oct 23, 2000
Posts: 77
Thanks again.

Tell your boss it's called "re-factoring for security"


I did :-)
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
Milind Mahajan wrote: I did :-)

I know that song.

Install HttpFox into your Firefox, turn it on, and look at what you can see. It's amazing.
It might even help the boss understand.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41060
Milind Mahajan wrote: But what if I have lots of code already written which is passing the parameters in url similar to what I mentioned.

You'll have to check on the server side if the user that's logged in actually has the privileges to see the information they're requesting (in other words, somehow you need to check the studentID against the list of IDs this user is allowed to see). Yes, it seems like double work. No, you can't avoid it.
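The server-side check Ulf describes, as an added example that is not part of the original thread: the lookup takes the customer id from the authenticated session together with the orderId from the URL and refuses unless both match, which is Milind's option b in query form. The class names and the in-memory orders are constructed stand-ins for the Hibernate-backed entities.

```java
import java.util.HashMap;
import java.util.Map;

/** Thrown when the logged-in user requests a record that is not theirs; map it to HTTP 403 or 404. */
class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

/** Constructed stand-in for the persisted Order entity. */
final class Order {
    final long id; final long ownerCustomerId; final String description;
    Order(long id, long ownerCustomerId, String description) {
        this.id = id; this.ownerCustomerId = ownerCustomerId; this.description = description;
    }
}

/** Order lookup scoped to the requesting customer; the id from the URL is never trusted on its own. */
public final class OrderService {
    // Constructed in-memory table; in the thread's app this is the Hibernate-backed orders table.
    private final Map<Long, Order> orders = new HashMap<>();

    public OrderService() {
        orders.put(23L, new Order(23L, 1L, "order belonging to customer 1"));
        orders.put(24L, new Order(24L, 2L, "order belonging to customer 2"));
    }

    /**
     * Equivalent of "SELECT ... FROM orders WHERE id = ? AND customer_id = ?": sessionCustomerId
     * comes from the server-side session set at login, requestedOrderId from the request parameter.
     */
    public Order loadOrderFor(long sessionCustomerId, long requestedOrderId) {
        Order o = orders.get(requestedOrderId);
        // Same outcome for "no such order" and "not your order", so edited ids reveal nothing.
        if (o == null || o.ownerCustomerId != sessionCustomerId) {
            throw new AccessDeniedException("order " + requestedOrderId + " is not accessible");
        }
        return o;
    }

    public static void main(String[] args) {
        OrderService svc = new OrderService();
        System.out.println(svc.loadOrderFor(1L, 23L).description);   // own order: allowed
        try {
            svc.loadOrderFor(1L, 24L);                                // orderId edited in the URL: denied
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The same shape serves the student list case: the WHERE clause (or the in-session list from option c) restricts the query to the ids this user may see, and the action never runs a lookup keyed only on the request parameter.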
Milind Mahajan
Ranch Hand

Joined: Oct 23, 2000
Posts: 77
Thanks.

This is pretty much what I am doing now - similar to my options b and c in the initial post.

-Milind