I am developing a web application based on Struts2, Spring and Hibernate. We are using spring security for authentication control, ssl etc.
Now, I need to secure the application against what I think is called url hacking. For instance, if the customer with customerId 1 is logged in and viewing his profile, the following http get variable will be visible in the address field: customerId=1. I need to prevent a customer from being able to set customerId=2 and see the profile of another customer.
How is this best achieved?
I've so far looked at Spring Security's Access Control List functionality and thought of the possibility to implement a Struts interceptor to check an action's customerId, but I'm not sure if either of these options is the way to go.
I'd strongly advise never to make any IDs directly visible to the client, at least not in an unencrypted form.
How about using a session that keeps that ID on the server side?
I'm not sure I made myself clear here. We are not displaying the id of the user that is logged in, this id is stored in a session.
Let me give another example. Each customer has a number of orders. When a customer is viewing an order, the orderId is visible in the url. This is the id I don't want a customer to be able to tamper with. If a customer changes the orderId to an id of an order belonging to another customer, access should be denied.
Do you advise against displaying this id in the url as well? [ November 06, 2008: Message edited by: P-O Vallin ]
Yes, by "user-visible" I meant the URL (as well as form fields, hidden or not). A better phrase would be "anything that's round-tripped from the server to the client, and then back to the server". That's susceptible to tampering, and someone WILL do it.
Ulf Dittmer wrote:Yes, by "user-visible" I meant the URL (as well as form fields, hidden or not). A better phrase would be "anything that's round-tripped from the server to the client, and then back to the server". That's susceptible to tampering, and someone WILL do it.
What @ulf said.
Never trust the client software. Never ever! Perhaps you are talking to a browser, or perhaps you are talking to a program that a bad guy wrote that pretends to be a browser.
A bit late into the discussion, but I hope to get some feedback on my thoughts. Thanks in advance.
Similar issue again.
In a web application, when a user visits a students list page, the screen shows a list of student names with hyperlinks. Only those student names are shown which the user is allowed to see. When the user clicks on the hyperlink, a new window opens showing the details of the user. The child window's address bar shows the url as follows.
The problem is that the user could change the value of parameter studentID and get the details of some other student which he/she is not eligible to see (hence not shown in the previous list screen). This is a security issue - url manipulation.
I could think of some of the ways we could prevent this.
a. Hide the address bar in the child screen.
b. Change the query which fetches the student details to include a clause which checks the eligibility of the logged in user.
c. Put the student IDs fetched in the previous list screen in session and make sure the details are shown only for those student IDs.
d. Do not pass studentID in the url parameter. Post it.
Are there any other ways? Which of these is a better way and why?
When you get the request, lookup the nonce in the hashmap, get the key
Thanks Pat. Agreed.
But what if I have lots of code already written which is passing the parameters in the url similar to what I mentioned. While it is true that the code has to be rewritten to do the nonce thing you suggested, in the short term, wouldn't url hiding or using the 'POST' method (because I think these can possibly be done easily compared to the nonce stuff and remove the 'user-visible' part) make misusing the urls at least slightly more difficult? If so, then we could buy some time and do the right fix in the days/months to come. Any thoughts on this?
Install httpfox into your firefox, turn it on, and look at what you can see. It's amazing.
It might even help the boss understand.
Milind Mahajan wrote:But what if I have lots of code already written which is passing the parameters in url similar to what I mentioned.
You'll have to check on the server side if the user that's logged in actually has the privileges to see the information they're requesting (in other words, somehow you need to check the studentID against the list of IDs this user is allowed to see). Yes, it seems like double work. No, you can't avoid it.
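As an added illustration of the two fixes this thread converges on (the server-side ownership check Ulf describes, which is Milind's options b and c, and the nonce-to-id map Pat mentions), here is a self-contained Java example. It is not code from any poster or from Struts2, Spring or Hibernate: the `Order` class, the in-memory `ORDERS` map standing in for a Hibernate query, and the `OpaqueIdMapper` are assumptions constructed for the example, and the customer id is taken from a simulated server-side session rather than from the request.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-ins for the thread's entities; names are assumptions, not the poster's code.
public class OrderAccessExample {

    static final class Order {
        final long id;
        final long customerId;
        final String description;
        Order(long id, long customerId, String description) {
            this.id = id;
            this.customerId = customerId;
            this.description = description;
        }
    }

    // Constructed sample data: order 10 belongs to customer 1, order 11 to customer 2.
    static final Map<Long, Order> ORDERS = new HashMap<>();
    static {
        ORDERS.put(10L, new Order(10, 1, "customer 1's order"));
        ORDERS.put(11L, new Order(11, 2, "customer 2's order"));
    }

    // Option b: the lookup itself is scoped to the logged-in customer, so an orderId that
    // belongs to someone else is simply not found. With Hibernate this corresponds to a
    // query such as "from Order o where o.id = :id and o.customer.id = :customerId".
    static Optional<Order> findOrderForCustomer(long orderId, long sessionCustomerId) {
        Order o = ORDERS.get(orderId);
        if (o == null || o.customerId != sessionCustomerId) {
            return Optional.empty();
        }
        return Optional.of(o);
    }

    // Pat's nonce idea: the list page issues an opaque random token per link and keeps the
    // token -> real id mapping on the server (one mapper per HTTP session). The real id
    // never reaches the client, and an unknown token resolves to nothing.
    static final class OpaqueIdMapper {
        private final Map<String, Long> nonceToId = new HashMap<>();
        private final SecureRandom random = new SecureRandom();

        String issue(long realId) {
            byte[] buf = new byte[16];
            random.nextBytes(buf);
            String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            nonceToId.put(nonce, realId);
            return nonce;
        }

        Optional<Long> resolve(String nonce) {
            return Optional.ofNullable(nonceToId.get(nonce));
        }
    }

    // Simulated handling of GET ?orderId=..., where the customer id comes from the
    // server-side session, never from the request. Returning 404 instead of 403 is a
    // reasonable variant so that a tampered id does not confirm another record exists.
    static String handleViewOrder(long requestedOrderId, long sessionCustomerId) {
        return findOrderForCustomer(requestedOrderId, sessionCustomerId)
                .map(o -> "200 " + o.description)
                .orElse("403 access denied");
    }

    public static void main(String[] args) {
        System.out.println(handleViewOrder(10, 1)); // 200 customer 1's order
        System.out.println(handleViewOrder(11, 1)); // 403 access denied (tampered orderId)

        OpaqueIdMapper mapper = new OpaqueIdMapper();
        String token = mapper.issue(10);
        System.out.println(mapper.resolve(token).orElse(-1L));   // 10
        System.out.println(mapper.resolve("bogus").isPresent()); // false
    }
}
```

The ownership check is the fix that cannot be skipped: hiding the address bar, switching to POST, or using opaque tokens only changes how the id travels, while `findOrderForCustomer` is what actually refuses a request for someone else's order. The nonce map is a useful extra because it also stops enumeration of sequential ids, but it still relies on the same server-side decision about what the session's user may see.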
This is pretty much what I am doing now - similar to my options b and c in the initial post.