JavaRanch » Java Forums » Engineering » Security
Securing data against tampering by intercepting the HTTP request

Lucky J Verma
Ranch Hand

Joined: Apr 11, 2007
Posts: 278
Hi all

My webapp is based on the Spring framework, with a JSP/JavaScript front end.
We have security issues and need some help on the technology.
How can I prevent data tampering by intercepting the HTTP request? One solution is to
put everything in the session, but that is a big modification.
Also, I believe Spring Security must have something to prevent this kind of data modification, but I have no knowledge
of that.
I do have server-side validation to reject bad characters entered before DB updates.

1. But what if data that travels from one page (entered) to another (rendered), with no DB insertions yet, is modified in between by intercepting the request?
2. Also, what if a list from the DB is being rendered in table format, but before rendering it is altered and wrong data is rendered on display?


Please suggest.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
It's not entirely clear to me what you are trying to protect against, but it sounds as if you're trying to bolt security on top of an existing web app after the fact. That is generally the wrong approach, and will more often than not result in at least partially insecure systems.

For starters, all data received from the client is suspect, and must be considered tainted. If you're round-tripping IDs, you need to check that the particular client is authorized to access data associated with that ID (because it may have been tampered with), just as an example. You need to consider authentication and possibly encryption. You need to guard against XSS and SQL injection. Etc. etc.

Start reading here: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps
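The point about round-tripped IDs deserves a concrete shape. The following is an added example (stand-alone Java, not code from this thread or from Spring): a value that has to travel through the browser from one page to the next is stamped with an HMAC before it leaves the server, and the next request verifies the stamp before using the value, then still checks that the current user is authorized for that ID. The key, the user names and the owner table are constructed for the demo; in a real application the key comes from server-side configuration and the ownership lookup goes to the database.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added example: tamper-evident round-tripping of a value through the client.
public class RoundTrip {
    // Constructed demo key; load a random key from server config in practice.
    private static final byte[] KEY =
            "replace-with-a-random-server-side-key".getBytes(StandardCharsets.UTF_8);

    // Constructed sample data: which user owns which account id.
    private static final Map<String, String> ACCOUNT_OWNER = Map.of(
            "1001", "alice",
            "1002", "bob");

    private static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // What the first page embeds in its form (hidden field or URL parameter).
    static String seal(String accountId) throws Exception {
        return accountId + "." + hmac(accountId);
    }

    // What the second page does with the value that came back from the client.
    // Returns the verified id, or null if the value was altered or the current
    // user is not allowed to act on it.
    static String open(String sealed, String currentUser) throws Exception {
        int dot = sealed.lastIndexOf('.');
        if (dot < 0) return null;                       // no stamp at all
        String id = sealed.substring(0, dot);
        byte[] given = sealed.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = hmac(id).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the check does not leak through timing.
        if (!MessageDigest.isEqual(given, expected)) return null;
        // The MAC only proves the server emitted this id; authorization is a
        // separate check and must not be skipped.
        if (!currentUser.equals(ACCOUNT_OWNER.get(id))) return null;
        return id;
    }

    public static void main(String[] args) throws Exception {
        String token = seal("1001");
        System.out.println("page 1 emits:     " + token);
        System.out.println("untouched, alice: " + open(token, "alice"));   // 1001
        System.out.println("untouched, bob:   " + open(token, "bob"));     // null, not his account
        String swapped = "1002" + token.substring(token.indexOf('.'));
        System.out.println("id swapped, bob:  " + open(swapped, "bob"));   // null, MAC mismatch
        System.out.println("no MAC, bob:      " + open("1002", "bob"));    // null, no stamp
    }
}
```

Run it with `java RoundTrip.java` (Java 11 or later). The alternative the original post mentions, keeping the value in the server-side session and sending the client only an opaque reference, avoids the signing step entirely; the HMAC approach is what you use when the value must genuinely live in the page. Either way, the ownership check at the end is the part that actually stops a user from swapping in someone else's ID.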
Lucky J Verma
Ranch Hand

Joined: Apr 11, 2007
Posts: 278
Thanks Tim for replying.

I will go a little further into what we have done and what situations we are facing.

In the webapp, at most places we have POST requests, and Spring encryption for URL params/GET requests.
Each input field is filtered or validated at the client side for any JavaScript/XSS/SQL kind of statements, and also at the server side.
Anyone can intercept the HTTP request and change the data. But we are safe in the case of bad data (bad characters) going to the DB because of server-side filtering.
This is the current security implementation and obviously not enough.

Case 1. Data comes from the DB into a list and the list is rendered on a JSP page. The request is intercepted, the data is modified and XSS is added, e.g.
<iframe>http://yahoo.com</iframe>, and that is rendered on the JSP page.
Case 2. I enter some input value, "xyz", on a form on a JSP page, and it is passed to the next JSP page and rendered (through model attributes), and in between it is modified by intercepting the HTTP request. The modified value is rendered on the 2nd JSP. It could contain <iframe> too.

How do we protect against such cases? Is SSL a solution? Should we put validations on output data too? Is that the right approach?
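Both cases above have the same fix, and it is worth seeing it in code. What follows is an added example (stand-alone Java, not the poster's code and not a Spring API): every untrusted string is HTML-encoded at the moment it is written into the page, whether it came from the database, from a form, or from a model attribute carried over from the previous page. Input validation does not replace this; encoding on output is what keeps an `<iframe>` in the data from becoming an `<iframe>` in the DOM. Note also that SSL/TLS protects the request from third parties on the network, but the scenario described here is the user's own intercepting proxy, which sits inside the TLS connection, so TLS does not address it. The sample rows are constructed.

```java
import java.util.List;

// Added example: encode untrusted data on output, in the HTML context it lands in.
public class OutputEncoding {
    // Minimal encoder for an HTML text node or a double-quoted attribute value.
    // In a JSP the equivalent is <c:out value="${v}"/> or ${fn:escapeXml(v)};
    // the OWASP Java Encoder (Encode.forHtml) is the production-grade choice.
    // JavaScript, URL and CSS contexts each need their own encoder; this one is
    // not safe for them.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Renders the table from case 1; every cell passes through the encoder,
    // no matter where the row came from.
    static String renderTable(List<String[]> rows) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (String[] row : rows) {
            html.append("  <tr>");
            for (String cell : row) {
                html.append("<td>").append(encodeForHtml(cell)).append("</td>");
            }
            html.append("</tr>\n");
        }
        return html.append("</table>").toString();
    }

    // Renders the value from case 2 on the second page.
    static String renderCarriedValue(String modelAttribute) {
        return "<p>You entered: " + encodeForHtml(modelAttribute) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed rows; the second is the tampered value from case 1.
        List<String[]> rows = List.of(
                new String[]{"xyz", "plain value"},
                new String[]{"<iframe src=\"http://yahoo.com\"></iframe>", "injected"});
        System.out.println(renderTable(rows));
        // Constructed model attribute altered in transit, as in case 2.
        System.out.println(renderCarriedValue("xyz\"><script>alert(1)</script>"));
    }
}
```

Run it with `java OutputEncoding.java`; the injected markup comes out as `&lt;iframe ...&gt;` and the browser displays it as text. The same rule holds for the `<iframe>` in case 1 and the `<script>` in case 2, which is why the answer to "should we validate output data too" is that output needs encoding rather than validation: the server cannot tell whether the value was tampered with, so it must render every value as data regardless.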