We have security issues and need some help on technology.
How can I prevent data tampering by intercepting the HTTP request? One solution is to
put everything in session, but it's a big modification.
Also I believe Spring Security must have something to prevent this kind of data modification, but I have no knowledge.
I do have server-side validation to invalidate bad characters entered before DB updates.
1. But what if data travelling (entered) from one page to another (rendered) (no DB insertions yet) is modified in between by intercepting the request?
2. Also if a list from the DB is being rendered in a table format but, before rendering, it's altered and wrong data is rendered on display.
It's not entirely clear to me what you are trying to protect against, but it sounds as if you're trying to bolt security on top of an existing web app after the fact. That is generally the wrong approach, and will more often than not result in at least partially insecure systems.
For starters, all data received from the client is suspect, and must be considered tainted. If you're round-tripping IDs, you need to check that the particular client is authorized to access data associated with that ID (because it may have been tampered with), just as an example. You need to consider authentication and possibly encryption. You need to guard against XSS and SQL injection. Etc. etc.
I will go a little further into what we have done and what situations we are facing.
In the webapp, at most places we have POST requests, and Spring encryption for URL params/GET requests.
Anyone can intercept the HTTP request and change the data. But we are safe in case of bad data (bad characters) going to the DB because of server-side filtering.
This is the current security implementation and obviously not enough.
Case 1. Data coming from the DB into a list, and the list is rendered on a JSP page. The request is intercepted and data is modified and XSS added, e.g.
<iframe>http://yahoo.com</iframe> and that is rendered on the JSP page.
Case 2. I enter some input value - "xyz" on a form on a JSP page and it is passed to the next JSP page and rendered (through model attributes) and in between modified by intercepting the HTTP request. The modified value is being rendered on the 2nd JSP. It could contain <iframe> too.
How to protect from such cases? Is SSL a solution? Should we put validations on output data too? Is it the right approach?
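
An added example, not code from anyone in this thread: one way to handle case 2, where a value is round-tripped through the client and then rendered. The server attaches an HMAC tag bound to the session, rejects the value if the tag no longer verifies, and HTML-encodes whatever it renders. HMAC is a technique chosen for this illustration; the class and method names are hypothetical, and the secret and session id are constructed sample values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (names are illustrative, not from the thread).
public class RoundTripGuard {
    private final SecretKeySpec key; // server-side secret, never sent to the client
    public RoundTripGuard(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    // Tag over (session id, value): a tag lifted from another session will not verify.
    public String sign(String sessionId, String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        mac.update(sessionId.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator between the two fields
        mac.update(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    // Constant-time comparison of the recomputed tag with the one the client sent back.
    public boolean verify(String sessionId, String value, String tag) throws Exception {
        return tag != null && MessageDigest.isEqual(
                sign(sessionId, value).getBytes(StandardCharsets.UTF_8),
                tag.getBytes(StandardCharsets.UTF_8));
    }

    // Encode for an HTML body or quoted-attribute context at render time, whatever the origin.
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        RoundTripGuard g = new RoundTripGuard("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String sid = "constructed-session-id", tampered = "<iframe>http://yahoo.com</iframe>";
        String tag = g.sign(sid, "xyz"); // emitted beside the value on page 1
        System.out.println(g.verify(sid, "xyz", tag) + " " + g.verify(sid, tampered, tag));
        System.out.println(escapeHtml(tampered)); // encoded form for page 2 to emit
    }
}
```

In a JSP, the JSTL c:out tag applies this kind of encoding by default. The tag only detects changes to a value the server itself issued; it does not replace the authorization check on round-tripped IDs mentioned in the reply above.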