
How to deal with Parameter Tampering

ajay mittal
Greenhorn

Joined: Nov 23, 2011
Posts: 24
Hi Guys,

I have created a servlet whose doGet and doPost methods both make a call to a doProcess method. In this method I have fetched the parameters passed in the URL and have even made checks for whether they are null or not. I have used the Lapse+ plugin to determine vulnerability sources (security threats) as per Java coding standards. While using the plugin it is showing PARAMETER TAMPERING for using request.getParameter(). Does anyone have a solution for it, because as per Java coding standards it is not a valid way to obtain values?

Regards,
Ajay
Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3013

I'm not sure how you relate this with Java coding standards. Getting a parameter value from request.getParameter(-) does not lead to any possibility of a parameter tampering attack unless you use the obtained value in a vulnerable way - say, passing it to the 'sensitive' business logic without having proper validation. I'm not sure if that plugin performs some static validations or attempts to discover vulnerabilities at the runtime of the application. The best practice of using an analyzer should not be to make that tool happy - see what it reports and why it is reported.


Founder of ExamLab and Systemup
See how I can help you to become an awesome programmer
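Devaka's point in code, as an added example that is not from this thread and not from LAPSE+: a servlet in the shape Ajay describes (doGet and doPost delegating to doProcess) that validates each request parameter before it reaches business logic, so the value obtained from request.getParameter() is never trusted as-is. The parameter names `id` and `action`, the numeric range and the action allowlist are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: doGet and doPost both delegate to doProcess, as in the
// original post, but every request parameter is validated before it is used.
public class OrderServlet extends HttpServlet {

    // Assumed allowlist of actions the business layer understands.
    private static final Set<String> ALLOWED_ACTIONS = Set.of("view", "cancel");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doProcess(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doProcess(req, resp);
    }

    private void doProcess(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // request.getParameter() is the untrusted source the analyzer flags;
        // a client can send any value here, so it is checked before use.
        Integer orderId = parseOrderId(req.getParameter("id"));
        String action = req.getParameter("action");
        if (orderId == null || action == null || !ALLOWED_ACTIONS.contains(action)) {
            // Reject the request instead of passing an unchecked value on.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid parameters");
            return;
        }
        // Only the validated, typed values (orderId, action) continue to the
        // business layer from this point.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Accepts a decimal integer within an assumed valid range; null otherwise.
    static Integer parseOrderId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            return null;
        }
        int id = Integer.parseInt(raw);
        return (id >= 1 && id <= 999_999_999) ? id : null;
    }
}
```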