JavaRanch » Java Forums » Java » Servlets
How to deal with Parameter Tampering

ajay mittal
Greenhorn

Joined: Nov 23, 2011
Posts: 24
Hi Guys,

I have created a servlet whose doGet and doPost methods both make a call to a doProcess method. In this method I have fetched the parameters passed in the URL and have even made checks for whether they are null or not. I have used the Lapse+ plugin to determine vulnerability sources (security threats) as per Java coding standards. While using the plugin it is showing PARAMETER TAMPERING for using request.getParameter(). Does anyone have a solution for it, because as per Java coding standards it is not a valid way to obtain values?

Regards,
Ajay
Devaka Cooray
ExamLab Creator
Saloon Keeper

Joined: Jul 29, 2008
Posts: 3019
    
I'm not sure how you relate this with Java coding standards. Getting a parameter value from request.getParameter(-) does not lead to any possibility of a parameter tampering attack unless you use the obtained value in a vulnerable way - say, passing it to the 'sensitive' business logic without proper validation. I'm not sure if that plugin performs some static validations or attempts to discover vulnerabilities at the runtime of the application. The best practice of using an analyzer should not be to make that tool happy - see what it reports and why it is reported.


Author of ExamLab ExamLab - a free SCJP / OCPJP exam simulator
What would SCJP exam questions look like? -- Home -- Twitter -- How to Ask a Question
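As an added illustration of the point made in the reply above (this is example code written for this page, not code from either poster, from JavaRanch, or from the Lapse+ project): a hypothetical servlet in which doGet and doPost both delegate to doProcess, as in the question, and every value returned by request.getParameter() is treated as untrusted input. Each parameter is parsed into a typed value or checked against an allow-list, and the record it names is only used after the server confirms it belongs to the authenticated caller. The class name, the parameter names, and the accountOwner() lookup are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the thread). doGet and doPost both delegate to
// doProcess; raw parameter strings never reach business logic unvalidated.
public class AccountServlet extends HttpServlet {

    // Allow-list of sort columns the client may request; anything else is rejected.
    private static final Set<String> ALLOWED_SORT = Set.of("date", "amount", "payee");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doProcess(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doProcess(req, resp);
    }

    private void doProcess(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The caller's identity comes from the container's authentication,
        // never from a request parameter the client can edit.
        String principal = req.getRemoteUser();
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Typed, bounded parsing: a missing, non-numeric or out-of-range id
        // becomes a 400 response rather than an exception or a stray query.
        Long accountId = parseId(req.getParameter("accountId"));
        String sort = parseSort(req.getParameter("sort"));
        if (accountId == null || sort == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Server-side authorisation: a well-formed id is still only usable if
        // the record belongs to the caller. accountOwner() is a placeholder for
        // a lookup in the application's own data store.
        if (!principal.equals(accountOwner(accountId))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("account " + accountId + " sorted by " + sort);
    }

    /** Returns the id as a positive long, or null if it is missing, malformed or out of range. */
    static Long parseId(String raw) {
        if (raw == null || raw.length() > 18) {
            return null;
        }
        try {
            long id = Long.parseLong(raw.trim());
            return id > 0 ? id : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /** Returns the sort key only if it is on the allow-list; defaults to "date" when absent. */
    static String parseSort(String raw) {
        if (raw == null) {
            return "date";
        }
        return ALLOWED_SORT.contains(raw) ? raw : null;
    }

    // Placeholder ownership lookup (hypothetical); a real servlet would query its data store.
    private String accountOwner(long accountId) {
        return "alice";
    }
}
```

The structure is what a static analyzer flagging "parameter tampering" is really asking for: the getParameter() call itself is unchanged, but the value it returns is constrained (type, range, allow-list) and the decision about which record the caller may see is made from server-held state, so editing the accountId or sort parameter in the URL changes nothing the client was not already entitled to.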
 