
How to deal with Parameter Tampering

 
ajay mittal
Greenhorn
Posts: 24
Hi Guys,

I have created a servlet whose doGet and doPost methods both call a doProcess method. In this method I fetch the parameters passed in the URL and have even added checks for whether they are null or not. I have used the Lapse+ plugin to determine vulnerability sources (security threats) as per Java coding standards. While using the plugin, it shows PARAMETER TAMPERING for using request.getParameter(). Does anyone have a solution for it, because as per Java coding standards it is not a valid way to obtain values?

Regards,
Ajay
 
Devaka Cooray
ExamLab Creator
Marshal
Posts: 4319
I'm not sure how you relate this to Java coding standards. Getting a parameter value from request.getParameter(...) does not by itself open any possibility of a parameter tampering attack unless you use the obtained value in a vulnerable way, say, passing it to 'sensitive' business logic without proper validation. I'm not sure whether that plugin performs static checks or attempts to discover vulnerabilities at runtime. The best practice when using an analyzer should not be to make the tool happy; see what it reports and why it is reported.
 
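To make the distinction in the reply above concrete, here is an added example (not code from the original thread or from Lapse+). It keeps the poster's doGet/doPost → doProcess layout and shows where the real parameter tampering risk sits: not in the call to request.getParameter(), but in using the returned value as a lookup key without validating its shape and without checking that the logged-in user is allowed to see that record. The parameter name "accountId", the session attribute "userId", the in-memory OWNER_OF map and the javax.servlet API (Java 9+ for Map.of) are all assumptions made for the illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original thread. Assumes the javax.servlet API, a
 * hypothetical "accountId" request parameter and a "userId" session attribute
 * set at login; all of these names are assumptions.
 */
public class AccountServlet extends HttpServlet {

    // Allow-list for the parameter: a positive decimal number of at most 10 digits.
    private static final Pattern ACCOUNT_ID = Pattern.compile("[1-9][0-9]{0,9}");

    // Constructed in-memory data standing in for a database: accountId -> owning userId.
    private static final Map<Long, String> OWNER_OF = Map.of(1001L, "alice", 1002L, "bob");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doProcess(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doProcess(req, resp);
    }

    private void doProcess(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("userId");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Vulnerable form that a taint analyzer reports: the request value flows
        // straight into the lookup, so any client can read any account by editing the URL.
        //   String owner = OWNER_OF.get(Long.parseLong(req.getParameter("accountId")));

        // Hardened form. Reading the parameter is not the problem; what follows is.
        String raw = req.getParameter("accountId");
        Long accountId = parseAccountId(raw);
        if (accountId == null) {
            // Syntactic validation failed (missing, wrong shape, overlong): reject, do not "fix up".
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid accountId");
            return;
        }

        // Authorization check: the client controls accountId, so the server must
        // confirm that the authenticated user actually owns the requested account.
        if (!isOwner(user, accountId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("Account " + accountId + " belongs to " + user);
    }

    /** Returns the parsed id if the raw value matches the allow-list, otherwise null. */
    static Long parseAccountId(String raw) {
        if (raw == null || !ACCOUNT_ID.matcher(raw).matches()) {
            return null;
        }
        return Long.parseLong(raw);
    }

    /** True only if the account exists and is owned by the given user. */
    static boolean isOwner(String user, long accountId) {
        return Objects.equals(OWNER_OF.get(accountId), user);
    }
}
```

The null check the poster describes only covers the first branch (a missing parameter); the allow-list rejects malformed values such as "1001 OR 1=1" or a 30-digit number before they reach parsing, and the ownership check is what actually defeats tampering with a well-formed id. A static analyzer that flags request.getParameter() is pointing at the taint source; the fix is to show it, through validation and an authorization check on the value, that the sink is guarded.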