
How to deal with Parameter Tampering

ajay mittal

Joined: Nov 23, 2011
Posts: 24
Hi Guys,

I have created a servlet whose doGet and doPost methods both call a doProcess method. In this method I have fetched the parameters passed in the URL and have even checked whether they are null or not. I have used the Lapse+ plugin to determine vulnerability sources (security threats) as per Java coding standards. While using the plugin, it shows PARAMETER TAMPERING for using request.getParameter(). Does anyone have a solution for it? As per Java coding standards it is not a valid way to obtain values.

Devaka Cooray
ExamLab Creator

Joined: Jul 29, 2008
Posts: 3927

I'm not sure how you relate this to Java coding standards. Getting a parameter value using request.getParameter(-) does not lead to any possibility of a parameter tampering attack unless you use the obtained value in a vulnerable way - say, passing it to the 'sensitive' business without having proper validation. I'm not sure if that plugin performs some static validations or attempts to discover vulnerabilities at the runtime of the application. The best practice of using an analyzer should not be to make that tool happy - see what it reports and why it is reported.

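The point made in the reply above, as an added example that is not part of the original thread: reading a parameter is harmless, and what matters is validating it and checking it against server-side state before it reaches business logic. The class name, the `accountId` parameter, the allow-list pattern and the ownership map are hypothetical; the raw string stands in for the value returned by `request.getParameter()`, and the user name for an identity taken from the session.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

// Added example; all names here are hypothetical, not from the thread.
public class ParameterCheck {

    // Allow-list: the parameter must be 1 to 10 decimal digits, nothing else.
    private static final Pattern ACCOUNT_ID = Pattern.compile("[0-9]{1,10}");

    // Constructed stand-in for server-side state: which accounts each user owns.
    private static final Map<String, Set<Long>> OWNED = Map.of(
            "alice", Set.of(1001L, 1002L),
            "bob", Set.of(2001L));

    /**
     * Returns the account id only if the raw value is well-formed AND the
     * authenticated user (taken from the session, never from the request
     * parameters) is allowed to use it.
     */
    static Optional<Long> resolveAccount(String sessionUser, String rawParam) {
        if (sessionUser == null) {
            return Optional.empty();          // no authenticated user
        }
        if (rawParam == null || !ACCOUNT_ID.matcher(rawParam).matches()) {
            return Optional.empty();          // missing or malformed input
        }
        long id = Long.parseLong(rawParam);   // safe: at most 10 digits
        Set<Long> owned = OWNED.getOrDefault(sessionUser, Set.of());
        if (!owned.contains(id)) {
            return Optional.empty();          // well-formed but not authorized
        }
        return Optional.of(id);
    }

    public static void main(String[] args) {
        // Constructed inputs: in a servlet, raw would come from
        // request.getParameter("accountId") and the user from the session.
        String[] samples = {"1001", "2001", "1001abc", "", null, "99999999999"};
        for (String raw : samples) {
            Optional<Long> result = resolveAccount("alice", raw);
            System.out.println("accountId=" + raw + " -> "
                    + result.map(id -> "accepted " + id).orElse("rejected"));
        }
    }
}
```

A null check alone, as described in the question, would accept every non-null sample here, including the well-formed id that belongs to another user.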