You say you are using hidden fields to store these important values (e.g.
auditid).  In this case, your design is inherently insecure as someone can
just edit the HTML page and submit it with a different value in that hidden
field, thereby gaining access to the wrong audit data through the POST
method, without making any changes to the URL.  If you want to keep this
secure you should look at ways of tracking the user and their auditid
through a non-client based interaction: probably best done using sessions on
the server side.  That way all the information they shouldn't be able to
edit is never sent to the client, so there is no risk of them being able to
mung the data and get the wrong info.  As a general rule, never believe
anything that comes back from the client: data from the client is tainted,
and should not be used to access secure information.  There's an argument
that sessions don't really overcome this problem, as it's possible (though
difficult) to hijack a session: this is still a much more secure solution
though.

--Chris
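As an added illustration of the advice above (this is example code, not from the original thread or the poster's application): a hypothetical version of the AuAuditorsSrv servlet that shows why the URL trick works and how to close it. In the servlet API, getParameter() returns values from both the query string and a form-encoded POST body, so ?hdAuditId=1007 on the URL is honoured exactly like the hidden field; checking for an absent query string would not help, because the POST body is just as editable. The fix is to take the identity from the server-side session and check that the requested audit belongs to it. The session attribute name "userId", the AuditStore interface and the in-memory sample data are assumptions made for the example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical replacement for the AuAuditorsSrv servlet discussed in the thread.
public class AuAuditorsSrv extends HttpServlet {

    // Assumed data-access interface; a real application would back this with a database.
    public interface AuditStore {
        Set<String> auditIdsOwnedBy(String userId);
        String auditDetails(String auditId);
    }

    // Constructed sample data so the class is self-contained (not real audits).
    static final class InMemoryStore implements AuditStore {
        private final Map<String, Set<String>> owned = new HashMap<String, Set<String>>();
        private final Map<String, String> details = new HashMap<String, String>();
        InMemoryStore() {
            owned.put("alice", new HashSet<String>(java.util.Arrays.asList("1234")));
            owned.put("bob", new HashSet<String>(java.util.Arrays.asList("1007")));
            details.put("1234", "audit 1234 (alice)");
            details.put("1007", "audit 1007 (bob)");
        }
        public Set<String> auditIdsOwnedBy(String userId) {
            Set<String> s = owned.get(userId);
            return s == null ? new HashSet<String>() : s;
        }
        public String auditDetails(String auditId) { return details.get(auditId); }
    }

    private final AuditStore store = new InMemoryStore();

    // INSECURE (what the posted form relies on): the audit id is taken from the client.
    // getParameter() merges the POST body and the query string, so any value the
    // user types into the URL or edits into the hidden field is used as-is.
    String insecureLookup(HttpServletRequest request) {
        String auditId = request.getParameter("hdAuditId");
        return store.auditDetails(auditId);
    }

    // HARDENED: the identity comes from the server-side session (set at login,
    // never sent to the client), and the requested audit is checked against the
    // set that identity is allowed to see. Returns null when access is denied.
    String secureLookup(HttpServletRequest request) {
        HttpSession session = request.getSession(false);   // do not create one here
        if (session == null) {
            return null;                                    // not logged in
        }
        String userId = (String) session.getAttribute("userId"); // assumed attribute name
        if (userId == null) {
            return null;
        }
        String auditId = request.getParameter("hdAuditId");
        if (auditId == null || !store.auditIdsOwnedBy(userId).contains(auditId)) {
            return null;   // client asked for an audit it does not own: deny, regardless of where the id came from
        }
        return store.auditDetails(auditId);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String details = secureLookup(request);
        if (details == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().write(details);
    }
}
```

If each user works on exactly one audit at a time, the audit id itself can also be stored in the session at login and the hidden field dropped entirely, which is the "never send it to the client" variant Chris describes; the ownership check above is the more general form and tolerates a user who legitimately owns several audits.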

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]] On Behalf Of Vibha Jindal
Sent: Wednesday, October 31, 2001 10:01 PM
To: [EMAIL PROTECTED]
Subject: Security Issue - Urgent


Hi,

I am using the Post method to submit my form to a Servlet. I am also using
hidden variables to set certain values that I get and interpret in my
servlet.

e.g.,

function undoData()
{
    // Set the hidden form fields the servlet reads
    document.Form.hdFlagAction.value = "0";
    document.Form.hdAuditId.value = "1234";
    // Submit via POST so the values travel in the request body rather than the URL
    document.Form.method = 'POST';
    document.Form.action = "/NASApp/wisper/AuAuditorsSrv";
    document.Form.submit();
}

Now, all that is displayed in the URL is,
http://157.227.15.228/NASApp/wisper/AuAuditorsSrv

But, if the user just changes the URL, e.g., makes it
http://157.227.15.228/NASApp/wisper/AuAuditorsSrv?hdAuditId=1007, he can see
the details of the AuditId 1007, though, since this wasn't his audit, he
shouldn't have been able to see these details.

Can anyone please help me and let me know, if I can do something in my
servlet to ignore all that the user enters in the URL ?

Regards,
Vibha

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
