We use HTTPS with TLS. Our app has login authentication. I am not sure whether it is a valid concern or not; I will just explain the steps that I followed:

1. Wicket app runs on 8443 with HTTPS with TLS
2. OWASP ZAP tool runs on 8080
3. Start a browser from ZAP with the configured app URL, e.g. https://localhost:8443
4. Login page is displayed
5. Entered credentials and login successful
6. I have a form with a name text field and an Ajax submit button
7. Enter the value "Foo" into the name field
8. Click the break point in ZAP
9. Then click the Ajax submit button
10. Now the request details are shown in clear text in the ZAP window (e.g. _csrf=fc786e60-6be2-5ce3-9f8a-f98679c3bf0d&p%3A%3Aname=Foo)
11. I changed the name value to "Bar" in ZAP
12. Now I click a button in ZAP to proceed with the request
13. It is saved successfully with the value "Bar" in the Wicket application.

Here the user entered "Foo" whereas in the application "Bar" is stored. Is this a valid concern?

Thanks And Regards
Sibi.Arunachalam
mCruncher

On Fri, May 27, 2022 at 4:20 PM Korbinian Bachl <korbinian.ba...@whiskyworld.de> wrote:

> Use HTTPS with TLS
>
> Also note: if you or your service operates within the EU and you don't
> secure this via encryption you are violating the GDPR!
>
>
> ----- Original Message -----
> > From: "Arunachalam Sibisakkaravarthi" <arunacha...@mcruncher.com>
> > To: "users" <users@wicket.apache.org>
> > Sent: Friday, 27 May 2022 09:27:14
> > Subject: prevent client request being intercepted for attack
>
> > Hi guys,
> > Form submission requests can be intercepted using a third party tool (e.g.
> > ZAP) to change the data. Is there a way to prevent this attack? How do we
> > validate data integrity?
> >
> > Thanks And Regards
> > Sibi.Arunachalam
> > mCruncher
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
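Added example, not part of this thread and not Wicket project code: a framework-independent Python sketch of what a server can and cannot verify about a submission like the one above once it has passed through the user's own intercepting proxy. The request body uses the field names visible in the ZAP capture (`_csrf`, `p::name`); `record_id`, `record_id_sig`, the session layout and `SERVER_SECRET` are constructed assumptions. The point it illustrates: a value the user typed into a text field ("Foo") and a value the same user edited in the proxy ("Bar") are indistinguishable to the server, so the server validates shape and decides authorization from the session; values the server itself rendered into the page, which the client must not alter, are either kept server-side or signed so tampering is detected.

```python
"""Server-side handling of a form submission that may have passed through an
intercepting proxy (constructed illustration; not Wicket code)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed: a real deployment loads this from protected configuration.
SERVER_SECRET = secrets.token_bytes(32)


def sign(name: str, value: str) -> str:
    """HMAC over name=value so a signed value cannot be moved to another field."""
    msg = f"{name}={value}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def render_form(session: dict, record_id: str, csrf_token: str) -> dict:
    """Fields the server emits into the page. record_id is server-chosen, so it
    is signed; the CSRF token is remembered server-side for later comparison."""
    session["csrf"] = csrf_token
    return {
        "_csrf": csrf_token,
        "record_id": record_id,
        "record_id_sig": sign("record_id", record_id),
        "p::name": "",  # user-entered; the user owns this value, nothing to sign
    }


def build_body(fields: dict) -> str:
    """Encode fields the way a browser would (p::name becomes p%3A%3Aname)."""
    return urlencode(fields)


def handle_submit(session: dict, body: str) -> tuple:
    """Return (status, payload). Every decision is made from server-side state
    plus checks on the body, never from trusting the body itself."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # 1. CSRF token must equal the one issued to this session (constant-time).
    if not hmac.compare_digest(params.get("_csrf", ""), session.get("csrf", "")):
        return 403, "csrf token mismatch"

    # 2. Server-originated field: verify the signature before using the value.
    rid = params.get("record_id", "")
    expected = sign("record_id", rid)
    if not hmac.compare_digest(params.get("record_id_sig", ""), expected):
        return 400, "record_id does not match what the server rendered"

    # 3. Authorization comes from the session, not from anything in the body.
    if rid not in session.get("owned_records", set()):
        return 403, "record not owned by this user"

    # 4. User-entered field: the server can only check shape, not intent.
    #    "Foo" typed in the browser and "Bar" edited in a proxy look the same.
    name = params.get("p::name", "")
    if not (1 <= len(name) <= 50 and name.isprintable()):
        return 400, "invalid name"

    return 200, {"record_id": rid, "name": name}
```

Run through `render_form` then `handle_submit` with an edited body: changing `p::name` from "Foo" to "Bar" is accepted, because the user is entitled to submit any well-formed name; changing `record_id` or `_csrf` is rejected. Signing is only needed for values the server puts into the page and expects back unchanged; keeping such values in the session instead of the page avoids the signature entirely.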