If you browse with a ZAP associated browser then I assume the https connection is with ZAP.
You should only be concerned if you browse with a different browser than the one associated with ZAP and the same occurs.

Martin

On Fri, 27 May 2022 at 12:46, Arunachalam Sibisakkaravarthi ([email protected]) wrote:
> We use HTTPS with TLS.
> Our app has login authentication.
> I am not sure whether it is a valid concern or not.
> I just explain the steps that I followed:
>
> 1. Wicket app runs on 8443 with https with tls
> 2. Owasp ZAP tool runs on 8080
> 3. Start a browser from ZAP with configured app url eg: https://localhost:8443
> 4. Login page is displayed
> 5. Entered credentials and login successful
> 6. I have a form with a name text field and an ajax submit button
> 7. Enter a value "Foo" into name field
> 8. Click the break point in ZAP
> 9. Then click the ajax submit button
> 10. Now the request details shown in clear text on ZAP window (eg: _csrf=fc786e60-6be2-5ce3-9f8a-f98679c3bf0d&p%3A%3Aname=Foo)
> 11. I changed the name value to "Bar" in ZAP
> 12. Now I click a button in ZAP to proceed the request
> 13. It is saved successfully with the value "Bar" in the Wicket application.
>
> Here the user entered "Foo" whereas in the application "Bar" is stored.
>
> Is this a valid concern?
>
> Thanks And Regards
> Sibi.Arunachalam
> mCruncher
>
> On Fri, May 27, 2022 at 4:20 PM Korbinian Bachl <[email protected]> wrote:
> > Use HTTPS with TLS
> >
> > Also note: if you or your service operates within the EU and you don't secure this via encryption you are violating the GDPR!
> >
> > ----- Original Message -----
> > > From: "Arunachalam Sibisakkaravarthi" <[email protected]>
> > > To: "users" <[email protected]>
> > > Sent: Friday, 27 May 2022 09:27:14
> > > Subject: prevent client request being intercepted for attack
> > >
> > > Hi guys,
> > > Form submission requests can be intercepted using a third party tool (eg: ZAP) to change the data. Is there a way to prevent this attack? How do we validate data integrity?
> > >
> > > Thanks And Regards
> > > Sibi.Arunachalam
> > > mCruncher
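As an added example (not code from this thread, nor Wicket's own), the server side of the form in steps 6 to 13, written against the Wicket 9 AjaxButton API with a hypothetical page class and resource key: the browser and any proxy it trusts (ZAP here) are under the user's control, so the only integrity the server can enforce is that whatever value arrives, "Foo" or "Bar", satisfies its own rules and is saved for the authenticated session.

```java
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.markup.html.form.AjaxButton;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.Model;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;
import org.apache.wicket.validation.validator.StringValidator;

/** Hypothetical page: the name form from the thread, with every check done on the server. */
public class NameFormPage extends WebPage {

    public NameFormPage() {
        FeedbackPanel feedback = new FeedbackPanel("feedback");
        feedback.setOutputMarkupId(true);
        add(feedback);

        Form<Void> form = new Form<>("form");
        add(form);

        // The request parameter (p::name=Foo, or Bar after editing it in ZAP) is untrusted
        // input; the model only receives it after every validator below has accepted it.
        TextField<String> name = new TextField<>("name", Model.of(""));
        name.setRequired(true);
        name.add(StringValidator.maximumLength(50));
        name.add(new AllowedNameValidator());
        form.add(name);

        form.add(new AjaxButton("submit", form) {
            @Override
            protected void onSubmit(AjaxRequestTarget target) {
                // Reached only when validation passed. A user replacing their own "Foo" with
                // "Bar" is not detectable here and is not an attack on the server; the CSRF
                // token in the request guards against cross-site requests, not self-tampering.
                success("Saved name: " + name.getModelObject());
                target.add(feedback);
            }

            @Override
            protected void onError(AjaxRequestTarget target) {
                target.add(feedback); // report rejected input without a full page reload
            }
        });
    }

    /** Rejects values outside the characters a name may contain, whatever the client sent. */
    static final class AllowedNameValidator implements IValidator<String> {
        @Override
        public void validate(IValidatable<String> v) {
            if (!v.getValue().matches("[\\p{L} .'-]{1,50}")) {
                v.error(new ValidationError(this).addKey("name.invalid")); // hypothetical key
            }
        }
    }
}
```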
