Thanks guys for the feedback and clarification.
*Thanks And Regards*
*Sibi.Arunachalam*
*mCruncher*

On Fri, May 27, 2022 at 6:06 PM Martin Terra <martin.te...@koodaripalvelut.com> wrote:

> If you browse with a ZAP-associated browser then I assume the https
> connection is with ZAP.
>
> You should only be concerned if you browse with a different browser than
> one associated with ZAP and then the same occurs.
>
> Martin
>
> On Fri, 27 May 2022 at 12:46, Arunachalam Sibisakkaravarthi (arunacha...@mcruncher.com) wrote:
>
> > We Use HTTPS with TLS.
> > Our app has login authentication.
> > I am not sure whether it is a valid concern or not.
> > I just explain the steps that I followed:
> >
> > 1. Wicket app runs on 8443 with https with tls
> > 2. OWASP ZAP tool runs on 8080
> > 3. Start a browser from ZAP with configured app url eg: https://localhost:8443
> > 4. Login page is displayed
> > 5. Entered credentials and login successful
> > 6. I have a form with a name text field and an ajax submit button
> > 7. Enter a value "Foo" into name field
> > 8. Click the break point in ZAP
> > 9. Then click the ajax submit button
> > 10. Now the request details are shown in clear text on the ZAP window (eg: _csrf=fc786e60-6be2-5ce3-9f8a-f98679c3bf0d&p%3A%3Aname=Foo)
> > 11. I changed the name value to "Bar" in ZAP
> > 12. Now I click a button in ZAP to proceed with the request
> > 13. It is saved successfully with the value "Bar" in the Wicket application.
> >
> > Here the user entered "Foo", whereas in the application "Bar" was stored.
> >
> > Is this a valid concern?
> >
> > *Thanks And Regards*
> > *Sibi.Arunachalam*
> > *mCruncher*
> >
> > On Fri, May 27, 2022 at 4:20 PM Korbinian Bachl <korbinian.ba...@whiskyworld.de> wrote:
> >
> > > Use HTTPS with TLS
> > >
> > > Also note: if you or your service operates within the EU and you don't
> > > secure this via encryption you are violating the GDPR!
> > >
> > > ----- Original Message -----
> > > > From: "Arunachalam Sibisakkaravarthi" <arunacha...@mcruncher.com>
> > > > To: "users" <users@wicket.apache.org>
> > > > Sent: Friday, 27 May 2022 09:27:14
> > > > Subject: prevent client request being intercepted for attack
> > > >
> > > > Hi guys,
> > > > Form submission requests can be intercepted using a third party tool (eg: ZAP) to change the data. Is there a way to prevent this attack? How do we validate data integrity?
> > > >
> > > > *Thanks And Regards*
> > > > *Sibi.Arunachalam*
> > > > *mCruncher*
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > For additional commands, e-mail: users-h...@wicket.apache.org