struts-dev mailing list archives

From Maurizio Cucchiara <maurizio.cucchi...@gmail.com>
Subject Re: Security Issue with GET method
Date Thu, 30 Sep 2010 07:50:05 GMT
Hi Raj,
you could get the sid value and put it inside the authentication form sent to the user as
a hidden field. Afterwards, when the user invokes the authentication action, you
could verify whether the sid value matches the real sessionID value.

Look at this URL:
http://localhost:8080/SecurityTest/login.do?userId=sss&password=sss&step=Login&sessionID=*sessionID*
Which sessionID value should a "malicious" user provide?
Furthermore, you could follow Chris's advice.

May I ask why it is so important for you to exclude the GET method?
I'm asking because it's fairly easy to bypass.

Maurizio Cucchiara

2010/9/30 Orpu <Rajesh.Orpu@broadridge.com>:
>
> Hi,
>
> Can you please be more specific? I did not get you. When I click the button
> and go to the action, it has the sessionID. I will put it in a hidden form value. But
> what happens when I paste the URL in the browser, which goes to the action with the GET
> method and has the session ID?
>
> Can you please elaborate on it more?
>
> Thanks,
> Raj
>
>
> Maurizio Cucchiara wrote:
>>
>> Hi,
>> you could obtain the session id through session.getId() and put it inside
>> the form as a hidden field; afterwards you could verify its correctness.
>>
>> Did I answer your question?
>>
>> Maurizio Cucchiara
>>
>>
>>
>> 2010/9/29 Orpu <Rajesh.Orpu@broadridge.com>:
>>>
>>> Hi All,
>>>
>>> My application is developed using the Struts framework. It takes the user id
>>> and password at the time of login and goes to the next page. I am using
>>> method="POST" when I invoke the action class, as below:
>>>
>>> <html:form action="/login.do" method="POST">
>>>
>>> Basically I don't have any problem when I log in after giving the user id
>>> and password.
>>>
>>> But I have security concerns when I send the user id and password
>>> in the URL as below:
>>>
>>> http://localhost:8080/SecurityTest/login.do?userId=sss&password=sss&step=Login
>>>
>>> Using the above URL in the browser successfully takes me to the
>>> next page.
>>>
>>> Can anyone please help me? How do I protect the application in this scenario?
>>>
>>> I tried to solve this issue by defining security-constraints in the web.xml
>>> file as below:
>>>
>>> <security-constraint>
>>>     <web-resource-collection>
>>>         <web-resource-name>Protected Area with GET</web-resource-name>
>>>         <url-pattern>*/login.do</url-pattern>
>>>         <http-method>GET</http-method>
>>>     </web-resource-collection>
>>>     <auth-constraint/>
>>> </security-constraint>
>>> One more thing: I should not put restrictions on the other GET methods that
>>> are in the entire application. I should only restrict at the time of login.
>>>
>>> I know the url-pattern that I am using may resolve this issue. But what
>>> is the correct pattern I have to use?
>>>
>>> Please help me.
>>>
>>> Thanks
>>> Raj
>>> --
>>> View this message in context:
>>> http://old.nabble.com/Security-Issue-with-GET-method-tp29838122p29838122.html
>>> Sent from the Struts - Dev mailing list archive at Nabble.com.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>
>>>
>>
>>
>>
>>
>
> --
> View this message in context: http://old.nabble.com/Security-Issue-with-GET-method-tp29838122p29845742.html
> Sent from the Struts - Dev mailing list archive at Nabble.com.
>
>
>
>

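The approach discussed in this thread (refuse GET on the login action, and check a hidden one-time value the form received against what the server stored for that session), as an added Struts 1 example that is not code from any of the participants. It uses Struts' own saveToken/isTokenValid transaction token instead of the raw session id from Maurizio's suggestion, so the session id is never echoed into the page; LoginForm, UserStore.authenticate and the forward names loginPage/success are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// --- ShowLoginAction.java: renders the login page (one class per file in practice) ---
public class ShowLoginAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // Stores a random token in the session; <html:form> emits it as a hidden field
        // (org.apache.struts.taglib.html.TOKEN), so only a form the server sent carries it.
        saveToken(request);
        return mapping.findForward("loginPage");   // assumed forward name
    }
}

// --- LoginAction.java: mapped to /login.do ---
public class LoginAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // 1. Credentials arriving in a query string (GET) are refused outright. Doing this in
        //    the action keeps every other GET in the application unaffected, which the
        //    web.xml <security-constraint> in the thread could not guarantee.
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return null;
        }
        // 2. The hidden token must equal the one saved for this session. A pasted URL or a
        //    request built without loading the form has no way to supply it. The second
        //    argument resets the token, so the same value cannot be submitted twice.
        if (!isTokenValid(request, true)) {
            return mapping.findForward("loginPage");
        }
        LoginForm login = (LoginForm) form;                    // assumed ActionForm subclass
        if (!UserStore.authenticate(login.getUserId(), login.getPassword())) { // assumed
            return mapping.findForward("loginPage");
        }
        // 3. Replace the pre-login session so an identifier observed before login
        //    (in a form, a URL or a log) grants nothing after it.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute("userId", login.getUserId());
        return mapping.findForward("success");                 // assumed forward name
    }
}
```

The token is kept server-side and consumed on use, so step 2 is what actually closes the gap; step 1 only stops the pasted-URL case Raj described, and a web.xml url-pattern is not needed for either.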

