tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: hiding servlet URLs in JSPs
Date Wed, 04 Dec 2002 17:04:59 GMT


On Wed, 4 Dec 2002, Price, Erik wrote:

> Date: Wed, 4 Dec 2002 10:36:49 -0500
> From: "Price, Erik" <eprice@ptc.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: hiding servlet URLs in JSPs
>
> Hi, simple question (I hope):
>
> Does it really matter if someone can see the naked path to a servlet in the
> "action" attribute of an HTML <form> tag?  I mean, if I have this form:
>
> <form method="POST" action="./servlet/SomeServlet">
> 	<!-- some input tags go here -->
> </form>
>
> anyone can see the URL to my servlet and attempt to send it data directly.
> At first I thought that this was a security problem and that I should
> obfuscate the path to the servlet somehow, but on second thought it strikes
> me that this is no different than someone seeing the path to a CGI script in
> a form either.
>

It is definitely true that malicious people can see the destination URL
and might try to maliciously send data.  Your application needs to include
measures to prevent this from causing you grief.

It is definitely not true that obfuscating the destination URL would make
a bit of difference -- your attacker can still see the obfuscated URL in
the action attribute of the <form> element, and make exactly the same
attack.

> Any advice?
>
>
> Erik
>

Craig


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
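The reply above makes the point that the visible action URL is not the problem: any client can POST to the servlet directly, so the servlet itself has to validate what arrives. The following servlet is an added example, not code from the thread or from Tomcat; the class name `SomeServlet`, the field names `quantity` and `token`, and the session attribute keys are assumptions. It refuses GET, rejects a submission that does not carry the per-session token the server handed out when rendering the form, validates each field against a strict pattern, and reads the identity of the user from the session rather than from anything the client sent.

```java
// Added example (not from the thread): a servlet written on the assumption that
// any client can see its URL and POST to it directly, so nothing in the request
// is trusted until it has been checked server-side.
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SomeServlet extends HttpServlet {

    // Session attribute keys (assumed names for this example).
    private static final String TOKEN_ATTR = "form.token";
    private static final String USER_ATTR = "user";

    // Strict server-side pattern for the one field this form carries.
    private static final Pattern QUANTITY = Pattern.compile("[0-9]{1,4}");

    private static final SecureRandom RNG = new SecureRandom();

    // Called by the JSP that renders the form, which must echo the token back
    // in a hidden field, e.g.
    //   <input type="hidden" name="token" value="<%= SomeServlet.issueToken(session) %>">
    // One random token per session; a direct POST that lacks it is rejected.
    public static String issueToken(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            StringBuffer hex = new StringBuffer();
            for (int i = 0; i < raw.length; i++) {
                int b = raw[i] & 0xff;
                if (b < 0x10) hex.append('0');
                hex.append(Integer.toHexString(b));
            }
            token = hex.toString();
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    // Validation kept separate from servlet plumbing so it can be unit-tested.
    static boolean isValidQuantity(String s) {
        return s != null && QUANTITY.matcher(s).matches();
    }

    // True only when the client echoed the exact token held in its own session.
    static boolean tokenMatches(HttpSession session, String submitted) {
        if (session == null || submitted == null) return false;
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), submitted.getBytes());
    }

    // The form is declared method="POST"; a GET to this URL is not a form submission.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // do not create one here

        // 1. Was this POST preceded by the server rendering the form to this session?
        if (!tokenMatches(session, req.getParameter("token"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Validate every field on the server; the HTML form is not a filter.
        String quantity = req.getParameter("quantity");
        if (!isValidQuantity(quantity)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Identity and prices come from server-side state, never from hidden
        //    fields, which the client can rewrite as easily as it can read the URL.
        String user = (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        int qty = Integer.parseInt(quantity); // safe: pattern guarantees 1-4 digits
        resp.setContentType("text/plain");
        resp.getWriter().println("Accepted order of " + qty + " for " + user);
    }
}
```

The token check is what distinguishes a submission from the form the server rendered from an arbitrary POST aimed at the URL; the field validation is what protects the servlet even when the request did come through the form, since the client can edit the form before submitting it. Neither check depends on the URL being secret.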

