Hi all,
I have an application developed using ZK 3.6.2 on WebSphere application server 7. Using a tool called HTTPWatch I noticed that I can see the query parameters for an HTTP POST request being sent to the server.
https://myserver/onlineApp/zkau?dtid=gdh31&cmd.0=onChange&uuid.0=z_dh_g1&data.0=29&data.0=false&data.0=0&cmd.1=onChange&uuid.1=z_dh_o1&data.1=melissa&data.1=false&data.1=0&cmd.2=onChange&uuid.2=z_dh_02&data.2=mypassword&data.2=false&data.2=0&cmd.3=onOK&uuid.3=z_dh_02&data.3=13&data.3=false&data.3=false&data.3=false&data.3=z_dh_02
As you can see from the above URL (which is from a login.zul page), I can clearly see some of the values being sent over to the server. So is there a way to actually prevent the query string from being visible?
Where is HTTPWatch being run, in your browser or snooping from another machine?
Hmmmmm, is this the so-called 'SQL Injection'?
Why not call a well defined service/DAO method in your backend? If you need to send dynamic 'where clauses', have a look at the 'Search' class from the hibernate-generic-dao framework. With it you can put your where clause in the Search object and read it back in your backend method.
best
Stephan
The security issue here is not SQL Injection, we got that part covered. As you can see in the above URL, using the query string we are actually exposing sensitive information (e.g. password, user name, account number, etc). It may be possible to steal this sensitive data using a network sniffer.
Given that your URL is something like this: "https://myserver/...", what's the issue? You're running over SSL. I assume you can see it with HTTPWatch because it's inside the browser before it's encrypted and put on the wire.
My two cents: from my JSP/Servlet experience, I remember parameters are explicitly passed by GET (limited to 255 characters, if I am right), but not by POST, which has no limits and is not explicit in the URL...
What I am missing here is how you can read them... is there a risk you are in a privileged position and you are trying to fix an issue that cannot be raised for other external users?
Hi Steva77, you are right that using a typical browser a user cannot see the query parameters in a POST request. But using tools like HTTPWatch or other network sniffer software I was able to see the URL as shown in the first post. The security risk I mentioned is to prevent hackers from obtaining sensitive information from the query string.
Data contained in the URL query string on an HTTPS connection is encrypted. However, it is a very poor practice to send sensitive data such as a password using the query string for security purposes. While it cannot be intercepted, the data could be logged in web server logs (e.g. the access log).
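The logging point made in this answer, as an added example that is not code from the thread or from ZK: a web server's access log records the request line (method, path and query string) but never the POST body, so the same zkau parameters end up on disk only when they travel in the URL. The sample requests are constructed, and the split of ZK's parameters between URL and body is assumed.

```python
# Added example, not from the ZK forum thread. Models what an access log
# keeps from a request so the GET/POST difference in exposure is visible.
from urllib.parse import parse_qs, urlsplit

# Constructed zkau-style parameters using the values quoted in the thread.
_PARAMS = ("cmd.0=onChange&uuid.0=z_dh_g1&data.0=29&data.0=false&data.0=0"
           "&cmd.2=onChange&uuid.2=z_dh_02&data.2=mypassword&data.2=false&data.2=0")
# Assumed layout: desktop id in the URL, everything else in the POST body.
POST_REQUEST = (
    "POST /onlineApp/zkau?dtid=gdh31 HTTP/1.1\r\n"
    "Host: myserver\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_PARAMS)}\r\n\r\n" + _PARAMS)
# The same parameters sent as a GET query string instead.
GET_REQUEST = (
    f"GET /onlineApp/zkau?dtid=gdh31&{_PARAMS} HTTP/1.1\r\n"
    "Host: myserver\r\n\r\n")

def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def access_log_line(raw: str, client: str = "10.0.0.5") -> str:
    """Approximate a Common Log Format entry (fixed placeholder timestamp):
    only the request line is written, so the full query string lands on disk."""
    method, target, _headers, _body = parse_raw_request(raw)
    return f'{client} - - [05/Apr/2011:03:01:34 +0800] "{method} {target} HTTP/1.1" 200 -'

def body_params(raw: str) -> dict:
    """Decode the form-encoded POST body; repeated keys such as data.2 become lists."""
    _method, _target, _headers, body = parse_raw_request(raw)
    return parse_qs(body, keep_blank_values=True)

def query_params(raw: str) -> dict:
    """Decode only the URL query string, i.e. the part an access log would keep."""
    _method, target, _headers, _body = parse_raw_request(raw)
    return parse_qs(urlsplit(target).query, keep_blank_values=True)

if __name__ == "__main__":
    print(access_log_line(POST_REQUEST))  # no "mypassword" in the logged line
    print(access_log_line(GET_REQUEST))   # the password is in the logged request line
```

The POST body is still readable inside the browser (which is what HTTPWatch shows) and by anyone who can decrypt the TLS session, so keeping credentials out of the URL limits exposure to logs and referrers rather than removing it.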
Well, then I am not sure it is a ZK issue... I do think it relates to protocols.
Asked: 2011-04-05 03:01:34 +0800
Last updated: Apr 07 '11