0

Zk security

asked 2012-09-04 10:45:30 +0800

Ganeshkhakare gravatar image Ganeshkhakare
150 4

updated 2012-09-04 10:50:17 +0800

Hi,
We are evaluating zk with respect to no of parameters in those security is our most important one.
I have one simple zul with one textbox and one button which on clicked alert value of textbox.
<zk>
<textbox id = "t" ></textbox>
<button label = "Click Me" onClick = "alert(t.getValue())"></button>
</zk>
I tried to interrupt button click request using burp proxy and change the actual user entered value of textbox.
Currently zk can not figure out if incoming request content is changed and alerts changed value.

In our current application we generate some checksome code using request content and send it as a request parameter.
At server end we again try to generate same code decides whether our request content is modified or not.

Is there any way in zk to achieve the same using any configuration or extending any client/server side code?

Thank you very much in advance.

delete flag offensive retag edit

8 Replies

Sort by ยป oldest newest

answered 2012-09-05 09:57:17 +0800

Ganeshkhakare gravatar image Ganeshkhakare
150 4

Please help me regarding above issue

link publish delete flag offensive edit

answered 2012-09-05 10:40:10 +0800

sjoshi gravatar image sjoshi flag of India
3508 1 8
http://zkframeworkhint.bl...

I think you can introduce Spring Security with ZK

link publish delete flag offensive edit

answered 2012-09-06 06:58:38 +0800

Ganeshkhakare gravatar image Ganeshkhakare
150 4

Thank you very much sjoshi
I dont know how we can achive this using spring security and I doubt my team will introduce spring security in our product just for this reason.
But I belive there should be some workarround to get rid of this problem.

link publish delete flag offensive edit

answered 2012-09-06 08:40:33 +0800

Bobzk gravatar image Bobzk
428 1 5

Maybe I'm not understanding your problem correctly but if you are trying to stop data being intercepted between user and server and being altered, surely using "https" protocol is what you need?

link publish delete flag offensive edit

answered 2012-09-06 08:41:26 +0800

sjoshi gravatar image sjoshi flag of India
3508 1 8
http://zkframeworkhint.bl...

I dont think ZK is providing any such thing ..We are facing same issue for update case where we have to know which values are changed by user so fired query for those value which is changed not for all .So we are trying to implement dirty checking for that so if anything changed dirtychecking will tell us..If this workaround for you i will tell you when i will finish to implement it..It will take some time right now i am busy with reordering in Listbox and sorting.
Thanks

link publish delete flag offensive edit

answered 2012-09-06 09:10:03 +0800

Ganeshkhakare gravatar image Ganeshkhakare
150 4

updated 2012-09-06 09:11:03 +0800

I just want to know if someone has changed user entered data in between by interrupting user request at server end.
When I looked at zk source code I found there is javascript file named as "au.js" having a method "ajaxSendNow" is responsible for sending ajax request to the server.

I can override this method and perform some operation on content before sending it to the server.

Is there any way to override such zk methods in my application?

link publish delete flag offensive edit

answered 2012-09-06 09:37:03 +0800

dis gravatar image dis flag of Switzerland
140 4

use ssl/https and a valid certificate which is signed from an official certificate authority (like verisign or thawte).

This the best way to secure your web app. Everything else is not not worth the time you spend. Of course, you can modify au.js or other scripts, but attackers would also be able to see those scripts and reverse engineer them.

Even though burp is able to intercept ssl, it does not mean that ssl is not safe. burp uses intermediate cerificates, end user will see those burp certificates and not the original ones. Modern browsers detects that and informs the users.

Hope that helps for you.

- Dieter

link publish delete flag offensive edit

answered 2012-09-07 06:04:57 +0800

Ganeshkhakare gravatar image Ganeshkhakare
150 4

Thank you Dis.
First I will try to overide 'ajaxSendNow' and HTTPs is alaways best option for me.

link publish delete flag offensive edit
Your reply
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow

RSS

Stats

Asked: 2012-09-04 10:45:30 +0800

Seen: 208 times

Last updated: Sep 07 '12

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More