-
FEATURED COMPONENTS
First time here? Check out the FAQ!
Hi,
We are evaluating zk with respect to no of parameters in those security is our most important one.
I have one simple zul with one textbox and one button which on clicked alert value of textbox.
<zk>
<textbox id = "t" ></textbox>
<button label = "Click Me" onClick = "alert(t.getValue())"></button>
</zk>
I tried to interrupt button click request using burp proxy and change the actual user entered value of textbox.
Currently zk can not figure out if incoming request content is changed and alerts changed value.
In our current application we generate some checksome code using request content and send it as a request parameter.
At server end we again try to generate same code decides whether our request content is modified or not.
Is there any way in zk to achieve the same using any configuration or extending any client/server side code?
Thank you very much in advance.
Please help me regarding above issue
I think you can introduce Spring Security with ZK
Thank you very much sjoshi
I dont know how we can achive this using spring security and I doubt my team will introduce spring security in our product just for this reason.
But I belive there should be some workarround to get rid of this problem.
I dont think ZK is providing any such thing ..We are facing same issue for update case where we have to know which values are changed by user so fired query for those value which is changed not for all .So we are trying to implement dirty checking for that so if anything changed dirtychecking will tell us..If this workaround for you i will tell you when i will finish to implement it..It will take some time right now i am busy with reordering in Listbox and sorting.
Thanks
I just want to know if someone has changed user entered data in between by interrupting user request at server end.
When I looked at zk source code I found there is javascript file named as "au.js" having a method "ajaxSendNow" is responsible for sending ajax request to the server.
I can override this method and perform some operation on content before sending it to the server.
Is there any way to override such zk methods in my application?
use ssl/https and a valid certificate which is signed from an official certificate authority (like verisign or thawte).
This the best way to secure your web app. Everything else is not not worth the time you spend. Of course, you can modify au.js or other scripts, but attackers would also be able to see those scripts and reverse engineer them.
Even though burp is able to intercept ssl, it does not mean that ssl is not safe. burp uses intermediate cerificates, end user will see those burp certificates and not the original ones. Modern browsers detects that and informs the users.
Hope that helps for you.
- Dieter
Thank you Dis.
First I will try to overide 'ajaxSendNow' and HTTPs is alaways best option for me.
Asked: 2012-09-04 10:45:30 +0800
Seen: 209 times
Last updated: Sep 07 '12