Posted to users@wicket.apache.org by Arunachalam Sibisakkaravarthi <ar...@mcruncher.com> on 2022/05/27 07:27:14 UTC

prevent client request being intercepted for attack

Hi guys,
Form submission requests can be intercepted using a third-party tool (e.g.
ZAP) to change the data. Is there a way to prevent this attack? How do we
validate data integrity?



Thanks And Regards
Sibi.Arunachalam
mCruncher

Re: prevent client request being intercepted for attack

Posted by Martin Terra <ma...@koodaripalvelut.com>.
Use HTTPS


Re: prevent client request being intercepted for attack

Posted by Arunachalam Sibisakkaravarthi <ar...@mcruncher.com>.
Thanks guys for the feedback and clarification.



Thanks And Regards
Sibi.Arunachalam
mCruncher



Re: prevent client request being intercepted for attack

Posted by Martin Terra <ma...@koodaripalvelut.com>.
If you browse with a ZAP-associated browser, then I assume the HTTPS
connection is with ZAP.

You should only be concerned if you browse with a different browser than
the one associated with ZAP and the same occurs.

Martin


Re: prevent client request being intercepted for attack

Posted by Arunachalam Sibisakkaravarthi <ar...@mcruncher.com>.
We use HTTPS with TLS.
Our app has login authentication.
I am not sure whether it is a valid concern or not.
I will just explain the steps that I followed.

1. Wicket app runs on 8443 with HTTPS with TLS
2. OWASP ZAP tool runs on 8080
3. Start a browser from ZAP with the configured app URL, e.g. https://localhost:8443
4. Login page is displayed
5. Entered credentials and login was successful
6. I have a form with a name text field and an Ajax submit button
7. Enter the value "Foo" into the name field
8. Click the break point in ZAP
9. Then click the Ajax submit button
10. Now the request details are shown in clear text in the ZAP window (e.g.
_csrf=fc786e60-6be2-5ce3-9f8a-f98679c3bf0d&p%3A%3Aname=Foo)
11. I changed the name value to "Bar" in ZAP
12. Now I click a button in ZAP to let the request proceed
13. It is saved successfully with the value "Bar" in the Wicket application.

Here the user entered "Foo" whereas "Bar" is stored in the application.

Is this a valid concern?

Thanks And Regards
Sibi.Arunachalam
mCruncher


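An added example (editor's code, not from the thread and not part of the Wicket project) showing the server-side handling of the procedure described above. In that procedure the proxy is the client: a browser launched from ZAP trusts ZAP's certificate, so TLS terminates at ZAP and the user is rewriting their own request. TLS protects the bytes from a third party on the path; it cannot tell the server that "Foo" was typed when "Bar" arrives, and the `_csrf` token in the captured request guards against cross-site forgery, not against the requester editing the request. What the server can enforce is what a field may contain (required, bounded length, allow-listed characters) and that anything the client must not control, here the identity of the user whose record is updated, comes from the authenticated server-side session rather than from a request parameter. `NameStore`, the `userId` session attribute and the page markup are hypothetical; the Wicket classes and method signatures are those of Wicket 8/9.

```java
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.markup.html.form.AjaxButton;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.Model;
import org.apache.wicket.validation.validator.PatternValidator;
import org.apache.wicket.validation.validator.StringValidator;

/**
 * Added example, not code from the thread: a form whose "name" field is
 * validated on the server, so a value rewritten in an intercepting proxy is
 * accepted only if it would also have been accepted when typed by the user.
 *
 * Assumed markup (NamePage.html):
 *   <div wicket:id="feedback"></div>
 *   <form wicket:id="form">
 *     <input wicket:id="name" type="text"/>
 *     <button wicket:id="save">Save</button>
 *   </form>
 */
public class NamePage extends WebPage {

    /** Hypothetical persistence hook; stands in for the real service. */
    public interface NameStore {
        void save(String userId, String name);
    }

    public NamePage(NameStore store) {
        FeedbackPanel feedback = new FeedbackPanel("feedback");
        feedback.setOutputMarkupId(true);
        add(feedback);

        Form<Void> form = new Form<>("form");
        add(form);

        // Server-side constraints. The proxy can rewrite the bytes on the wire,
        // but whatever arrives is checked here before onSubmit() ever runs.
        TextField<String> name = new TextField<>("name", Model.of(""));
        name.setRequired(true);                                // empty -> validation error
        name.add(StringValidator.lengthBetween(1, 64));        // bound the size
        name.add(new PatternValidator("[\\p{L}\\p{N} .'-]+")); // allow-list, not deny-list
        form.add(name);

        form.add(new AjaxButton("save", form) {
            @Override
            protected void onSubmit(AjaxRequestTarget target) {
                // Whose record is updated comes from the authenticated session,
                // never from a request parameter the client could rewrite.
                // "userId" is a hypothetical attribute set at login.
                String userId = (String) getSession().getAttribute("userId");
                if (userId == null) {
                    error("Not logged in");
                    target.add(feedback);
                    return;
                }
                // Only validated input reaches this point. "Foo" and "Bar" are
                // both legal names, so either is stored, but only for this user.
                store.save(userId, name.getModelObject());
                info("Saved");
                target.add(feedback);
            }

            @Override
            protected void onError(AjaxRequestTarget target) {
                // Validation failed (for example the proxy injected 500
                // characters or markup): nothing is stored, and the
                // validator messages are rendered in the feedback panel.
                target.add(feedback);
            }
        });
    }
}
```

Wicket runs the validators during form processing, before `onSubmit()` is called; a tampered value that breaks the allow-list ends in `onError()` and is never passed to the store. A value that passes, such as "Bar" in the steps above, is by construction one the application would also have accepted from the keyboard, which is the only notion of integrity a server can enforce against its own client.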

Re: prevent client request being intercepted for attack

Posted by Korbinian Bachl <ko...@whiskyworld.de>.
Use HTTPS with TLS

Also note: if you or your service operates within the EU and you don't secure this via encryption, you are violating the GDPR!



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org