You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Adriana B <al...@yahoo.com> on 2009/07/30 22:05:02 UTC

Re: Tapestry 4.1 How to protect from "malicious" change on parameters?

Hi Jonathan,

Thanks for taking the time!

Yes, an application error page is displayed on most of the attacks.

I'm thinking of implementing input validation, where I can "catch" and
"filter" the malicious values that trigger the error. I don't know if there
is a generic way that Tapestry 4.1 can do that, or if I'm missing something to
avoid it.

Some examples:
SQL Injection malicious values like = %27%3B     and  \'%20having%201=1--
Cross-site Scripting values like = <script>.... </script>
Making null some parameters.

These malicious values can be inserted in the sp parameters of a URL, or
even in hidden parameters within a form.

Thanks,
Adriana B


Jonathan Barker wrote:
> 
> Adriana,
> 
> When you say your application "crashes" do you mean that the Tapestry
> error
> page is displayed?
> 
> You can substitute in your own error page, but beyond that, what would you
> want the behavior to be if invalid data is used?
> 
> Jonathan
> 
> On Tue, Jul 28, 2009 at 8:16 PM, Adriana B <al...@yahoo.com> wrote:
> 
>>
>> Hi
>>
>> I have the following issues on Tapestry 4.1.3, wonder if you can help me.
>>
>> While submitting the application to some security tests like
>>
>> - Modifying sp parameter on url generated by DirectLink
>> - Removing "hidden" parameters under a form
>> - Removing  if_***  parameters under a form
>>
>> our application crashes. Is there any way to validate and avoid this?
>>
>> Thanks,
>> Adriana B
>> --
>> View this message in context:
>> http://www.nabble.com/Tapestry-4.1-How-to-protect-from-%22malicious%22-change-on-parameters--tp24710242p24710242.html
>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>>
>>
> 
> 
> -- 
> Jonathan Barker
> ITStrategic
> 
> 

-- 
View this message in context: http://www.nabble.com/Tapestry-4.1-How-to-protect-from-%22malicious%22-change-on-parameters--tp24710242p24746372.html
Sent from the Tapestry - User mailing list archive at Nabble.com.




Re: Tapestry 4.1 How to protect from "malicious" change on parameters?

Posted by Jonathan Barker <jo...@gmail.com>.
Adriana,

I guess the bottom line is that you can never trust what comes from the
client.  That's why Tapestry validates fields server-side even when client
side validation is enabled.  That's also why you have to be very careful
about using raw Inserts if you will be outputting data supplied by users.
That's why programmers are not supposed to manually build up SQL queries
with user-supplied values, but instead use parametrized queries.

I periodically get emails from my applications resulting from automated
attacks - generally looking for a login page that does not exist.  In the
early days, the emails were the result of genuine bugs, or curious clients
testing my security.  Now it's just automated crap.

Much of what I do also uses entity-level authorization, so randomly selecting
IDs to pass in a URL will generally result in an authorization error.

Frankly, I'm happy with a generic Ooops message with a note that a problem
report has been sent to the administrator.  I get notified of any real
problems in my applications, and frankly I don't care what the hacker gets.

There is software out there meant to sit in front of web applications to
block known attacks, but why bother?

Just my view.

Jonathan



-- 
Jonathan Barker
ITStrategic
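What Jonathan describes above, as an added example written for this page rather than code from the thread or from Tapestry itself: a Tapestry 4.1 page class whose DirectLink listener treats the value unsqueezed from the sp parameter as untrusted (the tampered-sp and null-parameter cases from Adriana's list), applies entity-level authorization, and reads the row with a parameterized JDBC query instead of building SQL from the value. The page name OrderDetail, the Home and Forbidden pages, the orders table, and the getConnection()/getCurrentUserId() accessors are assumptions for the sake of the example.

```java
// Added example, not from the mailing-list thread or the Tapestry code base.
// Assumed: a page named OrderDetail, pages named Home and Forbidden, an
// "orders" table with id/owner_id/order_no/total, and the two abstract
// accessors below being supplied by Tapestry's property injection.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.apache.tapestry.IRequestCycle;
import org.apache.tapestry.PageRedirectException;
import org.apache.tapestry.html.BasePage;

public abstract class OrderDetail extends BasePage {

    // Hypothetical injected accessors (assumption, see lead-in).
    public abstract Connection getConnection();
    public abstract long getCurrentUserId();

    // Page property shown in the template via a normal @Insert (raw left false,
    // so the value is HTML-escaped on output).
    public abstract void setOrderSummary(String summary);

    /**
     * Listener for a link such as
     *   <a jwcid="@DirectLink" listener="listener:viewOrder" parameters="ognl:order.id">
     * Tapestry squeezes the parameter into the "sp" query parameter. Anyone can
     * edit that string, so its type, range and ownership are all re-checked here.
     */
    public void viewOrder(IRequestCycle cycle) {
        Long orderId = parseId(cycle.getListenerParameters());
        if (orderId == null) {
            // Missing, null, non-numeric ("';", "<script>") or extra parameters:
            // send the client somewhere harmless instead of letting it hit an exception.
            throw new PageRedirectException("Home");
        }
        String summary = loadOrderForOwner(getConnection(), orderId.longValue(), getCurrentUserId());
        if (summary == null) {
            // Nonexistent and not-yours look identical to the client, so an
            // attacker walking ids learns nothing about which ones exist.
            throw new PageRedirectException("Forbidden");
        }
        setOrderSummary(summary);
    }

    /** Accepts exactly one positive Long; everything else is rejected. */
    static Long parseId(Object[] params) {
        if (params == null || params.length != 1 || !(params[0] instanceof Long)) {
            return null;
        }
        long id = ((Long) params[0]).longValue();
        return id > 0 ? Long.valueOf(id) : null;
    }

    /**
     * Entity-level authorization expressed in the query: the row must match both
     * the requested id and the current owner. Both values are bound parameters,
     * so no user-controlled text is ever spliced into the SQL.
     */
    static String loadOrderForOwner(Connection conn, long orderId, long ownerId) {
        String sql = "SELECT order_no, total FROM orders WHERE id = ? AND owner_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, orderId);
            ps.setLong(2, ownerId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                return rs.getString("order_no") + " / " + rs.getBigDecimal("total");
            }
        } catch (SQLException e) {
            // Let the application's error page and admin notification handle it;
            // the client gets the generic "Oops", not the SQL text.
            throw new IllegalStateException("order lookup failed", e);
        }
    }
}
```

The same pattern covers the hidden-field case: anything a form posts back is re-validated and re-authorized server-side before it is used, and the only thing the client can change by editing or deleting a field is which harmless page it lands on.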