Web tier: servlets, JSP, Web frameworks: URL Tampering
We are facing a security issue with our application (web-based). In a few places we are using GET instead of POST, so the URL is exposed. Therefore, if a user has logged in and wants to see information that does not belong to him by simply changing an id in the URL.
e.g. if he can see the url as http://somehost/webapp/viewrecords?recordId=5
He can modiy it to
and see the record details of records which do not even belong to him.
Even if we change this to POST, it is still not as secure, as it can be easily tampered with.
Any tips on how we can handle this?
Your server-side handler (servlet/cgi/jsp/...) should validate the data in the GET or POST request against the user's permissions.
If you don't already do permissions checks (or you rely on web server acls to sort out permissions), you might be in for some extra design and coding, because these data checks are usually too complex to be resolved into acls.
Save the recordId is the user session. I am assuming every user will have a unique id. Also change the URL to http://somehost/webapp/viewrecorddetails (without the recordId parameter). So when this request comes in retreive the recordId value from the session. Use that value to do your processing and return the result to the user.
That's right. Actually this logic should have been built in right before... i guess we all learn the hard way, but its' back to putting checks in the core classes - as it should be done.