We are developing a web-based J2EE application that can be accessed by both browser and non-browser clients, such as customised Java and VB clients. We are doing a review of the security of this application to be assured that our application is impregnable to malicious as well as inadvertent hacking.
What we want to know is how easy it is to modify the HTTP request and response objects. Can somebody trap the request object after it is submitted from the client and make any modification to it (e.g. change the values of the form fields)? Similarly, can the response objects be modified before they are received by the client? What are the ways one can achieve this?
Thanks in advance.
If you are worried about malefic users, why not use HTTPS?
Best regards, Mircea
There are products like Achilles, using which you can trap the request object, modify it and send the request on to the server. This is a request/response interceptor process which runs on the client's machine and keeps listening for requests from a browser. Client-side checks can easily be bypassed by intercepting the request, changing the request parameters and re-sending the request to the intended server. For the server, the Achilles process acts as the client, and the server sends the response to it (which it can manipulate and then pass to the browser, which gets the tampered response).
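Because a proxy on the client's machine can rewrite any form field after the browser's own checks have run, the server has to validate every parameter itself and must not rely on values the client is merely echoing back. The following servlet is an added illustration of that rule for the J2EE setting in this thread; it is not code from the original posts or from any product mentioned. The servlet name, the `sku`/`quantity`/`price` fields and the price list are hypothetical.

```java
import java.io.IOException;
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical order servlet. Every field in the request is treated as
 * attacker-controlled: an intercepting proxy can change it after any
 * JavaScript validation in the browser has already passed.
 */
public class OrderServlet extends HttpServlet {

    // Authoritative price list kept on the server (constructed sample data).
    private static final Map<String, BigDecimal> CATALOG = new HashMap<>();
    static {
        CATALOG.put("SKU-100", new BigDecimal("19.99"));
        CATALOG.put("SKU-200", new BigDecimal("49.50"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sku = req.getParameter("sku");
        // The form also posts a "price" field for display. It is deliberately
        // never read here, so rewriting it in transit changes nothing.
        BigDecimal unitPrice = (sku == null) ? null : CATALOG.get(sku);
        Integer qty = parseQuantity(req.getParameter("quantity"));

        if (unitPrice == null || qty == null) {
            // Unknown SKU or malformed quantity: reject, never "repair" it.
            getServletContext().log("rejected tampered or malformed order from "
                    + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid order");
            return;
        }

        BigDecimal total = unitPrice.multiply(BigDecimal.valueOf(qty));
        resp.setContentType("text/plain");
        resp.getWriter().println("total=" + total);
    }

    /** Accepts only a base-10 integer in the range 1..100; anything else is rejected. */
    static Integer parseQuantity(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,3}")) {
            return null;
        }
        int qty = Integer.parseInt(raw);
        return (qty >= 1 && qty <= 100) ? qty : null;
    }
}
```

The same rule applies to the non-browser Java and VB clients mentioned in the question: their input is no more trustworthy than a browser's, since the request reaches the server through the same interceptable channel.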