Hi All,
We are developing a web-based J2EE application that can be accessed by both browser and non-browser clients like customised Java and VB. We are doing a review of the security of this application to be assured that our application is impregnable to malicious as well as inadvertent hacking.
What we want to know is how easy it is to modify the HTTP request and response objects. Can somebody trap the request object after it is submitted from the client and make any modification to it (e.g. change the value of the form fields)? Similarly, can the response object be modified before it is received by the client? What are the ways one can achieve this?
Thanks in advance.
Lala
Modifying HTTP request and response objects (2 messages)
- Posted by: Lalatendu Dash
- Posted on: June 22 2004 04:16 EDT
Modifying HTTP request and response objects
- Posted by: Mircea Crisan
- Posted on: June 22 2004 08:48 EDT
- in response to Lalatendu Dash
Hi,
If you are worried about malefic users, why not use HTTPS?
Best regards, Mircea
yes it is possible...
- Posted by: Ashish M
- Posted on: June 25 2004 03:34 EDT
- in response to Lalatendu Dash
There are products like Achilles with which you can trap the request object, modify it and send the request to the server. It is a request/response interceptor process which runs on the client's machine and keeps listening for requests from a browser. The "client side checks can easily be by-passed" by intercepting the request, changing the request params and re-sending the request to the intended server. To the server, the Achilles process acts as the client, so the server sends the response to it (which it can manipulate and send on to the browser, which gets the tampered response).
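
Editor's added example, not code from any poster in this thread: since form fields can be changed after they leave the browser, the server can re-check user-editable fields itself and attach an HMAC to values it issued (such as a hidden price field) so a changed value is detected on submission. The class name, field names, session ids and secret below are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class FormFieldGuard {
    private final SecretKeySpec key;

    public FormFieldGuard(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** Tag for a value the server places in a hidden field, bound to field name and session. */
    public String sign(String sessionId, String field, String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        // Length-prefix each part so ("ab","c") and ("a","bc") cannot produce the same input.
        for (String part : new String[] {sessionId, field, value}) {
            byte[] b = part.getBytes(StandardCharsets.UTF_8);
            mac.update((b.length + ":").getBytes(StandardCharsets.UTF_8));
            mac.update(b);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    /** Accepts the submitted value only if it is the one issued for this session and field. */
    public boolean verify(String sessionId, String field, String value, String tag) throws Exception {
        byte[] expected = sign(sessionId, field, value).getBytes(StandardCharsets.UTF_8);
        byte[] actual = (tag == null ? "" : tag).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    /** Server-side range check for a user-editable field, repeated regardless of browser checks. */
    public static boolean validQuantity(String raw) {
        try {
            int q = Integer.parseInt(raw);
            return q >= 1 && q <= 100;
        } catch (NumberFormatException e) {
            return false; // null, empty or non-numeric input
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; a real deployment loads a random key from protected config.
        FormFieldGuard guard = new FormFieldGuard("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String tag = guard.sign("session-1", "price", "49.99");               // issued with the form
        System.out.println(guard.verify("session-1", "price", "49.99", tag)); // value as issued
        System.out.println(guard.verify("session-1", "price", "0.01", tag));  // value changed after issue
        System.out.println(guard.verify("session-2", "price", "49.99", tag)); // tag reused in another session
        System.out.println(validQuantity("-5"));                              // out-of-range quantity
    }
}
```

Only the first `verify` call prints `true`; the changed value, the tag reused under another session, and the out-of-range quantity are all rejected by the server.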