Sorry for my bad English.
I have this little part of my code that gets a value from a Servlet and i show it.
<form method="post" action="rent">
<div class="card-body">
<h4 class="card-title">Office Number: ${o.id}</h4>
<input type="hidden" value="${o.id}" name="officenumber">
</div>
</form>
To be able to get that value and send it to another servlet i use an input with hidden type. Then, i catch it in my servlet
int officenumber = Integer.parseInt(request.getParameter("officenumber"));
RequestDispatcher rd;
request.setAttribute("officenumber ", officenumber );
rd = request.getRequestDispatcher("/rent.jsp");
rd.forward(request, response);
Then i show it in a new JSP. The problem is that everybody can use "Inspect Element" tool, change the value from my hidden input and the new inserted value will be sended.
Is it anyway to avoid that?. Thanks in advance.
that's why you should not rely on elements coming from the client.
there must be a verification done on server.
i suggest reading on putting the logged-in user's id on session,
and when receiving a request, you need to make sure the office-id belongs to the user, and the user has permissions to change/ delete it.
You should definitely store the "hidden input" on server side and should not let the user send that value to you. If you need the user to send the value for some reasons, you should authenticate the user (login, password, pin, or any method) and then validate the value that is given to you.
There is a possibility of XSS attack in such case. What you can do is provide a Encoding of text for parameter named officenumber at client side. Later decode that text at server-side.
You can apply rules from OWASP cheat sheet as per you requirement.
By doing this, Even though the value is changed at client side it will not harm/break your server side code.
Note: Anyone change the value of input parameters of a form before submitting it, So its a developer's responsibility to provide security to the code/Application.
Related
I have a page that does a redirect to another page however a parameter is passed in the redirect. In the Controller there is a url mapping that matches the url with a GET method. The get method takes the parameter and sets values on the display. The url looks like this:
http://localhost:1234/appName/pageName.htm?recNo=123
However it is very easy for the user to change the parameter value from 123 to any value and then refresh the page. Once the recNo the user enters is valid and the page is refreshed the data will be displayed. I want to allow the user to only be able to view the record for the recNo that was passed. I do not want the user to be able to modify the parameter in the url.
What is the best approach to handling this in Spring MVC? The method must be a GET aftr the page is redirected.
If you're request must be GET.. it means it must be stateless. It should not rely on what the user did in the last request, which also means that all the information required for the GET request to be executed properly should be contained within the GET request.
With that in mind, the only way to pass information in the URL is by making it a part of the URI, or as a URL parameter.
So either /app/product/123 or /app/product?id=123
This exposes the URL to possible security vulnerability where the user can manipulate the id in the url,
There are two solutions:
Implement a more robust system in the backend to check that the id referenced in the GET url is associated / allowed for the user who is trying to access the URL. Basically be more explicit and deliberate about asserting your security constraints. This method will fail if your users are unauthenticated users. (No login needed).
The second solution is to expose an encrypted and encoded version of the id in the url. You should use a two way encryption though. So when the POST request completes, it encrypts and encodes the id and appends it to the subsequent GET request. When the GET request is received you decode and decrypt the url parameter to get the real id and show appropriate content. This method basically implies that it would be very difficult for a user to manipulate an ecrypted parameter such that it could be decrypted to produce a valid number. I often use AES encryption and Base 64 encoding.
Hope this helps.
if you are redirecting to page in the same application you can store this info in session use #SessionAtrribute
Assumption: If it is not mandatory to use "get" method.
I think, you can hide the parameters in URL by using "post" method , instead of "get" method.
In HTML form, you can add method="post" . Below is the example:
<form action="hello" method="post">
<input type="text" name="name" /> <br>
<input type="submit" title="Submit">
</form>
The problem is pretty simple but I cant find a straight-forward solution online.
I have a document template, which I want to be able to populate with information (different information, more than once) and then print. My initial thought was to create a html template, and then send a parsed version to the print.
I suppose there is more than one question here:
What is the best approach to solve this problem?
If the HTML parsing is the best solution can someone point me in the correct direction as I dont know where to start.
Thanks.
-- EDIT: a better example to clear up any confusion.
On a java GUI program, the user is able to pull up a customers information. I wish them to be able to print an invoice at the click of a button. My current problem is deciding how to populate the invoice with the customers information and send it to the printer.
I would go for a web HTML form. Let the user populate the input fields and pass them in the POST body when a form submit button is pressed. Then you analyze the input and create the final document version (on the server) and only then return the document to the client with an appropriate MIME type in the response header (that's how you enable the printing).
For example (simple form with submit button)
<form name="input" action="html_form_action.asp" method="get">
Username: <input type="text" name="user">
<input type="submit" value="Submit">
</form>
EDIT:
For building document template take a look on playframework.
What I want to do:
I have a form with a lot of fields(nick, email, name, surname, etc.) but the user has to fill Nick and Email first in order to be able to fill the other fields(this is because we want to check that the nick and mail aren't in use by another client before he can introduce the rest of his information(name, surname, etc.)).
So, the user introduces Nick and Email and then he must press a button named "Validate", if the values are available(successful validation) then the rest of the fields are enabled and the user can continue filling the form, otherwise the fields stay disabled and an error is showed to the user.
The form will be located in a JSP, it will be submitted to a Servlet, once in the servlet I must validate the information that is in the form(i have a .JAR file included in this servlet, the validation consists in calling a function from that library, the function returns a boolean) and then I must return back to the same JSP the boolean that will represent the result of the validate function.
Now in the JSP I must enable(or not, depending on the value of the boolean) the rest of the TextFields.
I'm not sure if this is right but i was trying to submit with the button and at the same time run a javascript(onclick) that will use this boolean value that the servlet sends back to the JSP after making the validation. The javascript consists on an IF sentence that evaluates the boolean and if it's true then it enables all the fields on the JSP.
Problems so far:
I was able to send the Nick and Email from the JSP to the Servlet and to make the validation of the values, now i have the boolean but i have no idea on how to send it from the Servlet to the same JSP and use it in the onclick event of the same button I used to submit the info. I don't even know if it's possible to do this...
I'd be grateful if someone could give me a hand with this, i'm newbie in Java programming so i would appreciate simple explanations if possible.
Also, if there is a better way of doing what i want please share it, and if there are any doubts ask and i will try to explain it better.
There is no need for JavaScript at all.
In your servlet you can store the validation result into the request context:
req.setAttribute('checkResult', checkResult);
where req is of type HttpServletRequest and checkResult is a Boolean.
Then you can forward to your JSP:
RequestDispatcher dispatcher = req.getRequestDispatcher("/your.jsp");
dispatcher.forward(req, resp);
In your JSP you can set your form elements as read only depending on the attribute checkResult which you have put into the request context:
<textarea name="text" cols="50" rows="10"
<%= request.getAttribute("checkResult") != null && request.getAttribute("checkResult") ? "" : "readonly" %>
>...</textarea>
So if the check is not valid then the <textarea> element will contain the readonly attribute. Otherwise readonly is not present.
As Roy mentioned AJAX is best suited for your problem. You can use DWR! , it makes normal java classes available as AJAX services, just call the method on them and get the result. So easy.
I think AJAX is more suitable for your application, which will not require to submit the whole form and you can send back the validation flag as plain responseText or well-formatted responseXML. Also you can use a lot of good javascript library such as jQuery that helps you send an AJAX request quickly and simply.
I am using Struts and Java. The problem is that I have a page with some results. The user can click an item and edit it. I want after editing the user to be able to return back to the results. Back isn't broken but if he submits the form for update he would have to click back 2 times I think and may have problem.
I have tried header("Referer") but this doesn't work in Internet Explorer.
I am trying to implement a solution. Any ideas? My idea is to save url and move around an ID of that url. And when I want to return back get the url from ID. Storing it in the session is not a solution because the user may have opened multiple windows.
Passing a URL as a request parameter may create security issues. Powerlord is right that the USER can alter the referrer header. This will allow the user to visit a page, something they can do anyway. More seriously, following a URL that is in a request parameter allows an attacker to send the user to a page of the attacker's choice, with the appearance that this page is recommended by your application. So the answer from BalusC can enable Cross-Site Request Forgery.
The best way is to pass it around as a request parameter. On the edit link or button, just pass the current URL along as request parameter. Here's an example with a link:
edit
Or if it's a button to submit a form, then rather pass it as hidden input value in the same form:
<input type="hidden" name="from" value="${pageContext.request.requestURI}">
In the page with the edit form, transfer it to the subsequent request as hidden input value of the form:
<input type="hidden" name="from" value="${param.from}">
In the action method, just redirect to that URL after finishing the action. Since I don't do Struts, I can't give a detailed Struts example, but here is how you would do it with "plain vanilla" Servlet, you must be able to port it to a Struts approach:
response.sendRedirect(request.getParameter("from"));
I'm trying to fill-out a form automatically and press a button on that form and wait for a response. How do I go about doing this?
To be more particular, I have a a --HUGE-- collection DNA strains which I need to compare to each-other. Luckily, there's a website that does exactly what I need.
Basically, I type-in 2 different sequences of DNA and click the "Align Sequences" button and get a result (the calculation of the score is not relevant).
Is there a way to make a Java program that will automatically insert the input, "click" the button and read the response from this website?
Thanks!
You can use the apache http client to send a request to a web site.
Look at the source to the page in question, and you'll find the part. This contains all the fields that need to be sent to the server. In particular, you'll see that it needs to be sent as a Post, rather than the more common Get. The link above shows you how to do a post with the http client code.
You'll need to provide a nameValuePair for every field in the form, such as these ones:
<input type="hidden" name="rm" value="lalign_x"/>
<input type="checkbox" name="show_ident" value="1" />
<textarea name="query" rows="6" cols="60">
It will probably take some trial and error for you to get all the fields set up correctly. I'd recommend doing this with small data sets. Once it all seems to be working, then try it with your bigger data.
In Python you can use mechanize library (http://wwwsearch.sourceforge.net/mechanize/). It's quite simple and you doesn't need to know Python very well to use it.
Simple example (filling login form):
br = Browser()
br.open(login_link)
br.select_form(name="login")
br["email"] = "email#server.com"
br["pass"] = "password"
br.submit()
You could probably do this using Selenium.