Web applications are becoming more popular software for the customer. As web application go online, security parts need to be pay attention to. Problems arise when the application can not distinguish between legitimate and illegitimate requests coming from a browser.
Through a Web browser, I touch my account information. I also touch your account information. Web application server need to validate whether I have permission to touch your account information. However, server side form date validation is really time consuming and sometimes it is nearly impossible, especially for existing web application system.
In this paper, an DES two-ways encryption/decryption are introduced in the form data validate in the web application.
Using GET/POST, some sensitive data are display in the user HTML forms or URL. For example:
http://www.yourdomain.com/accounts/editAccount.do?aId=5
Anyone can easily change the aId value and submit the changed URL to the server. One solution for this is check this user permission on the server side. Another way, we also can check whether client changed the aId, I means the aId I passed and the aId I receive.
To see whether client changes the sensitive data, the DES encrypting algorithm is used in the system. The example code is list at the end of this paper[1]:
For the above URL, I encrypted the sensitive data with the DES algorithm before passing it to the remote client. Now the client browser get the following URL:
http://www.yourdomain.com/accounts/editAccount.do?aId=SMsDoJFsmlc=5
As above example, the encrypt result is “SMsDoJFsmlc=”, the original value is “5”. When the client submit this URL to the server side, I get the encrypted aId from the request, call the decrypt(String) and get the original value.
Now suppose we change the aId as something else, this will make the decrypt result and original data value does not match. We know the client changed the value and just reject the client request.
No comments:
Post a Comment