Hi,
I have a question regarding security on a web page developed using JSP & Servlets.
Let's imagine the following scenario; I'll simplify so you can understand my problem:
listProducts.java
Servlet that makes a select on the database, for a list of products, then puts the data in the request, and forwards it to "listProducts.jsp".
Servlet is url-mapped to: "/listProducts".
URL: http://www.whatever-domain.com/products/listProducts
listProducts.jsp
Displays the list of products. Each one has an ID, which equals the primary key on the database.
If the user clicks a product, I'll call "deleteProduct?ID=12" (for example to delete product with id=12).
The list of products is different for each user logged in (user info on session), so it's not just a dump-all list. Let's imagine something like ... "User can delete only the products he has inserted".
URL: http://www.whatever-domain.com/products/listProducts.jsp (if accessed directly without going through the above servlet, there will be no data shown)
deleteProduct.java
It's the Servlet that deletes the products. It reads the ID from request, then it will execute the delete on the database (actually it calls a bean, which might call a Stored Procedure, but let's make it simple).
After that, it forwards to "deleteProduct.jsp".
Servlet is url-mapped to: "/deleteProduct".
URL: http://www.whatever-domain.com/products/deleteProduct
deleteProduct.jsp
Just a regular JSP file that displays a message like: "Product XYZ was Successfully Deleted!".
URL: http://www.whatever-domain.com/products/deleteProduct.jsp (if accessed directly without going through the above servlet, there will be no message shown)
This works great, to some extent ... now I'll have to correct an ENORMOUS BUG ...
If a smart user sees the list, he can view the code and see the list coding as well ... and can see something like:
ID=1 - Product A
ID=2 - Product B
ID=3 - Product C
If he clicks the product on the web page, he deletes one of those products listed ... one of his own products, so no problem here. But if he types the address:
http://www.whatever-domain.com/products/deleteProduct?ID=5
He is directly calling the servlet that deletes products, and will in fact delete the product id=5, which belongs to another user ...
Now I could, in the "deleteProduct.java" servlet, re-check if the ID belongs to the user, but the matter is a bit more complicated than that, and I want to avoid unnecessary repeated code (also I didn't do it in the first place).
So before I start coding some nasty code, I would like to hear some opinions on how I could control this ... with something like (correct/point me somewhere):
1# How can I see if the access on a particular Servlet was made through "direct access" (by typing on the address bar of any browser)?
2# And if I can implement #1, will a user be able to "change" the html code or javascript functions "on-the-run"? I mean, if you type "javascript:alert('ok');" on the address bar, you'll have an alert box displayed ... can a user use this to access/change the HTML DOM?
These situations make me think about the current security of the billions of web pages around ... many of them must be secure for sure ...
Thank you for your attention, and for your much appreciated help.
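As an added example (not the poster's code), here is how the check mentioned in the post ("re-check if the ID belongs to the user") can live in one place: the servlet's DELETE carries the owner predicate, so the server never has to know whether the request came from a link or a typed URL, which it cannot reliably tell anyway. Assumptions: a `products(id, owner_id)` table, a `userId` session attribute set at login, a JNDI-provided DataSource, and deletes sent by POST rather than the GET link in the post.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Added example, not the poster's code: the ownership check is part of the
// DELETE itself, so a foreign ID matches zero rows however the request arrived.
public class DeleteProductServlet extends HttpServlet {
    private DataSource dataSource; // assumed: looked up via JNDI in init()

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity comes from the server-side session, never from the request
        Integer userId = (Integer) req.getSession().getAttribute("userId");
        if (userId == null) {                      // not logged in
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        int productId;
        try {
            productId = Integer.parseInt(req.getParameter("ID"));
        } catch (NumberFormatException e) {        // missing or non-numeric ID
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (deleteOwnedProduct(productId, userId)) {
            req.getRequestDispatcher("/products/deleteProduct.jsp").forward(req, resp);
        } else {
            // "does not exist" and "not yours" get the same answer, so IDs cannot be probed
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
    boolean deleteOwnedProduct(int productId, int userId) throws ServletException {
        String sql = "DELETE FROM products WHERE id = ? AND owner_id = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, productId);
            ps.setInt(2, userId);
            return ps.executeUpdate() == 1;
        } catch (SQLException e) {
            throw new ServletException("delete failed", e);
        }
    }
}
```

Because the owner predicate is in the SQL, the same statement serves every caller and there is no separate "does this ID belong to the user" query to keep in sync.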