  1. #1 duracell1234 (Member)

    Segregation of POST and GET request in Servlet

    We have a big application which is implemented in basic servlets. We have GET and POST requests in the servlet. I want to provide them security if any malicious attack happens on the form submit method. I want to make it secure. In detail, suppose any user wants to submit a form or any Ajax request from my application, and he/she changes the method of submission from POST to GET; how will I recognize this?

    I know that the HttpServletRequest object has getMethod(), but how will I detect that it has not been changed by Tamper Data/Fiddler/Watir? Please suggest any other way. One more way I googled is using the getQueryString() method, but in a lot of places I have query parameters in my POST request.

    Please let me know if you need any more details on the same.

    Thanks.

  2. #2 gimbal2 (Just a guy)

    Why exactly would it be a security issue if the method is changed? What problem are you trying to solve?

    I mean, if changing a request is a problem, then I'd say artificially firing one through one of the myriad options to fire a request is a problem too. A more logical question for me would be: "how can I detect that a client is sending me an unwarranted POST request?"
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis

  3. #3 SurfMan (Godlike)

    Besides the bonus that you can't read it from the URL, POST is no safer than GET: it's still plaintext. With an Ajax request that difference is gone as well, so these methods are basically the same. The fact that YOU can't see the data doesn't mean a "hacker" can't see it (Wireshark anyone?).

    You should never trust data you receive in your servlet. Never. Always check state, user credentials, everything. Don't rely on JavaScript to check your forms. ALWAYS do that on the server.
    "It's not fixed until you stop calling the problem weird and you understand what was wrong." - gimbal2 2013

  4. #4 duracell1234 (Member)

    As gimbal2 said... My question is: how can I detect that a client is sending me an unwarranted POST request?
    Can you guys suggest me any way?
    I want to display an exception or some error page that gives an error like "malicious attack".
    Last edited by duracell1234; 04-08-2014 at 11:32 AM.

  5. #5 Tolls (Moderator)

    Well, that's entirely down to your system.
    What represents an unwarranted request for your system?
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  6. #6 duracell1234 (Member)

    Suppose I am the end user of the application; I tracked the request through Tamper Data and changed the method from POST to GET. How would I track at the server side that it got changed from the client side, so that my doGet() method should not respond to it but should handle this? I want to know the logic/way which I can use to track this. Any generic way to track this?
    Last edited by duracell1234; 04-08-2014 at 01:21 PM.

  7. #7 SurfMan (Godlike)

    doPost() and doGet() are two different methods in a Servlet. If you are only interested in the GET method, implement the doGet() method like you would and let the doPost() return a 401 Unauthorized or 403 Forbidden header.

    If you worry about tampering with the data, then check, check, check!

  8. #8 duracell1234 (Member)

    Thanks, but my system wants to serve both requests. Also, there are a lot of POST requests with query parameters, so this is a critical situation. I want some generic approach to resolve this problem.

  9. #9 gimbal2 (Just a guy)

    I still don't see any kind of explanation about WHY the change of method is in any way a problem. What kind of malicious thing would someone or something be able to achieve by switching from GET to POST that wouldn't be possible to achieve if it stayed a GET request?

  10. #10 Tolls (Moderator)

    Quote, originally posted by duracell1234:
        Suppose I am the end user of the application; I tracked the request through Tamper Data and changed the method from POST to GET. How would I track at the server side that it got changed from the client side, so that my doGet() method should not respond to it but should handle this? I want to know the logic/way which I can use to track this. Any generic way to track this?
    How will the server know that a request has been changed?
    That is what you have to figure out, because it's not clear at all to me how you would do this.

    You say that GET and POST are both valid things to send to the Servlet.
    OK.
    So therefore there must be a difference between the data the GET accepts and the data a POST accepts.
    So simply check that.
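One way to apply what SurfMan (#7) and Tolls (#10) describe, as an added example that is not code from anyone in this thread: a servlet that serves both GET and POST on one URL, where each method accepts only the parameters that belong to it, and anything else is refused with 403 Forbidden and logged. It uses the javax.servlet API; the servlet name and the parameter names ("id", "amount", "toAccount") are invented for the illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** One URL, two methods: GET is a read-only view, POST is the form submission. */
public class TransferServlet extends HttpServlet {
    // Fields that exist only on the method="post" form (names are made up).
    private static final Set<String> FORM_ONLY =
            new HashSet<>(Arrays.asList("amount", "toAccount"));
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The page never issues a GET carrying form fields, so refuse one that does.
        for (String name : FORM_ONLY) {
            if (req.getParameter(name) != null) {
                reject(req, resp, "form field '" + name + "' not accepted on GET");
                return;
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Account " + req.getParameter("id")); // read-only view
    }
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Form fields must arrive in the body; the same name in the URL means the
        // request was assembled by hand, not submitted by the form.
        String query = "&" + (req.getQueryString() == null ? "" : req.getQueryString());
        for (String name : FORM_ONLY) {
            if (req.getParameter(name) == null || query.contains("&" + name + "=")) {
                reject(req, resp, "form field '" + name + "' missing or sent in URL");
                return;
            }
        }
        // Only here, after server-side validation of every field, change state.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
    // PUT, DELETE, ... need no code: HttpServlet already answers them with 405.
    private void reject(HttpServletRequest req, HttpServletResponse resp, String why) throws IOException {
        // Log enough to investigate (GenericServlet.log) without echoing the values.
        log(req.getMethod() + " " + req.getRequestURI() + " from " + req.getRemoteAddr() + ": " + why);
        resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Request rejected");
    }
}
```

Because getParameter() merges query string and body, the doGet() check catches form data that was moved into a URL, while the doPost() check catches form data that was moved from the body into the query string of a POST.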
