Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Preventing direct URL access in a J2EE environment

from [Kevin Conaway] Network Security [Permanent Link]
Subject: Preventing direct URL access in a J2EE environment
Date: Tue, 1 Mar 2005 10:19:37 -0500 
For our application, we would like to prevent users from requesting
application resources directly.  E.g. browsing to
http://localhost/app/method.do?id=5&type=3 instead of actually
clicking on a link that the application provides.

We would like to do this without a major impact on our code.  I was
thinking of using the following scenario:

- Currently we have tag libraries that help build all our URLS.  These
tag libraries would be modified to include a strong cryptographic
token that is unique to each URL/User combination.  - The token/URL
combination would be stored in the application context for a
pre-determined amount of time.

- Next, we would use a Servlet filter to intercept the URL.  First,
deny URLS requested without tokens. If a token is passed, verify that
matches the token stored in the application context for the requested
URL.

For the token, I was considering using SecureRandom to generate a
random number and compute a hash of the random number and the URI
being requested.  This would be stored along with with URI and the
user Id.

Could anyone point out any pitfalls I need to be aware of, or if I'm
going about things the wrong way?

Thanks

Kevin
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: storing SSNs, CCNs, password in the DB, Jeff Robertson
Next by Date:  RE: storing SSNs, CCNs, password in the DB, McAllister, Andrew
Previous by Thread:  Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], Jeremiah Grossman
Next by Thread:  Re: Preventing direct URL access in a J2EE environment, Saqib Ali
Indexes:  [Date] [Thread] [Top] [All Lists]