Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Preventing direct URL access in a J2EE environment

from [Roberto GABERGI] Network Security [Permanent Link]
Subject: RE: Preventing direct URL access in a J2EE environment
Date: Fri, 6 May 2005 11:05:02 +0200 
For our application, we would like to prevent users
from requesting application resources directly.
E.g. browsing to http://localhost/app/method.do?id=5&type=3 
instead of actually clicking on a link that the application provides.


You can do that without any code writing.
You must only install an application firewall in front of your Web application.
The application firewall must have a session manager feature to enable or 
disable browsing on a specific page.
This feature is sometimes called "Dynamic White Page".
When actived, only specific URLs (start pages defined by administrator) can be 
used to enter in the web app.

Best Regards,

Roberto GABERGI (mailto:roberto.gabergi@axiliance.com)
AXILIANCE - http://www.axiliance.com
Web Application Firewall, Citrix ICA Security and Web Single Sign-On


-----Message d'origine-----
De : Kevin Conaway [mailto:kevin.conaway@gmail.com] 
Envoyé : mardi 1 mars 2005 16:20
À : webappsec@securityfocus.com
Objet : Preventing direct URL access in a J2EE environment

For our application, we would like to prevent users from requesting application 
resources directly.  E.g. browsing to
http://localhost/app/method.do?id=5&type=3 instead of actually clicking on a 
link that the application provides.

We would like to do this without a major impact on our code.  I was thinking of 
using the following scenario:

- Currently we have tag libraries that help build all our URLS.  These tag 
libraries would be modified to include a strong cryptographic token that is 
unique to each URL/User combination.  - The token/URL combination would be 
stored in the application context for a pre-determined amount of time.

- Next, we would use a Servlet filter to intercept the URL.  First, deny URLS 
requested without tokens. If a token is passed, verify that matches the token 
stored in the application context for the requested URL.

For the token, I was considering using SecureRandom to generate a random number 
and compute a hash of the random number and the URI being requested.  This 
would be stored along with with URI and the user Id.

Could anyone point out any pitfalls I need to be aware of, or if I'm going 
about things the wrong way?

Thanks

Kevin
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: Preventing direct URL access in a J2EE environment, Roberto GABERGI <=
Previous by Date:  Paros 3.2.1 release, contact
Next by Date:  Announcement: The Web Security Mailing List, contact
Previous by Thread:  Paros 3.2.1 release, contact
Next by Thread:  Announcement: The Web Security Mailing List, contact
Indexes:  [Date] [Thread] [Top] [All Lists]