Re: prevent client request being intercepted for attack
Thanks guys for the feedback and clarification.

Thanks And Regards
Sibi.Arunachalam
mCruncher

On Fri, May 27, 2022 at 6:06 PM Martin Terra <martin.te...@koodaripalvelut.com> wrote:

> If you browse with a ZAP-associated browser then I assume the https
> connection is with ZAP.
>
> You should only be concerned if you browse with a different browser than
> one associated with ZAP and the same occurs.
>
> Martin
Re: prevent client request being intercepted for attack
If you browse with a ZAP-associated browser then I assume the https connection is with ZAP.

You should only be concerned if you browse with a different browser than one associated with ZAP and the same occurs.

Martin

On Fri 27 May 2022 at 12.46 Arunachalam Sibisakkaravarthi (arunacha...@mcruncher.com) wrote:

> We use HTTPS with TLS.
> Our app has login authentication.
> I am not sure whether it is a valid concern or not.
> I just explain the steps that I followed:
>
> 1. Wicket app runs on 8443 with https with tls
> 2. Owasp ZAP tool runs on 8080
> 3. Start a browser from ZAP with configured app url eg: https://localhost:8443
> 4. Login page is displayed
> 5. Entered credentials and login successful
> 6. I have a form with a name text field and an ajax submit button
> 7. Enter a value "Foo" into name field
> 8. Click the break point in ZAP
> 9. Then click the ajax submit button
> 10. Now the request details shown in clear text on ZAP window (eg:
> _csrf=fc786e60-6be2-5ce3-9f8a-f98679c3bf0d&p%3A%3Aname=Foo)
> 11. I changed the name value to "Bar" in ZAP
> 12. Now I click a button in ZAP to proceed the request
> 13. It is saved successfully with the value "Bar" in the Wicket application.
>
> Here the user entered "Foo" whereas in the application "Bar" is stored.
>
> Is this a valid concern?
>
> Thanks And Regards
> Sibi.Arunachalam
> mCruncher
Re: prevent client request being intercepted for attack
We use HTTPS with TLS.
Our app has login authentication.
I am not sure whether it is a valid concern or not.
I just explain the steps that I followed:

1. Wicket app runs on 8443 with https with tls
2. Owasp ZAP tool runs on 8080
3. Start a browser from ZAP with configured app url eg: https://localhost:8443
4. Login page is displayed
5. Entered credentials and login successful
6. I have a form with a name text field and an ajax submit button
7. Enter a value "Foo" into name field
8. Click the break point in ZAP
9. Then click the ajax submit button
10. Now the request details shown in clear text on ZAP window (eg: _csrf=fc786e60-6be2-5ce3-9f8a-f98679c3bf0d&p%3A%3Aname=Foo)
11. I changed the name value to "Bar" in ZAP
12. Now I click a button in ZAP to proceed the request
13. It is saved successfully with the value "Bar" in the Wicket application.

Here the user entered "Foo" whereas in the application "Bar" is stored.

Is this a valid concern?

Thanks And Regards
Sibi.Arunachalam
mCruncher

On Fri, May 27, 2022 at 4:20 PM Korbinian Bachl <korbinian.ba...@whiskyworld.de> wrote:

> Use HTTPS with TLS
>
> Also note: if you or your service operates within the EU and you don't
> secure this via encryption you are violating the GDPR!
Re: prevent client request being intercepted for attack
Use HTTPS with TLS

Also note: if you or your service operates within the EU and you don't secure this via encryption you are violating the GDPR!

----- Original Message -----
> From: "Arunachalam Sibisakkaravarthi"
> To: "users"
> Sent: Friday, 27 May 2022 09:27:14
> Subject: prevent client request being intercepted for attack

> Hi guys,
> Form submission requests can be intercepted using a third party tool (eg:
> ZAP) to change the data. Is there a way to prevent this attack? How do we
> validate data integrity?
>
> Thanks And Regards
> Sibi.Arunachalam
> mCruncher

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: prevent client request being intercepted for attack
Use https

On Fri 27 May 2022 at 10.27 Arunachalam Sibisakkaravarthi (arunacha...@mcruncher.com) wrote:

> Hi guys,
> Form submission requests can be intercepted using a third party tool (eg:
> ZAP) to change the data. Is there a way to prevent this attack? How do we
> validate data integrity?
>
> Thanks And Regards
> Sibi.Arunachalam
> mCruncher
prevent client request being intercepted for attack
Hi guys,
Form submission requests can be intercepted using a third party tool (eg: ZAP) to change the data. Is there a way to prevent this attack? How do we validate data integrity?

Thanks And Regards
Sibi.Arunachalam
mCruncher
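The steps reported in this thread intercept the user's own request on a proxy whose certificate the ZAP-launched browser trusts, which is why the HTTPS request is visible in clear text in ZAP. TLS protects the path between browser and server, not the content the browser chose to send, so the server cannot know that "Foo" was typed and "Bar" arrived; what it can do is decide which submitted values it accepts. The following is an added example, not code from this thread or from the Wicket project: a Wicket form whose name field is validated on the server before `onSubmit` runs. It assumes Wicket 8 or later (single-argument `AjaxButton` callbacks); the component ids, the accepted-name pattern and the `NoControlCharsValidator` class are hypothetical choices made for this example.

```java
// Added example (not from the thread or the Wicket project). Assumes Wicket 8+.
// Component ids ("form", "name", "save", "feedback"), the name pattern and the
// NoControlCharsValidator class are hypothetical choices for this illustration.
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.markup.html.form.AjaxButton;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.Model;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;
import org.apache.wicket.validation.validator.PatternValidator;
import org.apache.wicket.validation.validator.StringValidator;

public class NamePage extends WebPage {

    /** Rejects values a person would not type into a name field, whatever the client sent. */
    static final class NoControlCharsValidator implements IValidator<String> {
        @Override
        public void validate(IValidatable<String> validatable) {
            String value = validatable.getValue();
            if (value.chars().anyMatch(Character::isISOControl)) {
                validatable.error(new ValidationError().setMessage("Name contains control characters"));
            }
        }
    }

    // Server-side model: only written when every validator has accepted the submitted value.
    private final Model<String> nameModel = Model.of("");

    public NamePage() {
        FeedbackPanel feedback = new FeedbackPanel("feedback");
        feedback.setOutputMarkupId(true);
        add(feedback);

        Form<Void> form = new Form<>("form");
        add(form);

        TextField<String> name = new TextField<>("name", nameModel);
        name.setRequired(true);                                  // empty submissions are rejected
        name.add(StringValidator.lengthBetween(1, 50));          // bounds the stored value
        name.add(new PatternValidator("[\\p{L}][\\p{L} .'-]*")); // letters, spaces and a few punctuation marks
        name.add(new NoControlCharsValidator());
        form.add(name);

        form.add(new AjaxButton("save") {
            @Override
            protected void onSubmit(AjaxRequestTarget target) {
                // Reached only after every validator accepted the submitted value;
                // the server persists what it validated, not what the user saw in the browser.
                String accepted = nameModel.getObject().trim();
                success("Saved: " + accepted);
                target.add(feedback);
            }

            @Override
            protected void onError(AjaxRequestTarget target) {
                // Validation failed: the model is left unchanged and the errors are shown.
                target.add(feedback);
            }
        });
    }
}
```

The matching `NamePage.html` (not shown) needs elements carrying `wicket:id="form"`, `wicket:id="name"`, `wicket:id="save"` and `wicket:id="feedback"`. Whether the intercepted value is "Foo" or "Bar", both pass these rules and both are stored; the validators define the set of values the application is willing to accept from any client, which is the only integrity guarantee a server can give over data the user's own browser submits.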