Comments inline.
After I read this thread and the "Get to Post" thread, I have to raise a question that has concerned me for quite a long time: what are good/efficient ways to protect your html page from being hacked by users?
I was once handed a task to download some dynamic text pages from a national weather center to files. It has a login page and several pages for selecting combo boxes or clicking on some radio buttons, and finally the text pages I want show up. Server side is cgi. I used an IE Web Browser component in a simple Visual Basic program simulating this whole process. It ran about 12 hours and saved 30,000+ files. I was actually hacking the html page.
I WON'T SAY IT IS HACKING BECAUSE THE PROGRAM WAS DOING THE SAME THING A PERSON COULD HAVE DONE BUT FASTER. I WOULD HACKING AS SEEING THE HTML PAGES NOT MEANT FOR YOU.
Maybe the above data is not sensitive, but I have seen html pages with javascripts that, after you enter your username and password, will pull all sorts of your account data from datek. You can even trade stock with these user written html pages. These are certainly very sensitive data.
WERE THESE DATA SENSITIVE IN THE SENSE THAT NOBODY SHOULD HAVE SEEN THAT? IT IS UP TO THE ADMINISTRATORS TO CHECK WHETHER THEIR SITE IS BEING USED FOR THE PURPOSE IT IS MEANT FOR BY LOOKING AT THE LOGS OR ... WHAT I AM SAYING IS ONE CAN WRITE A SCRAPER WHICH CAN TAKE CONTENT FROM WEBSITES AND PUT IT IN A DATABASE AND SHOW IT AS THEIR OWN.... IT IS DIFFICULT TO AVOID, ESPECIALLY IF THE SCRAPER IS WRITTEN SMARTLY TO AVOID THESE CATCHES.
WHAT I WOULD SAY IS THAT IF YOUR SITE IS SUCH THAT IT CAN BE "HACKED" BY A USER, IT CAN BE DONE BY PROGRAMS TOO.
Will the HttpSession from the servlet engine make life easier for the servlet to detect that a request is submitted from a hacked html page? Or do we have to use ad hoc methods without any help from the servlet container in this regard, such as server side cookies, always using post, encoding URLs, etc.?
Anyone out there doing such thing please share your experience.
Thanks
Bing
-----Original Message-----
From: Raj Kumar Jha
To: [EMAIL PROTECTED]
Sent: 10/30/00 10:44 PM
Subject: Re: Design and Validation opinion.
Hi Craig,
By validation I meant simple validations for whether the form is properly filled or not. It is a must to validate the data on the server end depending upon the need. Your observations are very true. Thanks for correcting me.
Raj
----- Original Message -----
From: Craig R. McClanahan
To: [EMAIL PROTECTED]
Sent: Monday, October 30, 2000 11:51 PM
Subject: Re: Design and Validation opinion.
Raj Kumar Jha wrote:
> Hi,
> I suppose using javascript on the client side is a much better way, in my opinion. You reduce the load on your server, network traffic and thus gain in speed.
> Regards,
> Raj
>
Using client-side validation *only* is a good way to get your application hacked.
It is trivially simple to write a Java program (and only slightly harder in other languages :-) that submits an HTTP GET or POST request to your application on its own, which therefore bypasses all of your careful client-side editing tests.
Client-side editing is useful in improving your user interface (because you can react to certain classes of errors more quickly), but you should consider server-side validation of everything to be mandatory for any serious application.
Craig McClanahan
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
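As an added example (not code from the thread or from any of its posters), a hypothetical servlet that answers Bing's HttpSession question in the way Craig's reply implies: doGet binds a random one-time token to the caller's HttpSession and embeds it in the form, doPost refuses submissions that do not carry it, and then repeats the form's checks on the server regardless, because a scripted client that first fetches the form obtains a valid token, so the token alone proves nothing about the input. The servlet name, the session attribute name and the `qty` field are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical servlet: the form's JavaScript checks are repeated on the server, unconditionally. */
public class OrderServlet extends HttpServlet {
    private static final String TOKEN_ATTR = "form.token"; // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();
    /** Render the form and bind a fresh one-time token to the caller's HttpSession. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = new BigInteger(128, RNG).toString(16);
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        resp.setContentType("text/html");
        resp.getWriter().println("<form method=\"post\">"
            + "<input type=\"hidden\" name=\"token\" value=\"" + token + "\">"
            + "Quantity: <input name=\"qty\"> <input type=\"submit\"></form>");
    }
    /** Reject POSTs that lack the token issued to this session, then re-validate every field. */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String issued = (session == null) ? null : (String) session.getAttribute(TOKEN_ATTR);
        String sent = req.getParameter("token");
        if (issued == null || !issued.equals(sent)) {
            // No session, or a token never issued for it: the POST did not come through the form
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or stale form token");
            return;
        }
        session.removeAttribute(TOKEN_ATTR); // one-time use, so a replayed POST fails the check above
        String error = validateQuantity(req.getParameter("qty"));
        if (error != null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, error);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("accepted qty=" + req.getParameter("qty"));
    }
    /** Server-side twin of the client-side check; null means the value is acceptable. */
    static String validateQuantity(String qty) {
        if (qty == null || !qty.matches("[1-9][0-9]{0,3}")) return "qty must be 1-9999";
        return null;
    }
}
```

A rejected token is worth logging with the session id, since that is exactly the signal Bing asks the container for; it will not stop a scraper, but it separates hand-built POSTs from ones that went through the form.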