On Wed, 4 Dec 2002, Price, Erik wrote:
> Date: Wed, 4 Dec 2002 10:36:49 -0500
> From: "Price, Erik" <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: hiding servlet URLs in JSPs
>
> Hi, simple question (I hope):
>
> Does it really matter if someone can see the naked path to a servlet in the
> "action" attribute of an HTML <form> tag? I mean, if I have this form:
>
> <form method="POST" action="./servlet/SomeServlet">
> <!-- some input tags go here -->
> </form>
>
> anyone can see the URL to my servlet and attempt to send it data directly.
> At first I thought that this was a security problem and that I should
> obfuscate the path to the servlet somehow, but on second thought it strikes
> me that this is no different than someone seeing the path to a CGI script in
> a form either.

It is definitely true that malicious people can see the destination URL and
might try to maliciously send data. Your application needs to include
measures to prevent this from causing you grief.

It is definitely not true that obfuscating the destination URL would make a
bit of difference -- your attacker can still see the obfuscated URL in the
action attribute of the <form> element, and make exactly the same attack.

> Any advice?
>
>
> Erik

Craig

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
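An added example of the kind of "measures" Craig refers to, written for this page and not taken from the thread or from Tomcat: a servlet that accepts a POST only if it carries a token the server itself handed out with the form, and that validates every parameter on the server side, so it makes no difference whether the request came from the JSP or was crafted by hand against the visible URL. The servlet name SomeServlet and the form fields username, quantity and formToken are assumptions for illustration; the JSP shown in the comment is hypothetical, and a package declaration (needed for the JSP to import the class) is omitted.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Hypothetical JSP that renders the form (not part of the original post).
 * The hidden field carries a per-session token that the servlet checks below:
 *
 *   <form method="POST" action="./servlet/SomeServlet">
 *     <input type="hidden" name="formToken"
 *            value="<%= SomeServlet.issueToken(session) %>">
 *     <input type="text" name="username">
 *     <input type="text" name="quantity">
 *     <input type="submit">
 *   </form>
 */
public class SomeServlet extends HttpServlet {

    private static final String TOKEN_ATTR = "SomeServlet.formToken";
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{1,32}");
    private static final SecureRandom RNG = new SecureRandom();

    /** Generates a fresh random token, stores it in the session and returns it for the JSP. */
    public static String issueToken(HttpSession session) {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        StringBuffer hex = new StringBuffer(32);
        for (int i = 0; i < buf.length; i++) {
            hex.append(Integer.toHexString((buf[i] & 0xff) | 0x100).substring(1));
        }
        String token = hex.toString();
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    /** The form only ever POSTs, so a GET cannot have come from it. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. The request must carry the token this server issued with the form.
        HttpSession session = req.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(TOKEN_ATTR);
        String supplied = req.getParameter("formToken");
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or stale form token");
            return;
        }
        session.removeAttribute(TOKEN_ATTR);   // one-shot: a replayed POST fails here

        // 2. Every parameter is validated server-side; whatever the HTML form
        //    constrained in the browser means nothing once the URL is known.
        String username = req.getParameter("username");
        if (username == null || !USERNAME.matcher(username).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad username");
            return;
        }
        int quantity;
        try {
            quantity = Integer.parseInt(req.getParameter("quantity"));
        } catch (NumberFormatException e) {   // also raised for a missing (null) parameter
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad quantity");
            return;
        }
        if (quantity < 1 || quantity > 100) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "quantity out of range");
            return;
        }

        // 3. Only validated data reaches the application logic.
        resp.setContentType("text/plain");
        resp.getWriter().println("accepted " + quantity + " for " + username);
    }

    /** Compares two tokens without leaking the position of the first mismatch through timing. */
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}
```

Nothing here depends on the path ./servlet/SomeServlet being secret: an attacker who reads it out of the page and POSTs directly is stopped by the token check (they hold no session with a token the servlet issued) and, if they do obtain a form legitimately, by the parameter validation. The same token also blocks cross-site request forgery, since a third-party page cannot read the value the JSP embedded.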