Hi Jonathan,

Thanks for taking the time!

Yes, an application error page is displayed on most of the attacks.

I'm thinking of implementing input validation, where I can "catch" and
"filter" the malicious values that trigger the error. I don't know if there
is a generic way that Tapestry 4.1 can do that, or whether I'm missing
something to avoid it.

Some examples:

- SQL injection values like  %27%3B  and  \'%20having%201=1--
- Cross-site scripting values like  <script>.... </script>
- Making some parameters null.

These malicious values can be inserted in the sp parameters of a URL, or
even in hidden parameters within a form.

Thanks,
Adriana B
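
As an added example, not part of this thread and not Tapestry's own code: a generic servlet Filter (javax.servlet) that screens every request parameter against an allowlist before the Tapestry application servlet parses it, logs the rejection for detection, and forwards to an error page instead of letting the framework throw. The class name ParameterScreeningFilter, the allowlist pattern, the length bound and the /error.html path are assumptions to be tuned to what the application's own links and hidden fields actually emit.

```java
// Added example: a generic servlet Filter that screens request parameters
// before they reach the framework. It is not Tapestry code; the class name,
// the allowlist and the error-page path are assumptions for illustration.
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ParameterScreeningFilter implements Filter {

    // Allowlist of characters the application's own links and hidden fields
    // legitimately use. Quotes, backslashes, semicolons and angle brackets are
    // absent, so the payloads quoted in the thread (once the container has
    // URL-decoded them) are rejected before the framework ever sees them.
    // Tune this to the application; an allowlist, not a blocklist, is the point.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9 ._:/@,=+-]*");

    // Upper bound on a single parameter value; oversized values are a tampering signal too.
    private static final int MAX_LENGTH = 512;

    private String errorPage = "/error.html";   // assumed default, overridable via init-param
    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
        String configured = config.getInitParameter("errorPage");
        if (configured != null) {
            errorPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String offending = firstRejectedParameter(request.getParameterMap());
        if (offending != null) {
            // Record who, where and which parameter for detection, without
            // echoing the payload itself back into the log or the browser.
            context.log("Rejected request from " + request.getRemoteAddr()
                    + " to " + request.getRequestURI()
                    + ": parameter '" + offending + "' failed screening");
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            request.getRequestDispatcher(errorPage).forward(request, response);
            return;   // the framework never parses the tampered request
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns the name of the first parameter whose name or any value fails the
     * allowlist or length bound, or null when every parameter passes.
     * Accepts the raw Map returned by getParameterMap() on older servlet APIs.
     */
    static String firstRejectedParameter(Map<?, ?> parameters) {
        for (Map.Entry<?, ?> entry : parameters.entrySet()) {
            String name = (String) entry.getKey();
            if (!SAFE_VALUE.matcher(name).matches()) {
                return name;
            }
            for (String value : (String[]) entry.getValue()) {
                if (value.length() > MAX_LENGTH || !SAFE_VALUE.matcher(value).matches()) {
                    return name;
                }
            }
        }
        return null;
    }

    public void destroy() {
    }
}
```

Mapped in web.xml with a filter-mapping on the same URL pattern as the Tapestry application servlet, the filter runs before the framework decodes sp, so the three payloads quoted above are turned away as a 400 with the application's own error page rather than the framework's. It does not cover the removed-hidden-parameter case: whether a missing parameter is acceptable is per-page knowledge, so that check belongs in the listener method, which should treat a missing or unexpected value as a handled "not found" condition rather than letting an exception reach the error page.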


Jonathan Barker wrote:
> 
> Adriana,
> 
> When you say your application "crashes", do you mean that the Tapestry error
> page is displayed?
> 
> You can substitute in your own error page, but beyond that, what would you
> want the behavior to be if invalid data is used?
> 
> Jonathan
> 
> On Tue, Jul 28, 2009 at 8:16 PM, Adriana B <albojorq...@yahoo.com> wrote:
> 
>>
>> Hi
>>
>> I have the following issues on Tapestry 4.1.3, wonder if you can help me.
>>
>> While submitting the application to some security tests like
>>
>> - Modifying sp parameter on url generated by DirectLink
>> - Removing "hidden" parameters under a form
>> - Removing if_*** parameters under a form
>>
>> our application crashes. Is there any way to validate and avoid this?
>>
>> Thanks,
>> Adriana B
>> --
>> View this message in context:
>> http://www.nabble.com/Tapestry-4.1-How-to-protect-from-%22malicious%22-change-on-parameters--tp24710242p24710242.html
>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>
>>
> 
> 
> -- 
> Jonathan Barker
> ITStrategic
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Tapestry-4.1-How-to-protect-from-%22malicious%22-change-on-parameters--tp24710242p24746372.html
Sent from the Tapestry - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
