
I am working on a JSF2 web application, running the web application in Firefox with the Tamper Data tool to test its vulnerability.

When the user/hacker changes the data for an input text or changes the multiple selects via Tamper Data.

Is there any component in JSF which can check for this potential hack and check the values that have been changed? I was thinking whether anything can be done with a PhaseListener; can anybody help with some pointers here?

Joy Chowdhury

1 Answer


When the User/hacker changes the data for input text ...

I'm absolutely not understanding why this would be a problem. Perhaps you're talking about disabled or readonly inputs? Well, you don't need to worry about this. JSF will already skip processing when the input has the readonly="true" or disabled="true" attribute set on the server side.

... or change the multiple selects via Tamper data.

You also don't need to worry about this. JSF will already validate the selected item(s) against the list of available items and generate a Validation Error: Value is not valid in case one of the items doesn't match.

All in all, I have a strong impression that you actually never tried/tested it yourself. You'd better do so before asking a rather rhetorical question and sit back doing nothing.

BalusC
  • BalusC just beat me to it. In addition, if you are afraid of 'man-in-the-middle attacks', just use HTTPS, the only good solution. Most likely you are asking this because of this HDIV thing... _" Integrity : HDIV guarantees integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destiny pages, etc.). Within HDIV this kind of data is known as non editable data. Thanks to this property HDIV helps to eliminate most of the vulnerabilities based on the parameter tampering. "_ – Kukeltje May 26 '15 at 07:49
  • (part 2) Client-side JavaScript frameworks need this, but JSF was designed with security in mind. Everybody that hates JSF for the server-side state stuff will need to fall back to using something like HDIV or make their server-side code more complex. That is why JSF is *good* – Kukeltje May 26 '15 at 07:49
  • @Kukeltje: I've always found that amusing :) – BalusC May 26 '15 at 08:00
  • Well, maybe I have not phrased my question correctly... So can you please help me in understanding whether, by using a PhaseListener, we can get the old value and the new updated value of the input component (text/textarea)? From the Render View phase, I debugged and found out that I am only getting the updated value, not the old value. I need a way to compare the old and new value – Joy Chowdhury May 26 '15 at 19:42
  • With what purpose, exactly? And no, a phase listener is the wrong tool for the job. There's another listener for that, but you'd better first tell the actual functional requirement so that the right solution can be answered. So far now it still sounds like you simply need `readonly="true"` or `disabled="true"` if all you want is an uneditable input field, as indicated by the question in its current form. – BalusC May 26 '15 at 19:52
  • My functional requirement is: "If the user submits his JSF page where the user has done some actions like selecting some checkbox or writing some input in a textbox, his inputs should not be tampered with in any way (before it reaches the server, values should not change), and if in case it happens then it should be logged and redirected to a security violation error page." Hope you understood my problem here. – Joy Chowdhury May 27 '15 at 19:32
  • Apart from (multi)select components (for which JSF has already builtin validation), this can't be checked from server side on. With no single server side language. JavaScript can assist in that, but this can in turn also be spoofed. If you want to prevent man-in-the-middle attacks (e.g. attacked proxy or router which manipulates the HTTP traffic), just use HTTPS instead of HTTP. – BalusC May 27 '15 at 19:56
  • Thanks @BalusC, I have a query: if I use a valueChangeListener for the said component, can I then check the old and new value to check if there has been a spoof? – Joy Chowdhury May 28 '15 at 19:38
  • No. It only compares current model value in server side with new submitted value coming from the client side. It doesn't detect man in the middle attacks. For that, just use HTTPS to prevent it. – BalusC May 28 '15 at 19:39
  • I gather that all this information is not acceptable, or that you actually don't *want* to understand? – BalusC May 29 '15 at 05:49
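The distinction BalusC draws in the answer and comments (readonly/disabled inputs are skipped, select values are checked against the rendered items, free-text values cannot be told apart from tampered ones) as an added, simplified model written for this page; it is not JSF's own code, and the component ids, item lists and request values are constructed for the demo:

```java
import java.util.*;

/** Simplified stand-in for the JSF request-processing behaviour described above; not JSF code. */
public final class TamperCheckDemo {

    /** Outcome of one request: the resulting model values plus any validation errors. */
    public record Result(Map<String, List<String>> model, List<String> errors) {}

    /**
     * @param readonly    component ids rendered with readonly="true"/disabled="true";
     *                    submitted values for them are skipped, as JSF does
     * @param selectItems component id -> the items the server rendered (f:selectItems)
     * @param model       current server-side model values
     * @param submitted   request parameters, possibly altered on the client
     */
    public static Result apply(Set<String> readonly,
                               Map<String, Set<String>> selectItems,
                               Map<String, List<String>> model,
                               Map<String, List<String>> submitted) {
        Map<String, List<String>> updated = new LinkedHashMap<>(model);
        List<String> errors = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : submitted.entrySet()) {
            String id = e.getKey();
            if (readonly.contains(id)) {
                continue; // readonly/disabled: the submitted value is ignored, model value wins
            }
            Set<String> allowed = selectItems.get(id);
            if (allowed != null && !allowed.containsAll(e.getValue())) {
                // UISelectOne/UISelectMany: an item that was never rendered is rejected
                errors.add(id + ": Validation Error: Value is not valid");
                continue;
            }
            // Free-text input: the server cannot distinguish typed from tampered values
            updated.put(id, List.copyOf(e.getValue()));
        }
        return new Result(updated, errors);
    }

    public static void main(String[] args) {
        // Constructed sample: one readonly field, one multi-select, one free-text field
        Map<String, Set<String>> items = Map.of("roles", Set.of("user", "editor"));
        Map<String, List<String>> model = new LinkedHashMap<>();
        model.put("username", List.of("joy"));
        Map<String, List<String>> request = new LinkedHashMap<>();
        request.put("username", List.of("admin"));               // altered readonly field
        request.put("roles", List.of("user", "admin"));          // "admin" was never rendered
        request.put("comment", List.of("typed or altered, same thing to the server"));
        Result r = apply(Set.of("username"), items, model, request);
        System.out.println(r.model());
        System.out.println(r.errors());
    }
}
```

Running it keeps username at its model value, reports the out-of-list role as a validation error, and accepts the free-text comment unchanged, which is exactly why the answer points to HTTPS rather than a listener for the editable fields.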