I am sending form data to the Java backend server through the form submit POST method.

I am sending important parameters like the amount to the server. During the testing process, the testers use the Burp Suite software to change the parameters and submit some other amount to the server, and they report this as a vulnerability issue.

How can I send these kinds of parameters to the server so that they cannot be changed by any man-in-the-middle attack?

I have also deployed the application on an HTTPS site, but the same issue still occurs.

Javascript:

Inside the success function of an ajax call, I am submitting the form using the code below: $( "#myForm" ).submit();

Java- Backend server

    @Path("/saveFeeDetail")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.TEXT_HTML)
    //@JWTTokenNeeded
    public Response saveFeeDetails(@Context ServletContext context,
            // every one of these values arrives from the browser and is accepted as-is
            @FormParam("toPayAmthid") String toPayAmt,
            @FormParam("pendingAmthid") String pendingAmt,
            @FormParam("feeIdhid") String feeId,
            @FormParam("feeTypehid") String feesTypeFd,
            @FormParam("payStatushid") String paymentStatus,
            @FormParam("studentIdhid") String stuId,
            @FormParam("paymentFlaghid") String flag,
            @FormParam("courseIdhid") String courseId,
            @FormParam("yearIdhid") String yearId,
            @FormParam("semIdhid") String semId,
            @FormParam("academicyearIdhid") String academicYearId,
            @FormParam("amountPaidhid") String amountPaid,
            @FormParam("paidAmounthid") String paidAmount,
            @Context HttpServletRequest request) {
        getUserRegistrationServiceLog.info("UserRegistrationService Save Fee Details Process method starts here");

        // amountPaid is client-supplied text; parseInt throws NumberFormatException on anything non-numeric
        NumberToWord number = new NumberToWord();
        String numberToText = number.convert(Integer.parseInt(amountPaid));

        List saveFeeDetailsList = userregistrationConfigService.saveFeeDetailsById(stuId, toPayAmt, feesTypeFd, pendingAmt, paymentStatus, feeId, numberToText, courseId, academicYearId, yearId, semId, amountPaid, flag, paidAmount);

        getUserRegistrationServiceLog.info("UserRegistrationService Save Fee Details Process method ends here");

        //return Response.status(200).entity(saveFeeDetailsList).build();
        UriBuilder builder = UriBuilder.fromPath(context.getContextPath());
        builder.path("student/status.jsp");
        HttpSession session = request.getSession();

        // the service result holds the receipt number at index 1 and the bill text at index 2;
        // the original loop set the same two attributes on every iteration, so a guarded single set is equivalent
        if (saveFeeDetailsList != null && saveFeeDetailsList.size() > 2) {
            session.setAttribute("ReceiptNo", saveFeeDetailsList.get(1));
            session.setAttribute("BillText", saveFeeDetailsList.get(2));
        }
        request.setAttribute("receiptList", saveFeeDetailsList);

        return Response.seeOther(builder.build(request)).build();
    }
    
mmathan
  • 1) Where is the Java in this? Post some code so we can see if the server-side code is the problem, although I doubt it is. 2) Can you post any source code of how you send it? If your JavaScript posts via HTTP, it will still be unsafe. Maybe open the Chrome or Firefox debug view and check the Network tab; there you see how things are transported. 3) Users can usually mock API calls with their browser's debug mode easily. If there's unsafe stuff, you should always catch it on the server. – JayC667 Mar 20 '22 at 11:46
  • @JayC667 I have included the code as you required. – mmathan Mar 20 '22 at 12:06
  • To see if your data has been modified, you can hash your POST data, include the hash in the request, and check server-side if the hash is valid. – bera Mar 20 '22 at 12:15
  • @bera Is there any link for reference on how to achieve it? – mmathan Mar 21 '22 at 06:04
  • You can find more information on how to secure a POST request following this [link](https://stackoverflow.com/questions/1008668/how-secure-is-a-http-post) (TL;DR use SSL, encrypt data before posting the request). In my opinion it is way easier to authenticate the user rather than trying to secure the posted data. – bera Mar 21 '22 at 22:48
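A hash computed in the browser, as the comment suggests, does not help here: whoever edits `toPayAmthid` in Burp can recompute that hash too, and HTTPS only protects the bytes between the browser and the server, not what the browser's own user sends. The check only works when the value is bound to a key that never leaves the server. The added example below (my own code, not from the question or any answer; the class name `HmacFormSigner`, the `SECRET` placeholder and the `sighid` field are assumptions) has the server HMAC-sign the hidden fields it rendered and has `saveFeeDetails` verify that signature before trusting them:

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;

/** Hypothetical helper: HMAC-SHA256 over the hidden fields the server itself rendered. */
public class HmacFormSigner {
    // Constructed placeholder; load a random key of at least 32 bytes from server-side config.
    private static final byte[] SECRET = "replace-with-server-only-secret".getBytes(StandardCharsets.UTF_8);
    /** Canonical form: sorted, URL-encoded "name=value" pairs joined by '&', so both sides hash identical bytes. */
    static String canonical(Map<String, String> fields) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(fields).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(e.getKey()).append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }
    static String sign(Map<String, String> fields) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        byte[] tag = mac.doFinal(canonical(fields).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : tag) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    /** Constant-time comparison, so the check does not leak how many bytes of the tag matched. */
    static boolean verify(Map<String, String> fields, String presented) throws Exception {
        byte[] expected = sign(fields).getBytes(StandardCharsets.UTF_8);
        byte[] given = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }
    public static void main(String[] args) throws Exception {
        // When rendering the fee form: sign the values the server decided on (constructed samples).
        Map<String, String> issued = new TreeMap<>();
        issued.put("studentIdhid", "S1001");
        issued.put("feeIdhid", "F42");
        issued.put("toPayAmthid", "5000");
        String sig = sign(issued);  // emitted as one more hidden field, e.g. "sighid"
        // In saveFeeDetails: rebuild the map from the @FormParam values and verify before trusting them.
        System.out.println("unmodified request verifies: " + verify(issued, sig));
        Map<String, String> tampered = new TreeMap<>(issued);
        tampered.put("toPayAmthid", "1");  // the edited value a modified request would carry
        System.out.println("tampered request verifies:   " + verify(tampered, sig));
    }
}
```

Signing the student and fee identifiers together with the amount stops one student's signed amount being reused for another fee; to stop an old signed form being replayed, add a per-session nonce or an expiry to the signed fields. The simpler fix, where the data model allows it, is to not accept the amount from the browser at all and look it up server-side from `feeIdhid`.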
