  • Prevent access via entering url in address bar of browser

    I only want to allow requests that originate from an application event. For example, clicking on a link in the application or submitting a form for processing.
    I don't want to allow the user to just enter a url in the browser address bar after they have been authenticated.

    For example, a user accesses a search page which returns a list of orders which they are authorized to view. Each order is accessed by clicking on a link which brings up the order detail. The link contains the order ID which uniquely identifies the order. A malicious user could simply start entering order detail URLs with different order IDs. In this case, I would have to add authorization code prior to returning an order to ensure the user was authorized to view that order.

    I know ACEGI offers ACL (access control list) authorization, and I know there are other ways to authorize access, but I want to try and reduce the number of authorization points I have to manage.

    I know one solution would be placing a dynamic token in the url and verifying it against a token in the session. If they match, then allow access, else deny access. Struts had something like this built in to their <html:link .../> tags and the <html:form .../> tags.

    The bottom line is that all events should originate from the application, otherwise they should be considered malicious.

    Any ideas, references, or experiences would be appreciated.

    Thanks.

  • #2
    I am a newbie to Spring, but I'd suggest to put your JSP or view stuff under WEB-INF making it non-public. I can be wrong :-)



    • #3
      To make it a *little* bit more difficult, make all your controllers only accept posts instead of gets. Anything entered into the URL in a browser is sent as a post....

      To be honest, I think it would be better for you to deal with the security issue instead of ignoring it. This all seems very fragile and a bit nasty.



      • #4
        > Anything entered into the URL in a browser is sent as a post.

        He means sent as a GET :-)

        You could try and use the transactional token approach, but that's really designed to solve a slightly different problem - preventing re-submissions of form data - and it might have some unexpected side effects (for instance, if your app. has any cacheable GET requests you'll get stale tokens from proxies, if your user has 2 browser windows open they'll both refer to the same session and overwrite each other's tokens, etc).

        I think yatesco is right; you need to deal with the security requirement. If you've already got code somewhere that checks whether a user has access to a given order, it shouldn't be too hard to stick it in a filter in front of the 'edit order-detail' pages (assuming order-details know their orders in your domain model) and return an HTTP 403 if they haven't got access.
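The filter-style check described above, written as an added example for this thread (not code from any poster or from Spring itself) as a Spring MVC interceptor: the `OrderOwnerLookup` interface, the `orderId` parameter name and the `setOrders` property are assumptions; the principal comes from container-managed security, as the OP already uses.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Hypothetical Spring MVC interceptor, mapped to the order-detail handler,
 * that enforces object-level authorization: the authenticated principal
 * must own the order named by the "orderId" parameter, otherwise the
 * request is answered with 403 before any controller code runs.
 */
public class OrderAccessInterceptor extends HandlerInterceptorAdapter {

    /** Assumed lookup into the application's own order store. */
    public interface OrderOwnerLookup {
        /** Returns the owning user name, or null when no such order exists. */
        String ownerOf(String orderId);
    }

    private OrderOwnerLookup orders;

    /** Bean property so the lookup is injected from the Spring context. */
    public void setOrders(OrderOwnerLookup orders) { this.orders = orders; }

    /**
     * The decision itself, free of servlet types so it can be unit-tested.
     * An unknown order and another user's order both yield "no": the
     * response must not tell a guessing user which IDs exist.
     */
    static boolean mayView(String principal, String orderId, OrderOwnerLookup orders) {
        if (principal == null || orderId == null) return false;
        String owner = orders.ownerOf(orderId);
        return owner != null && owner.equals(principal);
    }

    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // Principal is set by container-managed security; null means not logged in
        String principal = request.getUserPrincipal() == null
                ? null : request.getUserPrincipal().getName();
        if (!mayView(principal, request.getParameter("orderId"), orders)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;   // handler skipped; a typed-in URL gets the same 403 as any other
        }
        return true;
    }
}
```

Because the check keys on the order's owner rather than on how the request was produced, it holds equally for links, forms, typed-in URLs and scripted clients.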



        • #5
          Referrer

          You can also check the referrer HTTP header, and check if the page hit came from the application or not. Very few users disable this header field in their browser.



          • #6
            This is probably a bizarre idea but you could one-time encrypt the query parameter of the link with values that will always be different even for the same item of data - a sort of SSL at the parameter level. It would be improbable that a user can change the parameter values and expect them to work.

            You have the problem of an encryption and decryption algorithm tho' ...

            I'd be interested in what approach you decide to use.



            • #7
              Yes, I did mean GET



              • #8
                The way I do it:-

                1) I have a filter that sits in front of the app that calls into a permissions model that can be configured via XML for page level restrictions (as well as finer grained control if required)
                2) JSPs are all inside WEB-INF so they cannot be viewed outside the control of Spring.

                Bob



                • #9
                  Originally posted by ybardavid
                  > You can also check the referrer HTTP header, and check if the page hit came from the application or not. Very few users disable this header field in their browser.

                  That's fairly useless IMO, since the OP is talking about malicious users. The first thing a malicious user would do is turn off the referrer header (as well as JavaScript though that's a different discussion).

                  Bob



                  • #10
                    Originally posted by jvictor
                    > I am a newbie to Spring, but I'd suggest to put your JSP or view stuff under WEB-INF making it non-public. I can be wrong :-)

                    I already secure my content using Container Managed Security.
                    I'm trying to solve a different problem.

                    Please re-read my post. Thank you for your suggestion though.



                    • #11
                      Originally posted by yatesco
                      > To make it a *little* bit more difficult, make all your controllers only accept posts instead of gets. Anything entered into the URL in a browser is sent as a post....
                      >
                      > To be honest, I think it would be better for you to deal with the security issue instead of ignoring it. This all seems very fragile and a bit nasty.

                      Thanks. But this solution is not acceptable in my circumstance.
                      It could also be spoofed. For example, Canoo WebTests can send a POST request to any URL once authenticated.



                      • #12
                        Re: Prevent access via entering url in address bar of browser

                        Thanks to all who replied. I'm going to do some more research. Unfortunately (and as suggested), I'll have to deal with the authorization issues per request use case. I was really hoping to have a blanket solution that would prevent a user from fishing around an application after they were authenticated.

                        Thanks again.



                        • #13
                          Use interceptors

                          Some of the suggested solutions can be implemented once for the entire application by using an interceptor.



                          • #14
                            secure data

                            I am pretty sure I understand your question, but I don't quite understand your example.

                            I think you are saying that someone could enter order IDs and pull up other people's orders. I know that some programmers simply use a big, hard-to-guess random number (like an MD5 hash) to identify particular orders, instead of using a numerical index. However, the issue you describe makes me believe that the data is not secure to begin with, so I doubt an "authorized URL" will have the desired effect.

                            My suggestion is to consider who creates the data, who owns the data, who can modify the data and who can utilize the data. Make sure that only the rules can be followed. In my opinion, it is better to keep things such as customer orders, etc. (that are accessible by your web site's customers) -> static and not dynamic. And only an authorized user could actually access the data.

                            I.e., your web server is *not* an authorized user.

                            It is a seriously insanely bad idea to keep a full customer database on the same server as "the web site" anyhow.

                            I know you didn't elaborate on all this stuff, it just came to my mind and I thought I would comment on it.

                            Take care

                            Waitman
                            Last edited by waitman; Nov 15th, 2005, 01:49 AM.



                            • #15
                              I don't know if I fully understood your problem. You could use some kind of "token". Your navigation starts with "1" and increases it sequentially with every controller method.

                              You should carry the token in a hidden field, and compare the token with the expected token in the session. I mean:

                              Page 1. Your user logs in. Set the token to 1 in the session and to 1 in the hidden field.
                              Page 2, 3, 4... Increase the token in the session and compare it to the token in the hidden field. If equal, continue, else raise an exception.

                              If the user enters a URL, the token will not be the same as the session's, and you'll be able to detect this.

                              In Spring, this could be quite easily implemented in an interceptor. I recall Struts having something like this. OTOH, you should carry along the token hidden field on all your pages, links and forms...

                              Regards,
                              Esteve
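The sequential-token procedure above (pages 1, 2, 3, ... each checking and then advancing a session counter) as an added example, not code from Esteve or from Spring: the session attribute and hidden-field names `navToken`, and the assumption that the login handler sets the counter to 1 and is not itself intercepted, are mine. The comments also record the caveat raised in #4 that two windows sharing one session overwrite each other's token.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Hypothetical interceptor for the navigation token: the session holds the
 * expected counter, every rendered page carries it in a hidden field, and a
 * request whose field does not match the counter is rejected with 403.
 * The login handler (not intercepted) is assumed to store Integer 1 first.
 */
public class NavigationTokenInterceptor extends HandlerInterceptorAdapter {
    static final String TOKEN = "navToken";   // assumed session attribute and field name

    /** Decision logic kept free of servlet plumbing so it can be unit-tested. */
    static boolean tokenMatches(Integer expected, String submitted) {
        if (expected == null || submitted == null) return false;  // no token yet, or field absent
        try {
            return expected.intValue() == Integer.parseInt(submitted);
        } catch (NumberFormatException e) {
            return false;   // tampered or non-numeric field
        }
    }

    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        HttpSession session = request.getSession(false);
        Integer expected = session == null ? null : (Integer) session.getAttribute(TOKEN);
        if (!tokenMatches(expected, request.getParameter(TOKEN))) {
            // A typed-in URL has no field; a stale page (back button, second
            // window on the same session) has an old value: both land here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        // Advance before the handler runs so the next page carries the new value
        session.setAttribute(TOKEN, new Integer(expected.intValue() + 1));
        return true;
    }

    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView mav) throws Exception {
        // Expose the new counter to the view, which must emit it as a hidden
        // field in every form and as a parameter on every generated link
        if (mav != null) mav.addObject(TOKEN, request.getSession().getAttribute(TOKEN));
    }
}
```

Note what this does and does not give you: it detects requests that did not come from the last page served, but it says nothing about whether the user may see the order that page linked to, so it complements rather than replaces a per-order authorization check.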
