
  • HTML tampering defense in SpringMVC

    There were already posts about this issue in the forum, but it didn't get much attention from the Spring committers. I apologize for reposting this, but I think it is really important and it seems an easy thing to implement.

    Spring already has a mechanism for detecting HTML tampering attacks. Namely, the DataBinder class has an allowedFields property. If a field that is not allowed arrives via an HTTP request, DataBinder detects it and creates a warn-level log entry.

    I think there should be an option to remember the detected disallowed fields so that you can implement some logic (like session invalidation and/or logout) in the controller when disallowed fields are submitted. This also requires exposing the binder instance to the controller. I managed to implement this by introducing minor changes in DataBinder and BaseCommandController (I believe the changes are backward compatible). There is also a JIRA entry about this.

    Last edited by robyn; May 16th, 2006, 03:26 AM.
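The following is an added example, not code from the thread or from the patched classes attached to the Jira issue. It shows the defensive pattern the post asks for using Spring's DataBinder as it exists in current Spring releases: setAllowedFields() whitelists the bindable properties, and any request parameter outside that whitelist is dropped and recorded as a "suppressed field" on the BindingResult (BindingResult.getSuppressedFields()), which the caller can treat as a tampering signal. The AccountForm bean, the parameter map and the bindWithWhitelist helper are constructed for this example; the sample request deliberately carries an "admin" parameter that the rendered form would never contain.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

public class TamperingCheckDemo {

    /** Constructed form-backing bean. 'admin' must never be settable from a request. */
    public static class AccountForm {
        private String username;
        private String email;
        private boolean admin;

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    /**
     * Binds request parameters onto the target under a whitelist and returns the
     * names of the parameters that were rejected. Anything outside the whitelist
     * is never written to the bean; DataBinder records it as a suppressed field.
     */
    public static String[] bindWithWhitelist(AccountForm target, Map<String, Object> params) {
        DataBinder binder = new DataBinder(target, "accountForm");
        // Only the fields that the HTML form actually renders are bindable.
        binder.setAllowedFields("username", "email");
        binder.bind(new MutablePropertyValues(params));
        BindingResult result = binder.getBindingResult();
        return result.getSuppressedFields();
    }

    public static void main(String[] args) {
        // Constructed request: a tampered copy of the form with an extra 'admin' parameter.
        Map<String, Object> params = new HashMap<>();
        params.put("username", "alice");
        params.put("email", "alice@example.com");
        params.put("admin", "true");

        AccountForm form = new AccountForm();
        String[] suppressed = bindWithWhitelist(form, params);

        if (suppressed.length > 0) {
            // This is the hook the post proposes: a disallowed field is a tampering
            // signal, so the controller can log it, invalidate the session, and
            // return an error view instead of silently continuing.
            System.out.println("Tampering detected, rejected fields: " + String.join(",", suppressed));
        }
        // The whitelist held: the privileged field was never written.
        System.out.println("admin flag after binding: " + form.isAdmin());
    }
}
```

Run with spring-context (and its spring-beans/spring-core dependencies) on the classpath. In a Spring MVC controller the same whitelist is usually applied in an @InitBinder method on a WebDataBinder, and the controller checks getSuppressedFields() on the BindingResult argument of the handler method; the DataBinder call above is the same mechanism without the servlet container.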

  • #2
    I've attached the two affected Java classes to the related Jira issue:

    I hope it will be included in the forthcoming Spring 1.2.5.

    Last edited by robyn; May 14th, 2006, 07:56 PM.