Could what I am doing in my web application be easy to hack or break?

I present to the user several exams. Users do not have to go to the actual site before taking this exam. However, there will be some users who will have the option to bypass the exam until some date (for example, a month from today's date). Thus, these users have a one-month window to take the exam. Until then, they can click "Continue" on the exam page to simply visit the site.

My logic: When regular users click the Submit button on the exam form page, I execute all my logic and write the information to the DB. When these "special" users click the Next button, I will simply bind "true" to the didPassExam() method if they are still within this one-month window.

My question is about checking which button the user clicked. I am doing the following (Struts 2 code).

// Struts 2 populates this field from the request parameter named "submit",
// i.e. the value of whichever button the client sent
private String submit;

public void setSubmit(String submit) {
    this.submit = submit;
}

And in the JSP:

<s:submit name="submit" value="Submit" />

<s:submit name="submit" value="Proceed" />

So basically, when the user clicks a button, my action class will know which button was clicked. But could some hacker intentionally change the Submit button to Continue and then bypass the exam, even as a regular user?

Does anyone do it in a different and safer way?

0
java struts2 weblogic




4 answers


Yes, any user can go through a special "Continue" and get access.



Since you can (and do) tell the difference between user types already, you should test their button on the server based on that. Client side checks can always be bypassed.

+8




In general, you shouldn't trust input from a client. You must check on the server side that a specific user is eligible to skip the exam. Presumably, you know who the user is from the login process, and you know the correct logic to determine if they might miss an exam. Therefore, there is no reason to trust what the client is telling you.



+7




Yes, it's easy to hack. Whenever you need to secure something, do server-side validation. That is, check the user type (something like a "Role" in the usual terminology) on the server side.

Always assume that any client code can and will be replaced by an attacker.

+3




You will need to capture the pressed button and then confirm it against the user. Assuming your User is held in a class variable named user and has a public isSpecialUser() method that returns Boolean:

public void setSubmit(String submit) {
    // Compare with equals(): == on Strings tests object identity, not content,
    // so the original check would never match a value bound from the request
    if (user.isSpecialUser() && "Proceed".equals(submit)) {
        // Only special users can set this to Proceed
        this.submit = submit;
    } else {
        // Fall back to the remaining valid option (to prevent evilness)
        this.submit = "Submit";
    }
}

+1
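The answers above all make the same point: the button value is a client-supplied hint, and the bypass must be decided from what the server knows about the authenticated user. The following is an added example, not code from the question or from any of the answers, showing that pattern as a plain Java class modelled on the questioner's Struts 2 action (no Struts dependency, so it compiles stand-alone). The User class, the bypassUntil date, the Outcome enum and the sample users and dates are all constructed for illustration.

```java
import java.time.LocalDate;
import java.util.Objects;

// Added example (hypothetical names throughout). The "submit" parameter bound
// from the form is only read to see what the client asked for; whether the exam
// may be skipped is decided from the server-side user record and a fixed date.
public class ExamAction {

    // Hypothetical view of the logged-in user, as the session would hold it.
    public static final class User {
        final String name;
        final LocalDate bypassUntil; // null = no bypass privilege at all

        public User(String name, LocalDate bypassUntil) {
            this.name = name;
            this.bypassUntil = bypassUntil;
        }

        // Server-side eligibility: the window is fixed when the privilege is
        // granted, so nothing in the request can extend or create it.
        boolean mayBypassExam(LocalDate today) {
            return bypassUntil != null && !today.isAfter(bypassUntil);
        }
    }

    private final User user;        // taken from the session, never from the form
    private final LocalDate today;  // injected so the window check is testable
    private String submit;          // what Struts would bind from the "submit" parameter

    public ExamAction(User user, LocalDate today) {
        this.user = Objects.requireNonNull(user);
        this.today = Objects.requireNonNull(today);
    }

    public void setSubmit(String submit) {
        this.submit = submit;
    }

    // Outcome the action arrives at; in Struts this would be the result name.
    public enum Outcome { EXAM_PASSED, EXAM_FAILED, EXAM_BYPASSED, REJECTED }

    public Outcome execute(boolean examAnswersPassed) {
        // Use equals(), never ==, and tolerate a missing or unexpected parameter.
        boolean askedToProceed = "Proceed".equals(submit);
        if (askedToProceed) {
            // The button value alone proves nothing. A regular user who edits the
            // form to send "Proceed" is rejected; the DB is not touched.
            return user.mayBypassExam(today) ? Outcome.EXAM_BYPASSED : Outcome.REJECTED;
        }
        // Normal path: grade the answers and record the result (DB write elided).
        return examAnswersPassed ? Outcome.EXAM_PASSED : Outcome.EXAM_FAILED;
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2024, 3, 1);               // constructed date
        User regular = new User("alice", null);                     // constructed user
        User special = new User("bob", today.plusMonths(1));        // constructed user

        ExamAction forged = new ExamAction(regular, today);
        forged.setSubmit("Proceed");   // tampered request from a regular user
        System.out.println("regular user sending Proceed   -> " + forged.execute(false));

        ExamAction allowed = new ExamAction(special, today);
        allowed.setSubmit("Proceed");  // special user inside the window
        System.out.println("special user inside window     -> " + allowed.execute(false));

        ExamAction expired = new ExamAction(special, today.plusMonths(2));
        expired.setSubmit("Proceed");  // same user, window already closed
        System.out.println("special user after the window  -> " + expired.execute(false));

        ExamAction graded = new ExamAction(regular, today);
        graded.setSubmit("Submit");    // ordinary submission is graded as usual
        System.out.println("regular user submitting answers -> " + graded.execute(true));
    }
}
```

Note that the user object and the current date are constructor arguments here only so the decision is easy to exercise; in the real action they would come from the session and the clock. The important property is that no code path reaches the bypass result without passing through mayBypassExam(), which reads nothing the client controls.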








