Vaadin Security - is it possible to forge a request?
In a Vaadin application I have the user login and then they are directed to a View which presents some data fetched from the database based on a unique id of the user. They can continue to other views to get more details, etc.
After authentication, and that means that they have access to the API, is it possible to alter the request somehow like with Burp suite to send a different id to the View in order to make the API malfunction and return another user's details?
How does Vaadin protect against it? Is the communication from the client to the server, or from view to view happening with POST requests?
Comments (1)
With some tests I ran when entering something into a text field, I could see the value being sent to the server through the Firefox web tools.
However, when using other server-side controls, like a date picker, I could not see a value being transferred.
So I guess that server-side controls are immune to forgery.
The documentation says that "Unlike client-driven frameworks, a Flow application never exposes its internals to the browser, where vulnerabilities could be abused by an attacker."
So it seems secure, but about how it is done I have no clue.
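Whatever the framework does to hide its internals, the question's concern (a different id reaching the view) is ultimately settled by the server-side code that loads the data. The following is an added example, not code from the post above or from the Vaadin project, showing the usual defensive pattern in a Vaadin Flow view: the identity is taken from the server-side security context, never from the request, and the ownership condition is part of the lookup itself. The `Order` record, the `OrderRepository` class with its constructed in-memory data, and the `login` route are assumptions for illustration; the Vaadin classes (`Route`, `HasUrlParameter`, `BeforeEvent`, `VaadinServletRequest`, `NotFoundException`) are real Flow API, and the snippet assumes Java 16+ for the record syntax.

```java
import com.vaadin.flow.component.html.Paragraph;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.BeforeEvent;
import com.vaadin.flow.router.HasUrlParameter;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinServletRequest;

import java.security.Principal;
import java.util.Map;
import java.util.Optional;

// Hypothetical domain record: an order that belongs to exactly one user.
record Order(long id, String ownerUsername, String summary) {}

// Hypothetical repository standing in for the database; the rows are constructed sample data.
final class OrderRepository {
    private static final Map<Long, Order> ORDERS = Map.of(
            1L, new Order(1L, "alice", "3 x widget"),
            2L, new Order(2L, "bob", "1 x gadget"));

    // Returns the order only if it is owned by the given user.
    // Against a real database this is a "WHERE id = ? AND owner = ?" query:
    // the ownership condition lives in the lookup, not in UI code that runs afterwards.
    Optional<Order> findByIdAndOwner(long id, String owner) {
        return Optional.ofNullable(ORDERS.get(id))
                .filter(o -> o.ownerUsername().equals(owner));
    }
}

// Reachable as /orders/<id>; the id is the only thing the browser contributes.
@Route("orders")
public class OrderDetailsView extends VerticalLayout implements HasUrlParameter<Long> {

    private final OrderRepository orders = new OrderRepository();

    @Override
    public void setParameter(BeforeEvent event, Long orderId) {
        removeAll();

        // The user identity comes from the servlet container's security context on the
        // server; nothing the client sends in this request can change it.
        Principal principal = VaadinServletRequest.getCurrent().getUserPrincipal();
        if (principal == null) {
            event.rerouteTo("login"); // assumed login route
            return;
        }

        // Load by (id, owner) together, so an id belonging to someone else simply finds nothing.
        Optional<Order> order = orders.findByIdAndOwner(orderId, principal.getName());
        if (order.isEmpty()) {
            // Same outcome for "does not exist" and "not yours", so the response
            // does not reveal whether another user's order id is valid.
            event.rerouteToError(NotFoundException.class);
            return;
        }

        add(new Paragraph("Order " + order.get().id() + ": " + order.get().summary()));
    }
}
```

The point of the pattern is that it holds regardless of how the client-server channel is implemented: even if a different id were to reach `setParameter`, the repository only returns rows owned by the principal the server already knows, so the worst a tampered id can produce is the same not-found page a mistyped URL would.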