2010-12-06

Protecting Dynamic Web Pages from misuse

Sometimes you will want to protect your Dynamic Web Pages from misuse (non-normal access) that is unrelated to access permissions. You do it to avoid HTTP traffic and database load for requests that do not come from normal use of the web site or web application.

I will use the example of PL/SQL pages using the Oracle Web Toolkit and the mod_plsql gateway. Other gateways or programming languages expose similar "web session" (CGI environment) variables.



If a page can only be reached through a POST form (for instance "password" forms or forms with document upload) you should check it! (A naive use of "bookmark page" could be the origin of calls using GET, as could a simple script.)
if owa_util.get_cgi_env('REQUEST_METHOD') = 'POST' then
  (...)  -- normal processing of the submitted form
else
  -- reject the request; see the advice below on which error page to show
  owa_util.status_line(403, 'Forbidden');
end if;


You can even check that the referer (the page from which the form was submitted) is from the expected site or is a specific page (the one(s) where you put the form):
owa_util.get_cgi_env('HTTP_REFERER')

If a page is only to be accessed by AJAX, check that
OWA_UTIL.get_cgi_env('X-Requested-With') is not null
In mod_plsql this needs the DAD configuration to have PlsqlCGIEnvironmentList X-Requested-With

These methods only stop some quick hacking techniques and some naive misuse; an attacker who knows about these checks can bypass that "security".

Advice: show an error message exactly like the one you show when the user does not have access credentials or the password entered was wrong (in the case of password forms), so the attacker is left in doubt about the origin of the error.
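The three checks and the advice above put together in one procedure, as an added example that is not code from the original post. The procedure name login_submit, the site host www.example.com and the helper check_credentials are assumptions; only owa_util, htp and htf are the real Oracle Web Toolkit packages.

```plsql
-- Added example (not from the original post). LOGIN_SUBMIT, www.example.com
-- and CHECK_CREDENTIALS are hypothetical names chosen for the illustration.
create or replace procedure login_submit (
  p_user in varchar2 default null,
  p_pass in varchar2 default null
) as
  l_method  varchar2(10)   := owa_util.get_cgi_env('REQUEST_METHOD');
  l_referer varchar2(4000) := owa_util.get_cgi_env('HTTP_REFERER');
  -- needs "PlsqlCGIEnvironmentList X-Requested-With" in the DAD for mod_plsql
  l_ajax    varchar2(100)  := owa_util.get_cgi_env('X-Requested-With');
  l_ok      boolean := true;

  -- The very same page as for a wrong password, so the caller cannot tell
  -- "rejected by the request checks" apart from "bad credentials".
  procedure show_login_error is
  begin
    htp.htmlOpen; htp.bodyOpen;
    htp.p('Invalid user name or password.');
    htp.bodyClose; htp.htmlClose;
  end show_login_error;
begin
  -- 1. the form is only ever submitted with POST
  if l_method is null or l_method <> 'POST' then
    l_ok := false;
  end if;

  -- 2. the submit must come from a page of this site. The Referer header is
  --    optional and easily forged, so this only filters bookmarks, pasted
  --    URLs and naive scripts, as the post says.
  if l_ok and (l_referer is null
      or not regexp_like(l_referer, '^https?://www\.example\.com/', 'i')) then
    l_ok := false;
  end if;

  -- 3. this endpoint is only called from JavaScript (XMLHttpRequest)
  if l_ok and l_ajax is null then
    l_ok := false;
  end if;

  if not l_ok then
    show_login_error;   -- cheap rejection: no database work done yet
    return;
  end if;

  -- 4. only now do the real (database) work: verify the credentials
  if not check_credentials(p_user, p_pass) then   -- hypothetical helper
    show_login_error;   -- identical page, so the failure cause is not leaked
    return;
  end if;
  htp.p('Welcome ' || htf.escape_sc(p_user));
end login_submit;
```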

Portuguese version of the post
