security - Application integrity & URL tampering
People on my site can ask questions, and replies can be posted. The question is this: to answer a question at, for example, /question/title, the form is submitted to /question/post_answer/7, where 7 is the question ID.

Validation of the answer happens there. If it fails, you are sent back to the original URL. So the post_answer path is not actually 'seen' by users, but they can easily use it.

Now I am thinking that if a user changes the ID of the question to 8, he can answer another question.

Since all the user could actually achieve is answering another question, this is not a security issue. But I am thinking: in this scenario, how do you handle this kind of URL tampering? Store the question ID in the session and, if it has changed, show an error?

Thoughts?
The session is one way; another is to use a message authentication code (MAC). Normally you store the code in a cookie or in a part of the URL (i.e. a GET parameter).
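Both approaches from the question and the answer, as an added example that is not part of the original post: a session check that remembers which question the user opened, and an HMAC tag carried as a GET parameter on the post_answer URL so the server can detect a changed ID. The route shape /question/post_answer/7 is the one described in the question; the parameter name `sig`, the secret key and the function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed secret for the example; a real application loads it from
# configuration and never embeds it in source.
SECRET_KEY = b"constructed-server-side-secret-key"


# --- Approach 1: remember the question ID in the session ------------------

def remember_question(session: dict, question_id: int) -> None:
    """Called when the question page is rendered: record which question
    the user is about to answer."""
    session["answering_question_id"] = question_id


def question_matches_session(session: dict, submitted_id: int) -> bool:
    """Called when the answer form is submitted: the ID in the URL must be
    the one recorded when the form was served, otherwise show an error."""
    return session.get("answering_question_id") == submitted_id


# --- Approach 2: MAC the question ID into the URL -------------------------

def _tag(question_id: int) -> str:
    # Bind the tag to this specific action so a tag minted for one
    # endpoint cannot be reused on another.
    message = f"post_answer:{question_id}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def make_post_answer_url(question_id: int) -> str:
    """Server-side: build the form action with an HMAC tag as a GET parameter."""
    return f"/question/post_answer/{question_id}?sig={_tag(question_id)}"


def parse_post_answer_url(url: str):
    """Server-side: return the question ID if the URL is well-formed and its
    tag verifies, or None if the ID (or the tag) was tampered with."""
    parts = urlparse(url)
    segments = parts.path.rstrip("/").split("/")
    # Expected layout: ['', 'question', 'post_answer', '<id>']
    if (len(segments) != 4 or segments[1] != "question"
            or segments[2] != "post_answer" or not segments[3].isdigit()):
        return None
    question_id = int(segments[3])
    presented = parse_qs(parts.query).get("sig", [""])[0]
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(presented, _tag(question_id)):
        return None
    return question_id


if __name__ == "__main__":
    session = {}
    remember_question(session, 7)
    print(question_matches_session(session, 7))   # True: same question
    print(question_matches_session(session, 8))   # False: ID was changed

    url = make_post_answer_url(7)
    print(parse_post_answer_url(url))             # 7: tag verifies
    print(parse_post_answer_url(url.replace("/7?", "/8?")))  # None: tampered
```

The session variant breaks if the user has two question pages open at once, since the second render overwrites the first ID; the MAC variant has no such state, but a user can still obtain a valid tagged URL for question 8 simply by opening question 8, so the tag detects tampering with a URL the server issued rather than deciding who may answer what. Whatever the request path says, the server should still check that the question exists and that the user is allowed to post to it.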