Of late I have been diving deep into web application security. While browsing I found the WebScarab tool from OWASP, which can inject possible attacks into your web application and make your application vulnerable.
I am using that tool to intercept any request which goes through my web application, based on the JSF 1.2 framework. While using it I observed that whatever values are entered in form fields are shown as-is in the HttpRequest in this tool. You can modify these values and it will automatically create a new request header, and strikingly the modified values will be inserted into the DB.
Isn't it a potential attack? I mean anyone can intercept any HttpRequest and modify the parameter with the help of a tool and inject some malicious content.
My questions are:
- Is it possible for everyone to intercept HttpRequest generating from any webpage, say stackoverflow.com?
- If yes, how can you avoid these modifications by an unknown user who can modify the parameter and remake the encoded URL?
- If no, please explain why. I am absolutely numb.
WebScarab is a proxy.
But this requires the client (e.g. your web browser) to actually use the proxy.
So only the communication of clients that use the WebScarab proxy can be intercepted.
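The answer above covers the first question: only traffic from a client that routes through the proxy is visible to it. For the second question, the practical consequence is that nothing the browser enforced (HTML `maxlength`, `type="number"`, a hidden price field, a dropdown of allowed values) can be trusted once the request is on the wire, so the server has to re-validate every parameter itself. The following is an added example, not code from the question or the answer, written in Python rather than JSF so it runs stand-alone; the parameter names, the catalogue, the allow-list of parameters and the validation rules are all constructed assumptions. It shows a handler that treats the raw parameter map the way a servlet container would hand it over, checks type, range and allow-list on the server, derives the price from server-side data instead of the request, and rejects a request that carries parameters the form never had.

```python
import re
from decimal import Decimal

# Constructed server-side catalogue: the price comes from here, never from the request.
CATALOGUE = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("49.00"),
}

# Assumed username policy: 3-20 characters from a small allow-list.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

# Assumed set of parameters the order form is allowed to submit.
ALLOWED_PARAMS = {"username", "sku", "quantity"}


class ValidationError(ValueError):
    """Raised when a request parameter fails server-side validation."""


def validate_order(params):
    """Re-validate raw request parameters on the server.

    `params` is a dict of str -> str, the shape a servlet container hands over.
    Nothing the browser's HTML form enforced is assumed to hold, because a
    proxy such as WebScarab can rewrite any of it after the form was submitted.
    Returns a dict of typed, checked values or raises ValidationError.
    """
    # A parameter the form never had (e.g. an injected "price") is rejected outright.
    extra = set(params) - ALLOWED_PARAMS
    if extra:
        raise ValidationError(f"unexpected parameter(s): {sorted(extra)}")

    username = params.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-20 characters of [A-Za-z0-9_]")

    # A <select> in the browser does not limit what arrives here; check against server data.
    sku = params.get("sku", "")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")

    # <input type="number" min="1" max="10"> means nothing on the server: re-check type and range.
    try:
        quantity = int(params.get("quantity", ""))
    except ValueError:
        raise ValidationError("quantity must be an integer") from None
    if not 1 <= quantity <= 10:
        raise ValidationError("quantity out of range (1-10)")

    return {
        "username": username,
        "sku": sku,
        "quantity": quantity,
        # Derived from server-side data; a client-supplied total is never consulted.
        "total": CATALOGUE[sku] * quantity,
    }


def handle_request(params):
    """Return (status, payload) the way a request handler would, so callers can check the outcome."""
    try:
        return 200, validate_order(params)
    except ValidationError as exc:
        return 400, {"error": str(exc)}


if __name__ == "__main__":
    # Constructed samples: what the form sent, and the same request after editing it in a proxy.
    as_submitted = {"username": "alice", "sku": "SKU-100", "quantity": "2"}
    tampered_range = {"username": "alice", "sku": "SKU-100", "quantity": "-5"}
    tampered_extra = {"username": "alice", "sku": "SKU-100", "quantity": "2", "price": "0.01"}
    for req in (as_submitted, tampered_range, tampered_extra):
        print(handle_request(req))
```

In JSF 1.2 the same principle is what the framework's validator tags (for example `f:validateLongRange` and `required="true"`) give you: they run on the server during the Process Validations phase, so they still apply to a request that was rewritten in a proxy. Anything that needs data the form cannot carry safely (a price, an account id, an authorization decision) should likewise be looked up on the server rather than read back from the request.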