
Can client side code access or set http request attributes?

I'm reasonably confident I know the answer to this, but am struggling to find any concrete information out there. I'm aware that the client submits requests to an http server optionally supplying request parameters. The server has the additional capability to store information in request attributes via Objects. My question is, does the client have any access to the attributes in an http request object? We have a lot of poorly written code which looks something like this:

if (request.getAttribute("name") != null)
    name = (String) request.getAttribute("name");
else if (request.getParameter("name") != null)
    name = request.getParameter("name");

I'm guessing this is because the original developer didn't fully understand how client side http requests submitted data to the server. In any case, I'm currently working on implementing additional validation and encoding of request data to prevent XSS vulnerabilities and wondered if it was possible for the client to corrupt/hack/take advantage of request attributes (assuming they aren't ever populated with data sourced from the client)?

Chris Knight asked May 26 '26 12:05


1 Answer

No. The attributes are something the servlet spec adds, and can be used to communicate between different entities operating on the request. They don't travel over the wire, so they don't exist client side.

The client can set the body, the parameters (i.e. the url) and the headers, and that's pretty much it.

See:

  • http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5
  • How the attribute field of a HttpServletRequest maps to a raw HTTP request?
Joeri Hendrickx answered Jun 01 '26 23:06
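
An added example, not code from the question or the answer: the question's lookup order with the parameter branch treated as client-controlled input and output encoded regardless of source. It assumes the `javax.servlet` API is on the classpath; `NameLookup`, `SAFE_NAME`, `escapeHtml` and the proxy-based `fake` request are hypothetical names, and the inputs in `main` are constructed.

```java
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

public class NameLookup {
    // Hypothetical allow-list for the "name" field; adjust to the application's rules.
    private static final Pattern SAFE_NAME = Pattern.compile("[\\p{L}\\p{N} .'-]{1,64}");

    /** Same lookup order as the snippet in the question, with the parameter branch validated. */
    static String resolveName(HttpServletRequest request) {
        // Attributes live only in the server-side request object. They are trustworthy
        // only as long as no server code copies unvalidated client data into them.
        Object attr = request.getAttribute("name");
        if (attr instanceof String) {
            return (String) attr;
        }
        String param = request.getParameter("name"); // query string or form body: client-controlled
        if (param != null && SAFE_NAME.matcher(param).matches()) {
            return param;
        }
        return null; // absent or rejected
    }

    /** Minimal HTML encoding, applied on output whatever the source of the value. */
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Constructed stand-in for a container request: answers only the two calls used above.
    static HttpServletRequest fake(Map<String, Object> attrs, Map<String, String> params) {
        return (HttpServletRequest) Proxy.newProxyInstance(
            NameLookup.class.getClassLoader(), new Class<?>[] {HttpServletRequest.class},
            (proxy, method, args) -> method.getName().equals("getAttribute") ? attrs.get(args[0])
                : method.getName().equals("getParameter") ? params.get(args[0]) : null);
    }

    public static void main(String[] args) {
        // Constructed inputs: a client can fill the params map, never the attrs map.
        System.out.println(resolveName(fake(Map.of(), Map.of("name", "<script>alert(1)</script>"))));
        System.out.println(resolveName(fake(Map.of(), Map.of("name", "O'Brien"))));
        System.out.println(escapeHtml(resolveName(fake(Map.of("name", "A & B"), Map.of("name", "x")))));
    }
}
```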