Manage

Web application variable manipulation

Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation.

Michael Cobb

What happens if a Web application uses client-side SSL certificates in addition to server-side certificates? Is Web application variable manipulation still possible?

Unfortunately, Web application variables can still be manipulated even when both client and server are using digital certificates to authenticate themselves and establish an SSL connection. In order to manipulate Web application variables an attacker uses an HTTP proxy tool. By adjusting the client's browser's proxy settings to pass through the HTTP proxy, all HTTP and HTTPS requests and responses can be channelled through the proxy before being forwarded to the server. This gives the attacker a window to view and alter all information passed in the browsing session, including any variables passed by the application in cookies, hidden form elements and URLs. The main threat from these proxy tools is they enable attackers to view and edit the information sent from the client to the server.

Not all "man-in-the-middle" proxy tools can handle SSL sessions when the client and the server use certificates, because they can't store the client certificate for handshaking or logon. However, if they import the required client certificate prior to handshaking or logon, the Paros Proxy can intercept and modify HTTPS data, even when applications require a client certificate. Although the client and the server may be trusted, the attacker can modify any part of the request and response before forwarding it.

Paros is a very powerful program and can be used to evaluate the security of Web applications. It is free of charge and completely written in Java. It has several tools including a record feature, which keeps a history of all HTTP requests and responses. This feature allows the developer or attacker to review all of the actions, pages and variables. It also includes automated vulnerability scanning and detection capabilities for some common Web application attacks, including SQL injection and cross-site scripting. Paros also scans for unsafe Web content, such as unsigned ActiveX controls and browser exploits sent by the target Web server. For more information about Paros visit the Web site at http://www.parosproxy.org.

More Information

Visit our Web application security resource center for news, tips and additional expert advice.

Learn how to improve Web site security by securing Web applications from authenticated users and avoiding client-side authentication.

This was last published in December 2005

Web application variable manipulation

Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation.

Dig Deeper on Web application and API security best practices

Security Think Tank: In-depth protection is a matter of basic hygiene

The security risks of HTTPS inspection in the cloud

Responsible disclosure of latest named vulnerability, 'httpoxy'

How do I configure Outlook Anywhere for specific external use?

Related Q&A from Michael Cobb

How to send secure email attachments

The risks and effects of spyware

Symmetric vs. asymmetric encryption: Decipher the differences

SearchCloudSecurity

6 AIOps security use cases to safeguard the cloud

Implement Kubernetes for multi-cloud architecture security

Google forms cyber insurance pact with Allianz, Munich Re

SearchNetworking

Wi-Fi 6 rollout requires careful review of network devices

How cloud-native networking will transform infrastructure

The role of network observability in distributed systems

SearchCIO

Enterprise architecture has business's ear at Scottish Water

4 IT contract negotiation strategies to drive value in 2021

Turning data into actionable insights with machine learning

SearchEnterpriseDesktop

Incorporating zero trust into endpoint security

Keeping tabs on employees in the hybrid workplace

Top 6 endpoint security software options in 2021

SearchCloudComputing

Choose the right serverless container service

IBM boosts vertical cloud push with financial services cloud

Open source cloud platforms and tools to consider

ComputerWeekly.com

CMA provisionally clears merger of Virgin and O2

Tesco reports online sales surge, advances digital platform

UK employees’ adaptation to Covid workplace creates digital transformation dilemma