Manage

Web application variable manipulation

Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation.

Michael Cobb

What happens if a Web application uses client-side SSL certificates in addition to server-side certificates? Is Web application variable manipulation still possible?

Unfortunately, Web application variables can still be manipulated even when both client and server are using digital certificates to authenticate themselves and establish an SSL connection. In order to manipulate Web application variables an attacker uses an HTTP proxy tool. By adjusting the client's browser's proxy settings to pass through the HTTP proxy, all HTTP and HTTPS requests and responses can be channelled through the proxy before being forwarded to the server. This gives the attacker a window to view and alter all information passed in the browsing session, including any variables passed by the application in cookies, hidden form elements and URLs. The main threat from these proxy tools is they enable attackers to view and edit the information sent from the client to the server.

Not all "man-in-the-middle" proxy tools can handle SSL sessions when the client and the server use certificates, because they can't store the client certificate for handshaking or logon. However, if they import the required client certificate prior to handshaking or logon, the Paros Proxy can intercept and modify HTTPS data, even when applications require a client certificate. Although the client and the server may be trusted, the attacker can modify any part of the request and response before forwarding it.

Paros is a very powerful program and can be used to evaluate the security of Web applications. It is free of charge and completely written in Java. It has several tools including a record feature, which keeps a history of all HTTP requests and responses. This feature allows the developer or attacker to review all of the actions, pages and variables. It also includes automated vulnerability scanning and detection capabilities for some common Web application attacks, including SQL injection and cross-site scripting. Paros also scans for unsafe Web content, such as unsigned ActiveX controls and browser exploits sent by the target Web server. For more information about Paros visit the Web site at http://www.parosproxy.org.

More Information

Visit our Web application security resource center for news, tips and additional expert advice.

Learn how to improve Web site security by securing Web applications from authenticated users and avoiding client-side authentication.

This was last published in December 2005

Dig Deeper on Web application and API security best practices

Related Q&A from Michael Cobb

How to prevent software piracy

Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading

What is shellcode and how is it used?

Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading

How to prevent port scan attacks

The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Google Cloud security gets boost with Secret Manager

Google Cloud's new Secret Manager service augments its cloud security capabilities with an eye toward the needs of DevOps teams.

Microsoft misconfiguration exposed 250M customer service records

Microsoft exposed 250 million customer support records on five Elasticsearch servers that had misconfigured Azure security rules,...

Lyft's open source asset tracking tool simplifies security

Security teams need information and context about data in order to keep it safe. Learn how Cartography, Lyft's open source asset ...

SearchNetworking

Explore 9 essential elements of network security

Network security isn't a one-size-fits-all strategy. Dive into the various segments of network security, and learn how they ...

Cisco Cyber Vision targets industrial IoT security

Cisco Cyber Vision is the networking company's latest product for industrial IoT security. The technology is based on software ...

3 ways SD-WAN can improve WAN performance

Learn how software-defined WAN technology can improve WAN performance and help branch offices deal with an increasing amount of ...

SearchCIO

How IoT, 5G, RPA and AI are opening doors to cybersecurity threats

In the second part of a series on CIOs preparing for cyberthreats in 2020, we look at how emerging technologies like IoT and the ...

Preparing for the new forms of cybersecurity threats in 2020

In the first part of a series on the new forms of cyberthreats in 2020, we're diving into the many infiltration points being ...

What is the state of CIO tenure today?

CIO tenure remains significantly lower than other C-suite positions, and according to experts, it's a result of the age of ...

SearchEnterpriseDesktop

Navigating the Registry Editor for Windows 10 desktop admins

The Windows 10 registry stores some critical desktop settings that IT pros should know how to edit, alter or even delete to ...

Windows 7 sunset gives PC market a boost in 2019

Does the growth of the PC market in 2019 reflect an increased appetite for the devices? Experts discuss the PC's role in the ...

EG Enterprise v7 focuses on usability, user experience monitoring

New features in EG Enterprise v7, set to launch soon, enable simulated and real user monitoring, automated diagnosis and new ...

SearchCloudComputing

Establish cloud visibility with Azure monitoring tools

Learn about the various monitoring services available on the Azure cloud platform. Use these tools for application performance ...

Learn best practices for cloud automation on Microsoft Azure

Check out these best practices for workload automation on Microsoft Azure. Review the tools and techniques that can free your IT ...

A look at AWS antipatterns: What not to do in the cloud

In this Q&A, Clive Harber, co-author of "Implementing Cloud Design Patterns for AWS," breaks down why traditional enterprises ...

ComputerWeekly.com

IR35 reforms are 'demonising' contractors and locking them out of work, chancellor warned

The CEO of online accountancy consultancy InniAccounts has written to the chancellor of the exchequer, Sajid Javid, to call for ...

NHS suffers fewer ransomware attacks, but threat persists

Ransomware attacks against the NHS have tapered off dramatically, according to statistics obtained under FoI legislation, but ...

AI is transforming the Nordic workplace – and it won’t stop there

Nordic startups are applying artificial intelligence to address workplace challenges, with HR and operations managers across the ...

Web application variable manipulation

Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation.

Dig Deeper on Web application and API security best practices

How do I configure Outlook Anywhere for specific external use?

How do I grant users outside the LAN access to OWA?

Are application security vulnerabilities slowing you down?

Publishing Exchange to the Internet via Web Application Proxy and ADFS

Related Q&A from Michael Cobb

How to prevent software piracy

What is shellcode and how is it used?

How to prevent port scan attacks

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

Google Cloud security gets boost with Secret Manager

Microsoft misconfiguration exposed 250M customer service records

Lyft's open source asset tracking tool simplifies security

SearchNetworking

Explore 9 essential elements of network security

Cisco Cyber Vision targets industrial IoT security

3 ways SD-WAN can improve WAN performance

SearchCIO

How IoT, 5G, RPA and AI are opening doors to cybersecurity threats

Preparing for the new forms of cybersecurity threats in 2020

What is the state of CIO tenure today?

SearchEnterpriseDesktop

Navigating the Registry Editor for Windows 10 desktop admins

Windows 7 sunset gives PC market a boost in 2019

EG Enterprise v7 focuses on usability, user experience monitoring

SearchCloudComputing

Establish cloud visibility with Azure monitoring tools

Learn best practices for cloud automation on Microsoft Azure

A look at AWS antipatterns: What not to do in the cloud

ComputerWeekly.com

IR35 reforms are 'demonising' contractors and locking them out of work, chancellor warned

NHS suffers fewer ransomware attacks, but threat persists

AI is transforming the Nordic workplace – and it won’t stop there

Dig Deeper on Web application and API security best practices

How do I configure Outlook Anywhere for specific external use?

How do I grant users outside the LAN access to OWA?

Are application security vulnerabilities slowing you down?

Publishing Exchange to the Internet via Web Application Proxy and ADFS

Related Q&A from Michael Cobb

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.