-1

I have a security concern about sending secure data (encrypted before sending the request) to a servlet. I tried to call the function that performs the encryption for the password as an example, but I can't pass the value from JavaScript to Java code in the JSP.

<script>
 // getElementsByName returns a NodeList, so take the first match and read
 // its value; the name must match the password input's name attribute below.
 function login() {
  var password = document.getElementsByName("password")[0].value;
  console.log(password);
 }
</script>
</head>
<body>
 <form class="login" action="servlet example" method="post">
  <h1 class="login-title">BSH Login</h1>
  <h3><%=request.getAttribute("message") != null ? request.getAttribute("message") : ""%></h3>
  <input type="text" class="login-input" name="username"
   placeholder="Bsh UserName" autofocus>
  <input type="password" name="password" class="login-input" placeholder="Password">
  <input type="submit" value="Login" onclick="login()" class="login-button">
 </form>
</body>

I seriously need to send encrypted data from JSP to servlet without HTTPS.

Matheus Lacerda
  • You would have to do this with JavaScript. Here's a good example: https://stackoverflow.com/questions/5782899/javascript-best-way-to-encrypt-data-with-password – Jonathan Laliberte Jun 05 '18 at 11:32
  • JS or any client script is vulnerable to security attacks, yet you can go for jCryption.js –  Jun 05 '18 at 11:34
  • @JonathanLaliberte Actually, I want to execute a Java encryption method that I can import in the JSP file –  Jun 05 '18 at 11:35
  • https://stackoverflow.com/questions/2003262/how-to-send-password-securely-via-http-using-javascript-in-absence-of-https – Rafał Sokalski Jun 05 '18 at 11:35
  • The Java code is executed before the user loads the page. This is why you can't do it with Java. – Jonathan Laliberte Jun 05 '18 at 11:36
  • @Arvind I don't want to encrypt with JS; there are utils in the back end I should use –  Jun 05 '18 at 11:36
  • 1
    @ShaabanEbrahinAltnany, then you are left with the Applets option –  Jun 05 '18 at 11:37
  • Think about it this way... the user enters their password in the form... If you send this info to your server to encrypt, then it is vulnerable to man-in-the-middle attacks. – Jonathan Laliberte Jun 05 '18 at 11:37
  • I made a simple JavaScript function that can print a value with a JSP tag, so I can execute Java code within JavaScript code. I want to get the value from the input and pass it to the encryption method –  Jun 05 '18 at 11:37
  • @JonathanLaliberte No, I will not send it in the clear. I want to execute the method without dispatch, just calling it. From the start, I don't want to call the server with clear values –  Jun 05 '18 at 11:39
  • 1
    @ShaabanEbrahinAltnany, Java runs on the server whereas JS runs in the web browser; Java can't run along with JS. As said above, all you have is applets –  Jun 05 '18 at 11:39
  • @Arvind I know that, but take a look at this code –  Jun 05 '18 at 11:42
  • When I clicked on the button that calls the JavaScript login function, Java printed the value Hiiiiiiii –  Jun 05 '18 at 11:43
  • @ShaabanEbrahinAltnany, forget about the script; even if you do `<%=new java.util.Date()%>` you will get the server date/time printed on the page, but that does not mean that the Java code was processed by your browser. –  Jun 05 '18 at 11:47
  • @Arvind Yeah, I know that the Java code isn't executed in the browser; it runs on the JVM and returns the result to the server to show it –  Jun 05 '18 at 11:50
  • 1
    You can't make it more secure: a MITM attacker has the secret to the encryption if you don't use HTTPS, and if you do, there is no need for pointless encryption. So do use HTTPS. – zapl Jun 05 '18 at 11:51
  • I am using a certificate with a JKS, highly secure, with public and private key. –  Jun 05 '18 at 11:58

3 Answers

1

The correct (and possibly only) solution is to use HTTPS. This will establish a secure connection with the server to send the login request. Since all data sent over an HTTPS connection is encrypted, additional encryption of the password will be unnecessary.


Let us suppose that you wanted to use a non-secure connection (i.e. HTTP instead of HTTPS). Would it be possible to use encryption to send the password ... securely?

I think that the answer is No.

In this scenario, let Alice be the user, Bob be the server, and Carol be the person / agent trying to intercept the password.

Suppose that Alice sends an HTTP request to fetch the login page and Bob responds with a page with some embedded JavaScript that will encrypt the user's password. Bob's JavaScript could even use public key encryption so that Carol couldn't decrypt the password ... despite knowing the encryption key. (You would think ...)

Unfortunately, it is NOT secure. The problem is that Bob sent the page containing your JavaScript to Alice's web browser in the clear. Carol can use known network hacking techniques to change the response from Bob so that the page that Alice gets has a different version of the JavaScript. This version might send the password in the clear, or might encrypt it with a different public key. This will result in Alice failing to log in. But if Carol can also see the login request (because that also was sent via HTTP), then she can grab Alice's password. Indeed, Carol can force the request to be sent over HTTP.

This is an example of a "man in the middle" (MITM) security attack.

In short, if you don't do the entire interchange over HTTPS, any security mechanism that is embedded in the login page can be defeated.

Stephen C
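The point of the answer above, enforced on the servlet side, as an added example that is not from the answer or from the asker's project: a servlet Filter that refuses to hand a login request to the servlet unless it arrived over HTTPS, redirects plain-HTTP page loads to HTTPS, and sets an HSTS header so that a browser that has already seen the site over HTTPS will not let a later request be downgraded to HTTP. The package name, the URL patterns and the HTTPS port (default 443) are assumptions.

```java
package example.security; // assumed package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// URL patterns for the login page and login servlet are assumed.
@WebFilter(urlPatterns = {"/login.jsp", "/LoginServlet"})
public class RequireHttpsFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() reflects the connector; behind a TLS-terminating proxy the
        // container must be told to trust X-Forwarded-Proto (e.g. Tomcat's RemoteIpValve).
        if (!request.isSecure()) {
            // A credential POSTed over plain HTTP has already been exposed on the
            // wire; refuse it instead of forwarding it to the servlet.
            if (!"GET".equals(request.getMethod())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                return;
            }
            // Redirect page loads to the same path over HTTPS (assumes port 443).
            String query = request.getQueryString();
            String httpsUrl = "https://" + request.getServerName() + request.getRequestURI()
                    + (query != null ? "?" + query : "");
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrl);
            return;
        }

        // HSTS: the browser will use HTTPS for this host for one year, so an
        // attacker cannot force the login request back onto plain HTTP.
        response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```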
0

When using a web-based request as such, I would suggest using JSON Web Tokens, which can be found over here: https://jwt.io.

This program/tool will allow you to embed encrypted data and verify the data once sending and receiving (especially receiving). Feel free to read the documentation and implement it in either your JavaScript or Java framework.

  • Whatever JWT I use, I must encrypt, for example, the password and put it in the token. Encryption must be handled with a method in the backend. By the way, the JSP and servlet are in the same project with the encryption utils –  Jun 05 '18 at 11:41
0

Your question is not very clear.

If you want to send any credential (or generally anything) from client to server, the only option is HTTPS.

But if you are talking about passing some data from JSP to servlet, the internal request dispatcher is locally secure and does not involve the client. But if you redirect between gateways, because you need client redirect calls, you still need HTTPS.

  • I want to send the values to the servlet encrypted with a method in the utils in the same project and decrypt them in the servlet. Did you get it? –  Jun 05 '18 at 11:57
  • Again, if you want to send/receive any data between client and server, you need HTTPS –  Jun 05 '18 at 12:36