ASP security flaws

[zakdugas]

We are using a java app to pass the parameters via URL to an asp page to generate a CR report. (don't ask!!! hehehehe)

What alternatives do we have to using the querystring?

I was thinking more in the lines of the java app posting the data to the server and the asp page taking the values into hidden text fields. What do you think of this as a solution?

 

[onpnt]

If you are really worried about it you should have the java application use a data store in which the ASP page can access once it is loaded for the required values.

If the values are limited even a flat file would work but if they are costly in size and number then you should use a database

[sub]____________ signature below ______________
The worst mistake you'll ever make is to do something simply the way you know how while ignoring the way it should be done[/sub]

 

[Sheco]

Perhaps your java app is able to "roll its own" HTTP Request... independant of any HTML form. If so you could put the values into the body of a POST request instead of the QueryString. I guess you could also encrypt it by using HTTPS instead of plain HTTP. From the ASP side the values would appear in the Request.Form collection just as if they had been hidden fields on an HTML form.