In a Vaadin application I have the user login and then they are directed to a View which presents some data fetched from the database based on a unique id of the user. They can continue to other views to get more details, etc.
After authentication, which means they have access to the API, is it possible to alter the request somehow, e.g. with Burp Suite, to send a different id to the View in order to make the API malfunction and return another user's details?
How does Vaadin protect against this? Does the communication from the client to the server, or from view to view, happen with POST requests?
CodePudding user response:
In some tests I ran, when entering something into a text field I could see the value being sent to the server through the Firefox web tools.
However, when using other server-side controls, like a date picker, I could not see a value being transferred. So I guess that server-side controls are immune to forgery.
The documentation says that "Unlike client-driven frameworks, a Flow application never exposes its internals to the browser, where vulnerabilities could be abused by an attacker."
So it seems secure, but I have no clue how it is done.
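As an added illustration of the id-tampering concern in the question (example code, not from either post or from the Vaadin project): the view that reads the user id from the URL lets the client choose the record, while the view that reads it from server-side session state set at login does not. `UserRepository`, the `authenticatedUserId` session attribute and constructor injection via Vaadin Spring are assumptions; both views are shown in one file for brevity.

```java
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.BeforeEvent;
import com.vaadin.flow.router.HasUrlParameter;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinSession;

/** Hypothetical data access interface, not part of Vaadin. */
interface UserRepository {
    String loadDetails(long userId);
}

/**
 * Weak pattern: the id arrives in the URL (/details-by-url/42), so the
 * browser decides which record is loaded. Anything in the URL is
 * client-controlled and is checked here against nothing.
 */
@Route("details-by-url")
class DetailsByUrlView extends VerticalLayout implements HasUrlParameter<Long> {
    private final UserRepository repo;

    DetailsByUrlView(UserRepository repo) { this.repo = repo; }

    @Override
    public void setParameter(BeforeEvent event, Long userId) {
        add(new Span(repo.loadDetails(userId))); // no ownership check
    }
}

/**
 * Hardened pattern: the id comes from VaadinSession state that the login
 * code stored after verifying credentials (assumed attribute name). The
 * browser never sends the id at all, so editing requests in a proxy can
 * change what the user typed into a field, but not whose record is read.
 */
@Route("details")
class DetailsView extends VerticalLayout {
    static final String USER_ID_ATTR = "authenticatedUserId"; // set at login (assumed)

    DetailsView(UserRepository repo) {
        Long userId = (Long) VaadinSession.getCurrent().getAttribute(USER_ID_ATTR);
        if (userId == null) {
            add(new Span("Not authenticated"));
            return;
        }
        add(new Span(repo.loadDetails(userId)));
    }
}
```

The same rule applies to any other per-user key (account number, order id): look it up from the authenticated session on the server, and treat route parameters and field values as untrusted input.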