
Easy Web Development with WaveMaker by Edward Callahan


Securing runtime service

WaveMaker's use of service variables insulates applications from SQL injection attacks (http://owasp.com/index.php/SQL_Injection). However, the runtime service exposes an insert(), update(), read(), and delete() method for every imported table. This can create a significant vulnerability, including exposing the user login table when database security is in use.

For example, using curl (http://curl.haxx.se/), a command-line tool for making HTTP requests, we could update the customer table by POSTing directly to the runtime service URL. Here, we update the customer record with customer ID 3 with bogus data:

> curl -H "Content-type: application/json" -d '{"params":["custpurchaseDB", "com.custpurchasedb.data.Customer", ...
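As an added example (not from the book or from WaveMaker itself), a server-side policy check that a deployment could run before a runtime-service request reaches the database: it parses a request body in the shape of the curl call above and denies any method/entity pair that is not explicitly allowed, so the login table is never reachable this way. The `method` field name, the Purchase and User entity names, and the allowlist itself are assumptions.

```python
import json

# Hypothetical per-entity policy: which runtime-service methods each imported
# table may be reached with directly from the browser. Entities not listed are
# denied outright, so the login table (assumed here to be the User entity) is
# never exposed, even for read().
ALLOWED_METHODS = {
    "com.custpurchasedb.data.Customer": {"read"},
    "com.custpurchasedb.data.Purchase": {"read", "insert"},
}
RUNTIME_METHODS = {"insert", "update", "read", "delete"}
EXPECTED_DB = "custpurchaseDB"


def check_runtime_request(body):
    """Decide whether a raw runtime-service request body may proceed.

    Assumed request shape (constructed from the curl example above):
      {"method": "update",
       "params": ["custpurchaseDB", "<entity class>", {...record...}]}
    Returns (allowed, reason); the reason is suitable for an audit log.
    """
    try:
        req = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(req, dict):
        return False, "body is not a JSON object"
    method = req.get("method")
    params = req.get("params")
    if method not in RUNTIME_METHODS:
        return False, "unknown runtime method %r" % (method,)
    if (not isinstance(params, list) or len(params) < 2
            or not all(isinstance(p, str) for p in params[:2])):
        return False, "params must start with [database, entity class]"
    db, entity = params[0], params[1]
    if db != EXPECTED_DB:
        return False, "unexpected database %r" % (db,)
    allowed = ALLOWED_METHODS.get(entity)
    if allowed is None:
        return False, "entity %s is not exposed to the runtime service" % entity
    if method not in allowed:
        return False, "%s is not permitted on %s" % (method, entity)
    return True, "ok"
```

Denied decisions are the ones worth logging: a burst of rejected update() or delete() calls against entities the UI never writes is a direct signal that someone is calling the runtime service by hand.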
