Han Nguyen

Reputation: 1

Can a JDBC connection be attacked by CSRF?

For example, I have an application implementing a JSP form and a Java action which connects directly to the database by JDBC. When I click the "delete" button, this form will connect to the database by JDBC (not HTTP) and delete the item in the database.

Is it possible for my application to be attacked by CSRF, because it communicates with the DB through JDBC instead of HTTP?

I have searched for information about CSRF attacks; almost all of it describes examples of CSRF where there is an HTTP request on the client side. So I really want to know whether this attack can occur in JDBC or not.

Upvotes: 0

Views: 57

Answers (1)

Stephen C

Reputation: 719436

A CSRF attack cannot directly call the JDBC connection code. And it certainly cannot make its own JDBC connections ... unless you've done something else wrong. (Like making the connection parameters public and exposing the database IP address + port.)

However, a CSRF attack could cause a user's browser to unwittingly send an authorized request to the JSP that is indistinguishable from the user clicking the Delete button on the web page. That would cause the JSP to use JDBC to do a "delete" ... when it shouldn't.

So, you do need to concern yourself with CSRF attacks against your site.

Upvotes: 2
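
A defence for the scenario in the answer, as an added example that is not part of the original answer or the asker's code: a synchronizer-token check in the delete action that runs before any JDBC call, so a forged cross-site request never reaches the database. The servlet class, the `csrfToken` field, the `items` table, the `jdbc/appDb` resource and the use of the `javax.servlet` API are assumptions.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.*;
import java.util.Base64;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Hypothetical delete action; class, field, table and JNDI names are assumptions.
public class DeleteItemServlet extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();
    @Resource(name = "jdbc/appDb") private DataSource dataSource; // assumed container-managed
    // Call while rendering the JSP form and emit the result in a hidden "csrfToken" field.
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute("csrfToken", token);
        return token;
    }
    // Constant-time comparison; a missing token on either side is a mismatch.
    static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(UTF_8), submitted.getBytes(UTF_8));
    }

    @Override   // only doPost is overridden, so HttpServlet rejects GET for this action
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute("csrfToken");
        if (!tokenMatches(expected, req.getParameter("csrfToken"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // JDBC is never reached
            return;
        }
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("DELETE FROM items WHERE id = ?")) {
            ps.setLong(1, Long.parseLong(req.getParameter("id")));
            ps.executeUpdate();
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (SQLException | NumberFormatException e) {
            throw new ServletException("delete failed", e);
        }
    }
}
```

The token lives in the server-side session and in the form the site itself rendered, so a page on another origin can make the browser send the session cookie but cannot supply the matching `csrfToken` parameter.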
