: Core Security, Information Disclosure
E-commerce sites collect a great deal of data for each transaction, and web applications typically gather it across a sequence of consecutive pages, each of which validates the input it receives. If an attacker can predict the URLs of the pages in that sequence, they can request a later page directly and bypass the validation checks performed on the pages they skipped.
How can the attacker be prevented from jumping between URLs within a session?
Expose a single URL to the user and serve every page of the session from it. Serve the home page first. Keep the session state on the server and use it, not anything the client supplies, to decide which page to serve next. In this way the server enforces the path a client can take through the workflow: a request that does not correspond to the session's current step is answered with the current step's page rather than with the page the client asked for.
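The following is an added illustration of the solution, not code from the catalog or from any site it cites. It models a checkout behind a single entry point: the client never names a page, the server looks up the session's current step and only accepts a submission for that step. The step names, form fields (`items`, `address`, `card_token`, `confirm`) and the hidden `step` field are assumptions chosen for the example.

```python
"""Server-enforced checkout navigation behind a single URL (added example).

All page names, form fields and the step order below are assumptions made
for illustration; they are not taken from any particular site.
"""
import secrets

# Ordered steps of the workflow. A session may only move forward one step
# per valid submission; the client never chooses the page it receives.
STEPS = ["cart", "shipping", "payment", "review", "done"]

# Server-side session store: session id -> {"step": ..., "data": {...}}.
# In production this would be a database or cache keyed by an opaque cookie.
_sessions = {}


def new_session():
    """Create a session that starts at the first step and return its opaque id."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"step": STEPS[0], "data": {}}
    return sid


def current_step(sid):
    """Return the step the server recorded for the session, or None if unknown."""
    sess = _sessions.get(sid)
    return sess["step"] if sess else None


# One validator per step. Each returns True only if the submitted form
# contains what that step requires, and copies the accepted data into
# the server-side session record.
def _validate_cart(form, data):
    items = form.get("items", "").split(",") if form.get("items") else []
    if not items:
        return False
    data["items"] = items
    return True


def _validate_shipping(form, data):
    if not form.get("address"):
        return False
    data["address"] = form["address"]
    return True


def _validate_payment(form, data):
    # Only an opaque token from the payment provider is accepted here,
    # never a raw card number (assumed "tok_" prefix for the example).
    token = form.get("card_token", "")
    if not token.startswith("tok_"):
        return False
    data["card_token"] = token
    return True


def _validate_review(form, data):
    return form.get("confirm") == "yes"


VALIDATORS = {
    "cart": _validate_cart,
    "shipping": _validate_shipping,
    "payment": _validate_payment,
    "review": _validate_review,
}


def handle_request(sid, form):
    """Single entry point (e.g. POST /checkout). Returns the page to render.

    The page is never taken from the URL. The submitted form must belong
    to the step the server recorded for this session; anything else,
    including a form for a later step, is treated as a jump attempt and
    is answered with the page for the current step.
    """
    sess = _sessions.get(sid)
    if sess is None:
        # Unknown or expired session: start over from the home page.
        return "home"
    step = sess["step"]
    if step == "done":
        return "done"
    if form.get("step") != step:
        # Out-of-order submission: re-serve the current page unchanged.
        return step
    if not VALIDATORS[step](form, sess["data"]):
        # Invalid input for this step: stay on it.
        return step
    sess["step"] = STEPS[STEPS.index(step) + 1]
    return sess["step"]


if __name__ == "__main__":
    sid = new_session()
    # A client that submits payment data straight away is kept on "cart".
    print(handle_request(sid, {"step": "payment", "card_token": "tok_x"}))
    print(handle_request(sid, {"step": "cart", "items": "sku1,sku2"}))
    print(handle_request(sid, {"step": "shipping", "address": "1 Main St"}))
    print(handle_request(sid, {"step": "payment", "card_token": "tok_x"}))
    print(handle_request(sid, {"step": "review", "confirm": "yes"}))
```

The hidden `step` field only identifies which form the browser rendered; it is compared against the server's record and is never trusted to select a page, so forging it gains nothing. Because every page is served from one URL, there is no per-page URL for an attacker to guess, and skipping a step is impossible without first passing its validator.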
Amazon.com’s checkout process.
Kienzle et al. repository
Session, User Interface
Last modified: May 05, 2012
Maintained by: Munawar Hafiz