Javascript Security Question....

JavaScript and client side scripting.

Post by tecktalkcm0391 »

If you have something in JavaScript that prints out a form like this:

Code:

// Build the form element
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "");
form.setAttribute("name", "form");
form.setAttribute("id", "form");

// First Name
// (held in first_name: a global called "name" would collide with window.name)
var first_name = document.createElement("input");
first_name.setAttribute("type", "text");
first_name.setAttribute("name", "name");
first_name.setAttribute("value", "name");
form.appendChild(first_name);

Can a user somehow edit these values and submit something else, like change the name input to chris?

Post by Burrito »

Yes, all of that is done on the client side, so with the right tools they could change it to whatever they want.

Post by JellyFish »

Since we're on the subject, what are some good security briefings (links) you guys might have to offer on web development?

Post by Luke »


Post by tecktalkcm0391 »

Burrito wrote: Yes, all of that is done on the client side, so with the right tools they could change it to whatever they want.

The code changed, but all of the text boxes are hidden, and it is hidden in a layer. Can they still edit it? If so, with what?

Post by nickvd »


Post by Buddha443556 »

Why bother playing with the JavaScript? All one needs to do is send an HTTP request. You can't tell if it's from your web page or a Perl script server-side, which is why validating the user data is an absolute must.

Post by tecktalkcm0391 »

Ahh, I see. I guess I am just going to obfuscate it to make it harder for them to understand then.

Buddha443556 wrote: Why bother playing with the JavaScript? All one needs to do is send an HTTP request. You can't tell if it's from your web page or a Perl script server-side, which is why validating the user data is an absolute must.

Thanks, you gave me an idea. What I am working on is something for PayPal, and now I got how to verify it. I am going to use the IPN information posted back to check and make sure everything that WAS entered correctly comes back as what it should be, and if not I'll just void the transaction.
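
The server-side check this thread arrives at, as an added example that is not part of the original posts: values posted back for an order are compared with the copy the server stored, so an edited or hidden form field cannot change the outcome. The field names are IPN variable names; the order store, `parseBody` and `checkNotification` are hypothetical, the sample data is constructed, and confirming with PayPal that the message is genuine is assumed to have happened already and is not shown.

```javascript
// Added example (Node.js). Constructed sample data: what the server
// recorded when it created the order. This copy is the source of truth,
// never the values that arrive in a request.
const orders = new Map([
  ["ORD-1001", { amount: "25.00", currency: "USD",
                 receiver: "shop@example.test", paid: false }],
]);
const seenTransactions = new Set(); // txn_ids that were already accepted

// Parse an application/x-www-form-urlencoded body. A browser, a script or
// a proxy can all produce one, so every field is untrusted input.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Compare a posted-back notification with the stored order.
// Returns { ok: true } or { ok: false, reason }.
function checkNotification(body) {
  const f = parseBody(body);
  const order = orders.get(f.invoice);
  if (!order) return { ok: false, reason: "unknown order" };
  if (f.payment_status !== "Completed")
    return { ok: false, reason: "not completed" };
  if (f.receiver_email !== order.receiver)
    return { ok: false, reason: "wrong receiver" };
  if (f.mc_currency !== order.currency)
    return { ok: false, reason: "wrong currency" };
  // Strict format check first, then an exact match with the stored amount.
  if (!/^\d+\.\d{2}$/.test(f.mc_gross || "") || f.mc_gross !== order.amount)
    return { ok: false, reason: "wrong amount" };
  // A transaction id may be accepted only once (replayed notification).
  if (!f.txn_id || seenTransactions.has(f.txn_id))
    return { ok: false, reason: "duplicate or missing txn_id" };
  seenTransactions.add(f.txn_id);
  order.paid = true;
  return { ok: true };
}

// Constructed request: the amount was edited before submission.
const tampered = "invoice=ORD-1001&payment_status=Completed" +
  "&receiver_email=shop%40example.test&mc_currency=USD" +
  "&mc_gross=0.01&txn_id=TXN-DEMO";
console.log(checkNotification(tampered)); // rejected, order stays unpaid
```

Obfuscating the client script does not change this result, because the check never relies on anything the browser sent.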