Javascript Security Question....
Posted: Wed Feb 07, 2007 9:18 pm
by tecktalkcm0391
If you have something on javascript that prints out a form like this:
Code:
// Build the form element and attach it to the page
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "");
form.setAttribute("name", "form");
form.setAttribute("id", "form");
// First Name
// (the variable is called first_name rather than name: a global "name"
// collides with window.name, which coerces the element to a string)
var first_name = document.createElement("input");
first_name.setAttribute("type", "text");
first_name.setAttribute("name", "name");
first_name.setAttribute("value", "name");
form.appendChild(first_name);
Can a user somehow edit these values and submit something else, like changing the name input to chris?
Posted: Wed Feb 07, 2007 9:35 pm
by Burrito
Yes, all of that is done on the client side, so with the right tools they could change it to whatever they want.
Posted: Wed Feb 07, 2007 9:40 pm
by JellyFish
Since we're on the subject: what are some good security briefings (links) you guys might have to offer on web development?
Posted: Wed Feb 07, 2007 9:46 pm
by Luke
Posted: Sat Feb 10, 2007 12:24 am
by tecktalkcm0391
Burrito wrote: Yes, all of that is done on the client side, so with the right tools they could change it to whatever they want.
The code changed a bit: all of the text boxes are hidden, and it is hidden in a layer. Can they still edit it? If so, with what?
Posted: Sat Feb 10, 2007 1:06 am
by nickvd
Posted: Sat Feb 10, 2007 1:37 am
by Buddha443556
Why bother playing with the Javascript? All one needs to do is send an HTTP request. You can't tell server-side if it's from your web page or a Perl script, which is why validating the user data is an absolute must.
Posted: Mon Feb 12, 2007 3:38 pm
by tecktalkcm0391
Ahh, I see. I guess I am just going to obfuscate it to make it harder for them to understand then.
Buddha443556 wrote: Why bother playing with the Javascript? All one needs to do is send an HTTP request. You can't tell server-side if it's from your web page or a Perl script, which is why validating the user data is an absolute must.
Thanks, you gave me an idea. What I am working on is something for PayPal, and now I got how to verify it. I am going to use the IPN information posted back to check and make sure everything that WAS entered correctly comes back as what it should be, and if not I'll just void the transaction.
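The server-side check described in this last post, written out as an added example in JavaScript (Node); it is not code from the thread. It assumes a hypothetical order record the server stored when it generated the form, uses the standard PayPal IPN field names, and assumes the IPN message has already been posted back to PayPal and answered VERIFIED.

```javascript
// Added example: compare a PayPal IPN message against the order the server
// itself recorded at checkout. Nothing the browser sent is trusted; the
// server's copy of the order is the only authority, so hidden or obfuscated
// form fields change nothing about this check.
// IPN field names (receiver_email, invoice, mc_currency, mc_gross,
// payment_status, txn_id) are standard; the order record shape is hypothetical.

// Money is compared as integer cents so "19.99" never suffers float drift.
function toCents(amountString) {
  return Math.round(parseFloat(amountString) * 100);
}

// Returns { ok, problems }. `seenTxnIds` is the caller's replay record
// (a Set here; a database table in a real deployment).
function verifyIpnAgainstOrder(order, ipn, seenTxnIds) {
  const problems = [];
  if (ipn.receiver_email !== order.merchantEmail) problems.push("receiver_email mismatch");
  if (ipn.invoice !== order.invoice) problems.push("invoice mismatch");
  if (ipn.mc_currency !== order.currency) problems.push("currency mismatch");
  const cents = toCents(ipn.mc_gross);
  if (!Number.isFinite(cents) || cents !== order.amountCents) problems.push("amount mismatch");
  if (ipn.payment_status !== "Completed") problems.push("payment not completed");
  if (seenTxnIds.has(ipn.txn_id)) problems.push("duplicate txn_id");
  const ok = problems.length === 0;
  if (ok) seenTxnIds.add(ipn.txn_id); // only record transactions we accepted
  return { ok, problems };
}

// Constructed sample data: the order as stored server-side, a matching IPN,
// and an IPN whose amount was altered on the client side.
const sampleOrder = {
  invoice: "INV-1001", merchantEmail: "seller@example.com", currency: "USD", amountCents: 1999,
};
const goodIpn = {
  receiver_email: "seller@example.com", invoice: "INV-1001", mc_currency: "USD",
  mc_gross: "19.99", payment_status: "Completed", txn_id: "TXN-A1",
};
const tamperedIpn = { ...goodIpn, mc_gross: "0.01", txn_id: "TXN-A2" };

const seen = new Set();
console.log(verifyIpnAgainstOrder(sampleOrder, goodIpn, seen));     // ok: true
console.log(verifyIpnAgainstOrder(sampleOrder, tamperedIpn, seen)); // amount mismatch
console.log(verifyIpnAgainstOrder(sampleOrder, goodIpn, seen));     // duplicate txn_id
```

A mismatch is the signal to void or refuse to fulfil the transaction rather than to trust whatever the form said.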