I know that a POST can be spoofed in terms of originating domain, but what about being able to change the variables of the hidden POST variables in my HTML? I am concerned that someone could alter the "amount" value in my PayPal form from this:
<input type="hidden" name="amount" value="1.00">
to this:
<input type="hidden" name="amount" value="0.01">
or something similar. Thanks.
Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all.
Web security rule #1: Never trust any user input. Also stated as "All users are malicious hackers" or some variant thereof.
Answer to comment: The solution is to know all of the correct values on the server side, without having to pass them through the client side (JavaScript). So regardless of what the form says, you already know the price. Just use the same value you used to populate the form in the first place.
Update 2020:
OWASP covers this topic in "Injection Theory", where applications accept data from untrusted, uncontrolled, or potentially compromised sources.
Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.
Review this OWASP "cheatsheet" for an overview of mitigations that can be implemented to better secure REST based endpoints.
Yes, it is very simple to do with browser inspector tools, JavaScript, cURL and other tools.
You shouldn't rely on the amount field being what you'd initially transmitted in the response to the client. A more secure approach would be to rely on an identifier for an item, which you can map to a price on the server (a more controlled environment).
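The approach both answers describe, as an added example that is not part of the original posts: the server prices the order from its own catalogue, keyed by an item identifier, and uses any posted `amount` only to flag tampering. The field names `item_id` and `quantity`, the `CATALOGUE` contents and the function `price_order` are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server's own source of truth for prices.
CATALOGUE = {
    "sku-1001": Decimal("1.00"),
    "sku-1002": Decimal("24.50"),
}
MAX_QUANTITY = 100


class OrderRejected(ValueError):
    """Raised when the posted form cannot be turned into a valid order."""


def price_order(form):
    """Compute the charge from server-side data only.

    `form` is the parsed POST body (dict of str -> str). An "amount" field
    is never used for pricing; it is only compared so a mismatch can be logged.
    """
    item_id = form.get("item_id", "")
    if item_id not in CATALOGUE:
        raise OrderRejected("unknown item")

    raw_qty = form.get("quantity", "1")
    # Short ASCII digit strings only: rejects signs, decimals, whitespace,
    # non-ASCII digits and oversized numbers before int() sees them.
    if not (raw_qty.isascii() and raw_qty.isdigit() and len(raw_qty) <= 3):
        raise OrderRejected("quantity must be a whole number")
    quantity = int(raw_qty)
    if not 1 <= quantity <= MAX_QUANTITY:
        raise OrderRejected("quantity out of range")

    total = CATALOGUE[item_id] * quantity

    tampered = False
    if "amount" in form:
        try:
            tampered = Decimal(form["amount"]) != total
        except InvalidOperation:  # not a number at all
            tampered = True
    return {"item_id": item_id, "quantity": quantity,
            "total": total, "amount_tampered": tampered}
```

The `total` returned here is the value the server would place in the payment form or request; `amount_tampered` is useful as a logging or alerting signal.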