Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to prevent hacking if users change html/javascript variables on client side?

Tags:

Using a simple tool like FireBug, anyone can change javascript parameters on the client side. If anyone take time and study your application for a while, they can learn how to change JS parameters resulting in hacking your site.

For example, a simple user can delete entities which they see but are not allowed to change. I know a good developer must check everything on server side, but this means more overhead, you must do checks with data from a DB first, in order to validate the request. This takes a lot of time, for every action someone must validate it, and can only do this by fetching the needed data from DB.

What would you do to minimize hacking in that case?

A more simple way to validate is to add another parameter for every javascript function, this parameter must be a signature between previous parameters and a secret key.

How good sounds the solution above to you?

Our team use teamworkpm.net to organize our work. I just discovered that I can edit someone else tasks by changing a javascript function (which initially edit my own tasks).

like image 459
Sorin Avatar asked Jul 06 '10 13:07

Sorin


People also ask

Can hacker change JavaScript?

This kind of attack can be used to exploit possible security flaws on the client-side. The attacker can change the data, hijack the session and make arbitrary JavaScript changes on the page, therefore compromising the security of the original code.

Is client side JavaScript secure?

In short, JavaScript client-side applications are not 100% safe. The main reason is that there is no full control of the client-side as it is executed in the browser. Those with advanced skills can have access to critical information on the frontend and expose vulnerabilities.

Can users modify JavaScript?

As you self mentioned before, the user easily can manipulate your javascript, and also he can read everything in javascript, the secret key, too! You can't hide anything in JavaScript, the only thing you can do is to obscure things in JavaScript, and hope nobody tries to find out what you try to hide.


1 Answers

when every function call to server, in server side before you do the action , you need to check if this user is allowed to do this action.

It is necessary to build server-side permissions mechanism to prevent unwanted actions, you may want to define groups of users, not individual user level, it makes it easier.

like image 169
Haim Evgi Avatar answered Oct 14 '22 08:10

Haim Evgi