• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Javascript/Html Server side verification

#1
Hi all

ive been playing around and have a question that i just cant find a good answer.

I have a HTML and send it to my controller through javascript.
i have values in data-attributes

I have just realised that if i change a value of a data-attribute using google inspector and then click send this will be the value used.

So if i use a users ID in a data attribute ie data-userid="1" and example delete this user when i click on the send button through a javascript function user 1 is deleted well flaged as deleted as my users dont have delete permission

If change the data-userid="15" in the inspector the user 15 will be deleted once i click on the button

I have thaught of using some sort of hash or crypt on the user ID and have that in my data-userid="tre43sdf5486zrs6f46sg" like this

is there a better way around this

thanks hope im clear Smile
Reply

#2
I personally would check permissions on the server side with usergroups / roles.
So when I am logged in as Administrator group / role, I have permissions to delete users.

Am I an content editor? then I can not delete users (even if I know the route to the controller).
Reply

#3
(02-21-2018, 05:54 AM)Krycek Wrote: I personally would check permissions on the server side with usergroups / roles.
So when I am logged in as Administrator group / role, I have permissions to delete users.

Am I an content editor? then I can not delete users (even if I know the route to the controller).

great thanks that i have done.

first thing i do is check if its an ajax call
then i get the logged in user id and check if user is logged in and has permissions

but most users have the same permissions (ex. members) so they could alter information of one user via the html just by changing the values via inspecter.

lets say i have a friend suggestion.

<div id="suggestionid" data-suggested="123" > where 123 is the suggested user id
i get the data-attribute via javascript and send it to my controller but what if the user changes 123 to 178

178 will be the value sent to the controller

so how do i check this before taking action on the sent data

this is just a simple example but im sure users doing this will be able to manipulate a lot more
Reply

#4
There's isn't a way from preventing someone from taking pot-shots at your data. But you can obfuscate whats going on.
https://paragonie.com/blog/2015/09/compr...ion-in-php

You might want to consider using session data to pass sensitive info like user id instead of passing it in a url.
Reply

#5
(02-21-2018, 06:40 AM)dave friend Wrote: There's isn't a way from preventing someone from taking pot-shots at your data. But you can obfuscate whats going on.
https://paragonie.com/blog/2015/09/compr...ion-in-php

Ok sounds good what im thinking is creating to
send a crypted version of the user id instead using $this->load->library('encryption');

this gives a huge number but a user wanting to try change that value wont be very successful

then when data is sent i can decrypt the value and check it up agaisnt the value in the db

what you think

and is there a way to have shorter encrypted responces?
Reply

#6
Go back a read the article I linked. It's about why you DON'T use encryption in URL parameters. Instead you use a "random lookup" value.

You can make it shorter but that means there are fewer unique values raising the odds of a conflict and making it easier to use brute-force techniques.
Reply

#7
(02-21-2018, 08:01 AM)dave friend Wrote: Go back a read the article I linked. It's about why you DON'T use encryption in URL parameters. Instead you use a "random lookup" value.

You can make it shorter but that means there are fewer unique values raising the odds of a conflict and making it easier to use brute-force techniques.

ok great read it trough makes sence

thanks alot for your help
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.