
I am not 100% sure if this is as big an issue as I seem to think it is right now, but I think I may have found an issue, or at least a hole, within the Inspect Element viewer within Chrome.

I was using (I have now changed my settings) hidden IDs to set a number of defaults; one was user levels, another was to make the user active by default.

However, when I viewed these IDs within the Inspect Element view and then changed the values, submitting the form would submit the NEW value to the server and not the value I had given it.

For Example:

I had something like the following within my code,

    <input type="hidden" name="data[user][level][id]" value="1" id="MyID">

I then changed it within the Inspect view to,

    <input type="hidden" name="data[user][level][id]" value="2" id="MyID">

Then I submitted the form and was surprised that the NEW value was submitted; I was always under the impression that hidden IDs were not changeable and the browser should only submit the default values held within.

I have now changed this to letting the database default to a basic user, and then I can change the user's settings as I want to. But in some cases this may not be an option, so I was hoping for an answer or some feedback about how to make this safer.

Am I just a bit slow? Are there better methods (different ones) of passing 'hidden' data from forms to the server?

I was thinking about maybe using jQuery to add the needed hidden fields to the forms once the user had selected / submitted the form, but I am not sure if this is 100% safe or even if it's a good idea.

Any ideas / feedback are very welcome...

Many Thanks,

Glenn.

Glenn Curtis

3 Answers


I had the same problem passing the database data into a modal. The solution I know is to use jQuery AJAX to get the information from the database by requesting a file, adding it into variables and comparing the variables.

    // Fetch the server-held data with an AJAX request instead of trusting
    // values embedded in the page.
    $.ajax({
      url: "test.html",
      context: document.body
    }).done(function() {
      // Runs once the response has arrived; `this` is the context above.
      $(this).addClass("done");
    });

I used this code sample to do it. Of course, there are a few modifications to be made depending on your script.

Rotar Paul

I found a better way of doing this, at least in CakePHP. The CakePHP framework has in-built security calls. These in-built functions, when added, give you all sorts of stuff, but the main reason I used them was to stop this sort of form tampering.

I am not 100% sure how it does this, but it adds a token to all forms and it checks to see if the form being submitted is right. Again, I am not sure how the token works.

But here is the code I used:

    public function beforeFilter() {
        // Actions reachable without logging in; everything else needs Auth.
        $this->Auth->allow('index', 'SystemAccess');
        // Method the Security component calls when a request fails its checks
        // (for example, a form whose locked fields were changed).
        $this->Security->blackHoleCallback = 'blackhole';
    }

    public function blackhole($type) {
        // End the session, show a message and send the user back to the front page.
        $this->Auth->logout();
        $this->Session->setFlash('Sorry a security issue has been detected, please try again or contact us for support.', 'default', array(), 'bad');
        $this->redirect($this->Auth->redirect('/'));
    }

Now I will add that the call to Auth logout I added to this for extra security, as the user may have logged in on a system and it may not be them that is trying to do things that they should not.

Hope that helps others out!

But this is only a fix for when CakePHP is in use. I would take it that other frameworks would have their own options, but if you're only using basic HTML? Or a CMS like Drupal, again there might be in-built security.

Many Thanks

Glenn.

Glenn Curtis
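The "token added to all forms" that this answer is unsure about can be illustrated with a small added example (this is not CakePHP's own code, and it is a simplified version of the general idea rather than the Security component's exact implementation). The server computes an HMAC over the hidden values it rendered, plus the session id so the token cannot be reused from another session, and emits it as an extra hidden input; on submission it recomputes the HMAC from the posted values and rejects the form if the two do not match. The secret, field names and session id below are constructed for the example, and `edit_and_resubmit` only simulates what the question did in the inspector.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret for this example; in a real application it comes from
# configuration and is never committed with the code.
SERVER_SECRET = b"example-only-secret"

# The hidden fields the server wants to lock, using the question's field name.
LOCKED_FIELDS = ("data[user][level][id]", "data[user][active]")


def sign_locked(values, session_id, secret=SERVER_SECRET):
    """HMAC-SHA256 over the locked field values (canonical order) and the session id."""
    canonical = urlencode(sorted(values.items())) + "&sid=" + session_id
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def render_hidden_inputs(values, session_id):
    """What the server puts in the page: the hidden inputs plus a _token that binds them."""
    lines = [f'<input type="hidden" name="{n}" value="{values[n]}">' for n in sorted(values)]
    lines.append(f'<input type="hidden" name="_token" value="{sign_locked(values, session_id)}">')
    return "\n".join(lines)


def build_body(values, session_id):
    """Simulate the browser submitting the rendered form untouched."""
    return urlencode({**values, "_token": sign_locked(values, session_id)})


def edit_and_resubmit(body, name, new_value):
    """Simulate changing one hidden input in the inspector and submitting again."""
    posted = dict(parse_qsl(body, keep_blank_values=True))
    posted[name] = new_value
    return urlencode(posted)


def verify_submission(body, session_id, locked_names=LOCKED_FIELDS):
    """Server side: recompute the token from the posted locked values and compare.

    The comparison is constant-time, and both sides are encoded to bytes so a
    non-ASCII token sent by the client cannot make compare_digest raise.
    """
    posted = dict(parse_qsl(body, keep_blank_values=True))
    values = {n: posted.get(n, "") for n in locked_names}
    expected = sign_locked(values, session_id)
    return hmac.compare_digest(expected.encode(), posted.get("_token", "").encode())


if __name__ == "__main__":
    defaults = {"data[user][level][id]": "1", "data[user][active]": "1"}
    print(render_hidden_inputs(defaults, "session-abc"))
    honest = build_body(defaults, "session-abc")
    tampered = edit_and_resubmit(honest, "data[user][level][id]", "2")
    print("untouched form accepted:", verify_submission(honest, "session-abc"))
    print("edited form accepted:  ", verify_submission(tampered, "session-abc"))
```

The token only proves that the locked values are the ones the server rendered for this session; it does not by itself make the values correct, so the server still decides which values it is willing to render in the first place.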

The only safe and best solution that I found for this issue is to check on the server side whether the user_id sent with the form is the same as the user_id logged in with or not.

Although using jQuery is a good idea, it did not work in my case as I am using data: $(this).serialize(),

However, here's my code on the server side (note: I am using Laravel 5.4, but I am sure it won't matter in your case):

    // Reject the request unless the submitted user_id is the authenticated user's id.
    if ($request->user_id != Auth::user()->id)
        return json_encode("F**K YOU ! Don't Play Smart -_- !");
    else
        raw_material_category::create($request->all());

Hope this helped ;)

Karim Hazem
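This answer's server-side check and the question's original hidden-level scenario come down to the same rule, shown here in one added example that is not code from the question or from any answer: nothing in a hidden input is authoritative, so the handler takes the requester's identity from the server-side session, compares the posted user_id against it as this answer does, and assigns the new user's level and active flag from server-side defaults rather than from `data[user][level][id]` or `data[user][active]`. It is framework-agnostic Python rather than Laravel or CakePHP; the bracket-name parser, the session dict, the level ids and the submitted body are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed server-side defaults: a new account is a basic (level 1), active
# user, which is what the question tried to set through hidden inputs.
DEFAULT_LEVEL_ID = 1
ELEVATED_LEVEL_ID = 2
DEFAULT_ACTIVE = True


def parse_bracket_form(body):
    """Decode a PHP/CakePHP-style body such as data[user][level][id]=2 into nested dicts.

    Plain names (user_id=7) become top-level keys; bracketed names nest.
    """
    result = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        head = name.split("[", 1)[0]
        keys = [head] + re.findall(r"\[([^\]]*)\]", name)
        node = result
        for key in keys[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[keys[-1]] = value
    return result


def _dig(obj, *keys):
    """Walk nested dicts; return None if any step is missing or not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def handle_create_user(session, body):
    """Create a user record from a posted form without trusting its hidden fields.

    `session` is the server-side session of the authenticated requester
    (constructed here as a dict with user_id and is_admin); `body` is the raw
    form-encoded POST body.
    """
    form = parse_bracket_form(body)

    # The check from the answer above: the posted user_id must be the logged-in user's id.
    if form.get("user_id") != str(session["user_id"]):
        return {"error": "user_id does not match the authenticated session"}

    # Privilege comes from server-side state, never from the hidden input: a
    # non-admin gets the default level whatever value they edited in the inspector.
    requested_level = _dig(form, "data", "user", "level", "id")
    level_id = DEFAULT_LEVEL_ID
    if session.get("is_admin") and requested_level == str(ELEVATED_LEVEL_ID):
        level_id = ELEVATED_LEVEL_ID

    return {
        "name": _dig(form, "data", "user", "name") or "",
        "level_id": level_id,
        "active": DEFAULT_ACTIVE,  # server decides; data[user][active] is ignored
        "created_by": session["user_id"],
    }


if __name__ == "__main__":
    # Constructed submission in which the hidden level was edited from 1 to 2.
    tampered = "user_id=7&data[user][name]=alice&data[user][level][id]=2&data[user][active]=1"
    print(handle_create_user({"user_id": 7, "is_admin": False}, tampered))
    print(handle_create_user({"user_id": 9, "is_admin": False}, tampered))
```

Because the level is looked up from the session rather than copied from the form, the edited value="2" has no effect for an ordinary user, and the mismatch check rejects a form that claims to be submitted by someone else; both outcomes are decided entirely on the server, where the client cannot reach.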