
I have a browser application, and I have a select box. This select box is normally available for interaction, but I need to hide it in case it is locked down. For that, I have set up several security layers:

1: Javascript

```javascript
// The code underneath prevents right-click as well as other inspect element interactions

// Wait for document to be ready before doing JS / jQuery magic
$(document).ready(function () {
    $(document).bind("contextmenu", function (e) {
        e.preventDefault();
    });

    $(document).keydown(function (event) {
        if (event.keyCode === 123) { // Prevent F12
            return false;
        } else if (event.ctrlKey && event.shiftKey && event.keyCode === 73) { // Prevent Ctrl+Shift+I
            return false;
        }
    });

    // elem is the jQuery object for the select box (defined elsewhere in the asker's code)
    elem.hide(); // prevents the user from seeing it
});
```

2: The problem is:

When a user sets JS in Chrome to be disabled, he can access inspect element and then remove the hidden/disabled attribute from a button. Is there any way this security issue can be tackled?

Rohit Sharma
Justin Boxem
  • You don't control the browser. The user does. – John Conde Apr 25 '18 at 13:20
  • There is only one solution -- don't render the select box from the server at all. – 31piy Apr 25 '18 at 13:21
  • Client-side JavaScript is never useful as a "security layer". – Pointy Apr 25 '18 at 13:21
  • Remove it via JS – Gerardo BLANCO Apr 25 '18 at 13:21
  • I'm sorry, but I think that you can't do that. Anything you do related to JS will show up in the resources of the page and the user can play around with it. You can confuse him a little bit by minifying the JS file. – Aleksandar Đokić Apr 25 '18 at 13:22
  • I understand, however the select box is necessary for allowed interaction because it sends an ID to a PHP function to handle for a DB query. Even a back-end check would still get me to disabling a button, and again, that can be disabled by your tech-savvy-hacker type of user. – Justin Boxem Apr 25 '18 at 13:24
  • Click into the url entry bar and then hit F12, or your other shortcut keys, your security has been bypassed. Not to mention with jQuery a user could just do `jQuery.off('keydown contextmenu')`. – Patrick Evans Apr 25 '18 at 13:25
  • Mhm, that is the entire point of my question: An absolute safeguard to prevent the user to pry his/her access to my button and then send data. – Justin Boxem Apr 25 '18 at 13:26
  • Look into PHP `$_SESSION`s if you need something to exist for the DB but don't want to load it as an element in the HTML. JavaScript and HTML should never be considered for "security" -- if the problem must be secure, then you may need to rethink your original solution. – Doug Apr 25 '18 at 13:28
  • It's based on employee input. The employee selects a status with the dropdown. – Justin Boxem Apr 25 '18 at 13:37
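
The approach the comments point to (do not render the control when it is locked, and re-check every request on the server), as an added example that is not part of the original thread. It is written in JavaScript to match the page's code but models the server-side handler, the role played by the PHP function in the asker's setup; the record store, status list, ownership rule and function names are constructed assumptions.

```javascript
// Added example: server-side enforcement. All names and data are constructed.
const ALLOWED_STATUSES = new Set(["open", "in_progress", "done"]);

// Constructed stand-in for the database table behind the server-side function.
const records = new Map([
  [101, { owner: "alice", locked: false, status: "open" }],
  [102, { owner: "alice", locked: true, status: "done" }],
]);

// session: data held on the server (e.g. a PHP $_SESSION), never the request body.
// body: whatever the browser sent; treated as untrusted input.
function handleStatusUpdate(session, body) {
  if (!session || !session.user) return { code: 401, error: "not logged in" };

  const id = Number(body && body.id);
  const record = Number.isInteger(id) ? records.get(id) : undefined;
  if (!record) return { code: 404, error: "unknown record" };

  // Assumed authorization rule: only the owner may change the status.
  if (record.owner !== session.user) return { code: 403, error: "not allowed" };

  // Lock state comes from the server's own data. A "locked" field in the
  // request, or a select box un-hidden in dev tools, changes nothing here.
  if (record.locked) return { code: 423, error: "record is locked" };

  if (typeof body.status !== "string" || !ALLOWED_STATUSES.has(body.status)) {
    return { code: 400, error: "invalid status" };
  }

  record.status = body.status;
  return { code: 200, status: record.status };
}

// The server decides whether the select box is emitted at all; when the
// record is locked there is nothing in the page to un-hide.
function renderStatusControl(session, id) {
  const record = records.get(id);
  if (!session || !record || record.locked || record.owner !== session.user) return "";
  const options = [...ALLOWED_STATUSES]
    .map((s) => `<option${s === record.status ? " selected" : ""}>${s}</option>`)
    .join("");
  return `<select name="status" data-id="${id}">${options}</select>`;
}
```

Hiding the element in the browser then becomes a usability detail only: a hand-crafted request for a locked record gets the same refusal as one sent from a tampered page.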
