13

I am developing a simple web app that allows users to key in information using a form, when I discovered I could edit that form's input default value using Chrome -> Check Element and submit the page with a different hacked value.

Code:

<input id="radioOk_100237" name="radio_100237" type="radio" checked="" value="0"> 

As normal, I load the page, then, using Google Chrome Check Element, I targeted this checkbox and changed the value to "9" before submitting it; in my background page, it reads "9" instead of the pre-set value of "0" from this input element.

If every user changed the value and submitted, it would completely thrash my DB. How is this possible, and am I supposed to encrypt the page or do something prior to submitting? I am totally lost; btw I am using PHP.

maomaopop
  • 290
  • 1
  • 4
  • 19
  • 8
    This is why we are supposed to validate and sanitise our user input on the server before doing anything remotely database-related. – Ross May 29 '11 at 15:04
  • That's only one reason why you should always sanitize and validate user input on server-side. – Jürgen Thelen May 29 '11 at 15:04

4 Answers

22

For typical users, you can just add the attribute readonly to the form field(s).

For more advanced users/hackers that try to manipulate your server, you need to validate every piece of data that is submitted to ensure that tampering is caught and rejected. There is no client-side technique for this that is tamper-proof.

AJ.
  • 27,586
  • 18
  • 84
  • 94
3

You could check for the correct kind of value on the server side. In fact, you should check every piece of data sent from the client side to prevent an attack.

kentverger
  • 475
  • 1
  • 5
  • 19
  • That sounds like a lot of work, I thought there were a simpler method. Thanks. – maomaopop May 29 '11 at 15:10
  • @mmk: well, Security Is Hard. Note that some PHP frameworks (e.g. Symfony) have ways of automating the most common validation (so that you don't need to write all of the validation code yourself). – Piskvor left the building May 29 '11 at 15:12
  • You can't trust client-side validation; if a malicious user wants to send data to manipulate your server, they can do it easily. I know that sounds like a lot of work, but there are frameworks that help you with these kinds of things; look for codeigniter.com – kentverger May 29 '11 at 15:16
  • @Piskvor, I am so naive about web security until 10 mins ago about my discovery that left me dumbfounded. I think I need to review my entire site again. :( – maomaopop May 29 '11 at 15:18
3

You need to be doing server-side validation, to make sure the values you get from your client app make sense. If you know that a value of "9" will "thrash your DB", don't accept values of 9 from the client.

Obligatory XKCD link: http://xkcd.com/327/

eaolson
  • 14,717
  • 7
  • 43
  • 58
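The three answers above all come down to the same thing: decide on the server which values are acceptable and reject everything else before the database is touched. Here is what that looks like in PHP for the radio field from the question. This is an added example, not code from any of the answerers; the field name radio_100237 comes from the question, while the allowed option list, the error handling and the in-memory SQLite table are assumptions made for the example.

```php
<?php
// Added example: server-side allow-list validation of the posted radio value.
// "radio_100237" is the field name from the question; everything else is assumed.
declare(strict_types=1);

/**
 * Return the validated value of a radio field, or null if the submitted value
 * is missing, has the wrong shape, or is not one of the options the form offered.
 *
 * @param array<string,mixed> $post    the raw $_POST array
 * @param string              $field   the form field name
 * @param list<string>        $allowed the exact option values rendered in the form
 */
function validateRadio(array $post, string $field, array $allowed): ?string
{
    // A radio group that was not submitted, or was submitted as an array
    // (e.g. radio_100237[]=0), counts as invalid, not as "use the default".
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    // Strict comparison (third argument true): "9" must literally equal one of
    // the rendered options; loose comparison would let "0abc" match "0".
    return in_array($post[$field], $allowed, true) ? $post[$field] : null;
}

// Options the form actually rendered for this group. The question only shows
// the option with value "0"; the "1" option is assumed for the example.
$allowedOptions = ['0', '1'];

$value = validateRadio($_POST, 'radio_100237', $allowedOptions);

if ($value === null) {
    // Reject the whole request before any database work happens. The value "9"
    // from the question ends up here.
    http_response_code(400);
    exit('Invalid form submission.');
}

// Only a validated value reaches this point, and it is still bound as a
// parameter rather than concatenated into the SQL string.
$pdo = new PDO('sqlite::memory:'); // placeholder DSN for the example
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, choice TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO answers (choice) VALUES (:choice)');
$stmt->execute([':choice' => $value]);
```

The readonly attribute mentioned in the first answer only stops the browser's UI from changing the field; it does nothing against an edited DOM or a hand-built POST, which is why the check lives entirely in validateRadio and runs on every request.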
2

You can't prevent users from modifying, adding or removing elements in the DOM. If you want that kind of control you should store the values of the elements you are outputting in an object and then compare what's coming in with the form post.

There are a million ways of doing this; if you want, I'll post an example.

Eric Herlitz
  • 25,354
  • 27
  • 113
  • 157
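One way to do what this answer describes, recording the option values the server rendered and comparing the POST against that record, is shown below. This is an added example rather than Eric Herlitz's own code; the field name radio_100237 is from the question, and the option labels, the session key and the rendering helper are assumptions.

```php
<?php
// Added example: remember server-side which option values each radio group was
// rendered with, then check the submitted values against that record.
declare(strict_types=1);

session_start();

const FORM_STATE_KEY = 'rendered_form_options'; // assumed session key

/**
 * Render a radio group and store its option values in the session so the
 * submission can be checked against exactly what the page offered.
 *
 * @param array<string,string> $options value => label
 */
function renderRadioGroup(string $name, array $options, string $checked): string
{
    // PHP turns numeric string keys ("0", "1") into ints; store them as strings
    // so the later strict comparison against $_POST strings works.
    $_SESSION[FORM_STATE_KEY][$name] = array_map('strval', array_keys($options));

    $html = '';
    foreach ($options as $value => $label) {
        $value = (string) $value;
        $html .= sprintf(
            '<label><input type="radio" name="%s" value="%s"%s> %s</label>',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
            $value === $checked ? ' checked' : '',
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

/**
 * Compare the posted values with the recorded options. Returns the names of
 * fields whose value is missing or was not among the rendered options.
 *
 * @param array<string,mixed>         $post     the raw $_POST array
 * @param array<string,list<string>>  $rendered field => allowed values
 * @return list<string>
 */
function tamperedFields(array $post, array $rendered): array
{
    $bad = [];
    foreach ($rendered as $field => $allowed) {
        $submitted = $post[$field] ?? null;
        if (!is_string($submitted) || !in_array($submitted, $allowed, true)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // No record at all (expired session, direct POST) is treated as tampering too.
    $rendered = $_SESSION[FORM_STATE_KEY] ?? null;
    $bad = $rendered === null ? ['(no rendered form on record)'] : tamperedFields($_POST, $rendered);

    if ($bad !== []) {
        http_response_code(400);
        exit('Rejected: unexpected value for ' . htmlspecialchars(implode(', ', $bad), ENT_QUOTES, 'UTF-8'));
    }

    // Every recorded field holds one of its rendered values; $_POST['radio_100237']
    // is now safe to use. Drop the record so it cannot be replayed.
    unset($_SESSION[FORM_STATE_KEY]);
    echo 'Saved choice: ' . htmlspecialchars($_POST['radio_100237'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form method="post">';
    echo renderRadioGroup('radio_100237', ['0' => 'No', '1' => 'Yes'], '0');
    echo '<button type="submit">Submit</button></form>';
}
```

Compared with a hard-coded allow-list, this keeps the check tied to what was actually rendered, which matters when the options are built per user or per record; the cost is that the check depends on session state, so a missing record has to be rejected rather than waved through.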