We are trying to implement an 'Event Tracking' mechanism (recording/logging clicks, scrolls and other actions on the UI of the web application) on our web application.

Should 'Event Tracking' be tied to a session? I noticed that a lot of Event Tracking endpoints allow their users to intercept the request and freely change the content (userId, eventTime, etc.). Being able to freely change the content would allow attackers to alter the Event Tracking data, which would produce inaccurate data for the internal team, right?

Should developers perform a check whether the userID is the same as the user currently issuing the request first?

  • I think any answer would depend on what you mean by "Event Tracking" – schroeder Sep 10 '21 at 07:30
  • Hi, what I mean by 'Event Tracking' is recording/logging clicks, scrolls and other actions on the UI of the web application. I guess this is mainly for UI/UX research and maybe security? I don't really have experience with this. @schroeder – Emanuel Beni Sep 10 '21 at 08:44
  • I added a link to the relevant OWASP section you mention, and that seems to answer whether 'Event Tracking' might fall under a *security* weakness. Your case seems far more like a UI/UX research application. So, in the end, I think this is more of a programming question than a security question: "how can I make sure data collected from the client is correctly attributed to the user?" – schroeder Sep 10 '21 at 08:57
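One way to implement the check the question asks about, as an added example that is not from the question or any answer (the session lookup, field names and event types are assumptions): the server derives `userId` and `eventTime` from its own session and clock, never from the request body, and only records whether the client-supplied `userId` disagreed so the internal team can spot tampering.

```python
import json
import time
from typing import Any, Dict, Optional

# Assumed allowlist of event types the UI is expected to emit.
ALLOWED_EVENT_TYPES = {"click", "scroll", "view"}
MAX_PAYLOAD_BYTES = 2048


class EventRejected(ValueError):
    """Raised when a client-submitted event fails validation."""


def ingest_event(session_user_id: str, raw_body: bytes,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Build a tracking record that trusts the session, not the body.

    session_user_id: user id resolved server-side from the session cookie
                     (hypothetical lookup, done by the caller).
    raw_body:        request body exactly as the browser sent it.
    now:             server clock in epoch seconds; injectable for tests.
    """
    if len(raw_body) > MAX_PAYLOAD_BYTES:
        raise EventRejected("payload too large")
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        raise EventRejected("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise EventRejected("body must be a JSON object")

    event_type = body.get("event")
    if event_type not in ALLOWED_EVENT_TYPES:
        raise EventRejected(f"unknown event type: {event_type!r}")

    # A client-sent userId is never copied into the record. If it differs
    # from the session's user, flag the record rather than silently trust it.
    mismatch = "userId" in body and str(body["userId"]) != session_user_id

    return {
        "userId": session_user_id,                             # from session
        "eventTime": now if now is not None else time.time(),  # server clock
        "event": event_type,
        "target": str(body.get("target", ""))[:200],           # bounded text
        "clientUserIdMismatch": mismatch,                      # for review
    }
```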