HTML data-* security


Question

I have a question about the security of the data-* attributes in HTML.  Let's say we have some AJAX function that uses a product ID of an item.  I am trying to keep my JavaScript separate from my HTML.  So I would do something like this:

<a href="Product.aspx?id=7" class="select_product" data-productid="7">Product Name</a>

With jQuery, I would then do this:

// helper referenced below: true only for a string/number made of decimal digits
function isInt(v){
     return /^\d+$/.test(String(v));
}

$("a.select_product").click(function(e){
     e.preventDefault();

     var id = $(this).data("productid");

     //validate if ID is an integer
     if(isInt(id)){
          //call AJAX function
     }
});

So I validate the user input, but how can I validate that the specific product has that valid ID?  What is preventing somebody from using one of the many developer tools and changing data-productid to 8 or some other integer?

https://www.neowin.net/forum/topic/1218851-html-data-security/

6 answers to this question

Recommended Posts


Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

 

Run this on ready:

// isInt as in the question: true only for a value made of decimal digits
function isInt(v){ return /^\d+$/.test(String(v)); }

$("a.select_product").each(function(){
     // read the attribute once, at ready time, and keep it in this closure
     var id = $(this).data("productid");

     $(this).click(function(e){
          e.preventDefault();

          //validate if ID is an integer
          if(isInt(id)){
               //call AJAX function
          }
     });
});

Would this work...?


Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX; get it from your database, and get it based on the supplied ID of the item being purchased, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

  On 21/06/2014 at 15:34, lunamonkey said:

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

 

Run this on ready:

// isInt as in the question: true only for a value made of decimal digits
function isInt(v){ return /^\d+$/.test(String(v)); }

$("a.select_product").each(function(){
     // read the attribute once, at ready time, and keep it in this closure
     var id = $(this).data("productid");

     $(this).click(function(e){
          e.preventDefault();

          //validate if ID is an integer
          if(isInt(id)){
               //call AJAX function
          }
     });
});

Would this work...?

 

Work to stop me from modifying the javascript/jQuery in the page and getting a different ID sent to the server via AJAX? No! I could always save an offline copy of the webpage to my computer, modify the code, open it in my browser and submit the form / AJAX request / whatever.


There's no way to prevent someone from changing values client-side. You could set the ID in a database server-side before you send the page, and after the user clicks the href you can check that value with the server-side value.

  On 21/06/2014 at 15:35, theblazingangel said:

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX; get it from your database, and get it based on the supplied ID of the item being purchased, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

 

Yeah, of course the AJAX function will just retrieve the price and other stats from the database.  The only thing it will send is the ID of the product; everything else will be retrieved from the server side (if it is in stock, price, ...).  I guess it really doesn't matter.  They can use developer tools to modify the href attribute too.

 

Thanks!

This topic is now closed to further replies.