
HTML data-* security


Question

I have a question about the security of the data-* attributes in HTML.  Let's say we have some AJAX function that uses a product ID of an item.  I am trying to keep my JavaScript separate from my HTML.  So I would do something like this:

<a href="Product.aspx?id=7" class="select_product" data-productid="7">Product Name</a>

With jQuery, I would then do this:

$("a.select_product").click(function(e){
     e.preventDefault();

     var id = $(this).data("productid");

     //validate if ID is an integer
     if(isInt(id)){
          //call AJAX function
     }
});

So I validate the user input, but how can I validate that the specific product has that valid ID?  What is preventing somebody from using one of the many developer tools and changing data-productid to 8 or some other integer?

https://www.neowin.net/forum/topic/1218851-html-data-security/

6 answers to this question

Recommended Posts

  • 0

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
    // read the attribute once, when the page is ready
    var id = $(this).data("productid");

    $(this).click(function(e){
        e.preventDefault();

        //validate if ID is an integer (isInt is the helper from the question)
        if(isInt(id)){
            //call AJAX function
        }
    });
});

Would this work...?

  • 0

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase: you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX; get it from your database, based on the supplied ID of the item being purchased, and don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

  • 0
  On 21/06/2014 at 15:34, lunamonkey said:

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
    // read the attribute once, when the page is ready
    var id = $(this).data("productid");

    $(this).click(function(e){
        e.preventDefault();

        //validate if ID is an integer (isInt is the helper from the question)
        if(isInt(id)){
            //call AJAX function
        }
    });
});

Would this work...?

 

Work to stop me from modifying the javascript/jQuery in the page and getting a different ID sent to the server via AJAX? No! I could always save an offline copy of the webpage to my computer, modify the code, open it in my browser and submit the form / AJAX request / whatever.

  • 0

There's no way to prevent someone from changing values client-side; you could set the ID in a database server-side before you send the page, and after the user clicks the href you can check that value against the server-side value.

  • 0
  On 21/06/2014 at 15:35, theblazingangel said:

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase: you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX; get it from your database, based on the supplied ID of the item being purchased, and don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

 

Yeah of course the AJAX function will just retrieve the price and other stats from the database.  The only thing it will send is the ID of the product, everything else will be retrieved from the server side (if it is in stock, price, ...).  I guess it really doesn't matter.  They can use developer tools to modify the href attribute too.

 

Thanks!
