• 0

HTML data-* security


Question

I have a question about the security of the data-* attributes in HTML.  Lets say we have some AJAX function that uses a product ID of an item.  I am trying to keep my javascript separate from my HTML.  So I would do something like this:

<a href="Product.aspx?id=7" class="select_product" data-productid="7">Product Name</a>

With jQuery, I would then do this:

$("a.select_product").click(function(e){
     e.preventDefault();

     var id = $(this).data("productid");

     //validate if ID is an integer
     if(isInt(id)){
          //call AJAX function
     }
});

So I validate the user input, but how can I validate that the specific product has that valid ID?  What is preventing somebody from using one of the many developer tools and changing data-productid to 8 or some other integer?

Link to comment
https://www.neowin.net/forum/topic/1218851-html-data-security/
Share on other sites

6 answers to this question

Recommended Posts

  • 0

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object. so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
 
var id = $(this).data("productid");
 
$(this).click(function(e){     
e.preventDefault();
     
     //validate if ID is an 
integer     
if(isInt(id)){          //call 
AJAX function     }});
 
});

Would this work...?

  • 0

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory forms fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain ID's, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX, get it from your database, and get it based on the supplied ID of the item being purchase, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

  • Like 1
  • 0
  On 21/06/2014 at 15:34, lunamonkey said:

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object. so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
 
var id = $(this).data("productid");
 
$(this).click(function(e){     
e.preventDefault();
     
     //validate if ID is an 
integer     
if(isInt(id)){          //call 
AJAX function     }});
 
});

Would this work...?

 

Work to stop me from modifying the javascript/jQuery in the page and getting a different ID sent to the server via AJAX? No! I could always save an offline copy of the webpage to my computer, modify the code, open it in my browser and submit the form / AJAX request / whatever.

  • 0

There's no way to prevent someone from changing values clientside, you could set the id in a database server side before you sent the page and after the user clicks the href you can check that value with the server side value.

  • 0
  On 21/06/2014 at 15:35, theblazingangel said:

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory forms fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain ID's, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX, get it from your database, and get it based on the supplied ID of the item being purchase, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

 

Yeah of course the AJAX function will just retrieve the price and other stats from the database.  The only thing it will send is the ID of the product, everything else will be retrieved from the server side (if it is in stock, price, ...).  I guess it really doesn't matter.  They can use developer tools to modify the href attribute too.

 

Thanks!

This topic is now closed to further replies.
  • Posts

    • Display Driver Uninstaller (DDU) 18.1.1.4 by Razvan Serea Display Driver Uninstaller (DDU) is a utility for completely removing AMD/NVIDIA/INTEL graphics drivers and related packages from your system, attempting to eliminate all leftovers (including registry entries, folders and files, driver store). Though AMD/NVIDIA/INTEL drivers can usually be removed via the Windows Control Panel, this uninstaller tool was created for situations where standard uninstall fails, or when you need to fully remove NVIDIA or ATI graphics card drivers. After using this driver cleaner, your system will behave as though it’s the first time you’re installing a new driver—similar to a fresh Windows installation. As with all such tools, we recommend creating a restore point beforehand, allowing you to undo changes if issues arise. If you're having trouble installing an older or newer driver, try it—there are reports that it resolves such problems. Recommended usage: The tool can be used in Normal mode but for absolute stability when using DDU, Safemode is always the best. Make a backup or a system restore (but it should normally be pretty safe). It is best to exclude the DDU folder completely from any security software to avoid issues. You do NOT need to uninstall the driver prior using DDU. Requirements: .NET Framework 4.8 Compatible with Windows 7, 8, 8.1, 10, and 11 (32-bit or 64-bit) Note: Using on Insider Preview builds is at your own risk. Display Driver Uninstaller (DDU) 18.1.1.4 changelog: Intel: Added NPU presence detection before removing shared DLL files (these were previously left to prevent potential NPU-related issues). Intel: Added optional NPU removal Improved "Extension" driver removal process. Updated several translations. Download: Display Driver Uninstaller 18.1.1.4 | 1.7 MB (Freeware) Download: DDU Portable | 1.2 MB Links: Display Driver Uninstaller Home Page | Screenshot | Forum Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • That is what I also think to a point. How is 26 necessarily different than just another iteration like 18, 19, 20, etc? At first I think it would be better for Apple to use 2026, 2027, and then maybe truncate it to just 28, 29, and so on. Granted, I also think it makes more sense to use the year when it was released (2025 or 25), not 26/2026. Maybe Apple's thinking is as stated by Aditya that the bulk of a release being the current release is during the following year (2026, for example) after it is released (2025, for example). There are other examples of these sorts of things. In the NBA, the season has always started in the Fall and ends in the Spring. When the season ends is how the season is named. So, this is the 2025 NBA season and the Pacers and Thunder are playing to be the 2025 NBA Champions. The NFL starts in the Fall and the end of the season is always in the beginning of the next year as well. The Super Bowl was played on February 9, 2025, but that was the end of the 2024 NFL season. So, contrary to the NBA, the NFL names it season based on when it starts, not when it ends. Maybe that is because more of the NFL season is played at the end of the year (2024 in the most recent example) whereas most of the NBA season is played in the first half of the following year (2025 in the current example).
    • Years ago I was at COMDEX in Las Vegas and a pit boss told me all the casino hotel staff said of the geeks "They bring one clean shirt and a $10 bill and they don't change either one all week..."
    • I really hate Capcom for cutting all that content on RE3 Remake. It could have been a masterpiece like 2 Remake was.
    • Yes. Wouldn't want to confuse anyone from 1926 or 3026 who might look at it.
  • Recent Achievements

    • Week One Done
      abortretryfail earned a badge
      Week One Done
    • First Post
      Mr bot earned a badge
      First Post
    • First Post
      Bkl211 earned a badge
      First Post
    • One Year In
      Mido gaber earned a badge
      One Year In
    • One Year In
      Vladimir Migunov earned a badge
      One Year In
  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      snowy owl
      252
    3. 3
      +FloatingFatMan
      251
    4. 4
      ATLien_0
      228
    5. 5
      +Edouard
      191
  • Tell a friend

    Love Neowin? Tell a friend!