
HTML data-* security


Question

I have a question about the security of the data-* attributes in HTML. Let's say we have some AJAX function that uses a product ID of an item. I am trying to keep my JavaScript separate from my HTML. So I would do something like this:

<a href="Product.aspx?id=7" class="select_product" data-productid="7">Product Name</a>

With jQuery, I would then do this:

$("a.select_product").click(function(e){
    e.preventDefault();

    var id = $(this).data("productid");

    // validate if ID is an integer (isInt is a helper defined elsewhere in the page)
    if(isInt(id)){
        // call AJAX function
    }
});

So I validate the user input, but how can I validate that the specific product has that valid ID?  What is preventing somebody from using one of the many developer tools and changing data-productid to 8 or some other integer?

https://www.neowin.net/forum/topic/1218851-html-data-security/

6 answers to this question


Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

Run this on ready:

$("a.select_product").each(function(){
    var id = $(this).data("productid");

    $(this).click(function(e){
        e.preventDefault();

        //validate if ID is an integer
        if(isInt(id)){
            //call AJAX function
        }
    });
});

Would this work...?


Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase: you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX; get it from your database, based on the supplied ID of the item being purchased, and don't make any assumptions if there are any to be made.

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc., it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

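The server-side checks this answer calls for, written out as an added example that is not code from the thread: a framework-free request handler that re-validates the integer, checks the supplied ID against the user's allowed products, takes the price from the server's own catalog, and verifies a CSRF token. The catalog, entitlement table, token store and the request shape are constructed, in-memory stand-ins with hypothetical names.

```javascript
// Added example, not from the thread: the server-side checks described above,
// as a framework-free request handler. The catalog, per-user entitlements,
// CSRF token store and request shape are constructed, in-memory stand-ins.

const CATALOG = new Map([            // product id -> price in cents (server's copy)
  [7, 1999],
  [8, 4999],
]);
const ALLOWED_PRODUCTS = new Map([   // user id -> product ids that user may buy
  ["alice", new Set([7])],
]);
const CSRF_TOKENS = new Map([        // session id -> token issued with the page
  ["sess-1", "tok-abc"],
]);

// Same rule the page's client-side isInt() enforces, repeated here because
// the client-side copy can be bypassed with developer tools.
function isInt(value) {
  return /^\d+$/.test(String(value));
}

// req = { sessionId, userId, csrfToken, productId }. The client sends only
// the product id; price and everything else come from the server's records.
function handleOrder(req) {
  // CSRF: the token must match the one issued for this session.
  // (Production code should use a constant-time comparison.)
  const expected = CSRF_TOKENS.get(req.sessionId);
  if (!expected || expected !== req.csrfToken) {
    return { status: 403, error: "bad csrf token" };
  }
  // Input validation: reject anything that is not an integer.
  if (!isInt(req.productId)) {
    return { status: 400, error: "product id must be an integer" };
  }
  const id = Number(req.productId);
  // Authorization: a well-formed id is not enough; it must be one this
  // user is allowed to buy, so data-productid="8" is refused for alice.
  const allowed = ALLOWED_PRODUCTS.get(req.userId);
  if (!allowed || !allowed.has(id)) {
    return { status: 403, error: "product not permitted for this user" };
  }
  // Price comes from the server-side catalog, never from the request.
  const price = CATALOG.get(id);
  if (price === undefined) {
    return { status: 404, error: "unknown product" };
  }
  return { status: 200, productId: id, price };
}
```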
  On 21/06/2014 at 15:34, lunamonkey said:

Would this work...?

 

Work to stop me from modifying the javascript/jQuery in the page and getting a different ID sent to the server via AJAX? No! I could always save an offline copy of the webpage to my computer, modify the code, open it in my browser and submit the form / AJAX request / whatever.


There's no way to prevent someone from changing values client-side. You could set the ID in a database server-side before you send the page, and after the user clicks the href you can check that value against the server-side value.

  On 21/06/2014 at 15:35, theblazingangel said:


Yeah, of course the AJAX function will just retrieve the price and other stats from the database. The only thing it will send is the ID of the product; everything else will be retrieved on the server side (if it is in stock, price, ...). I guess it really doesn't matter. They can use developer tools to modify the href attribute too.

 

Thanks!

This topic is now closed to further replies.