HTML data-* security


Question

I have a question about the security of the data-* attributes in HTML.  Let's say we have some AJAX function that uses a product ID of an item.  I am trying to keep my JavaScript separate from my HTML.  So I would do something like this:

<a href="Product.aspx?id=7" class="select_product" data-productid="7">Product Name</a>

With jQuery, I would then do this:

$("a.select_product").click(function(e){
     e.preventDefault();

     var id = $(this).data("productid");

     //validate if ID is an integer
     if(isInt(id)){
          //call AJAX function
     }
});

So I validate the user input, but how can I validate that the specific product has that valid ID?  What is preventing somebody from using one of the many developer tools and changing data-productid to 8 or some other integer?

6 answers to this question

  • 0

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
     var id = $(this).data("productid");

     $(this).click(function(e){
          e.preventDefault();

          //validate if ID is an integer
          if(isInt(id)){
               //call AJAX function
          }
     });
});

Would this work...?

  • 0

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX, get it from your database, and get it based on the supplied ID of the item being purchased, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

  • Like 1
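The server-side checks described in the answer above, as an added example that is not part of the original post: the handler validates the submitted ID, checks it against the user's allowed list, verifies a CSRF token, and reads the price from its own records. `PRODUCTS`, `SESSIONS`, `selectProduct` and the request shape are hypothetical, and the in-memory maps are constructed stand-ins for a database and session store.

```javascript
// Constructed sample data standing in for the database and session store.
const PRODUCTS = new Map([
  [7, { name: "Product Name", priceCents: 1999, inStock: true }],
  [8, { name: "Other Product", priceCents: 4999, inStock: true }],
  [9, { name: "Sold Out", priceCents: 999, inStock: false }],
]);
const SESSIONS = new Map([
  ["sess-alice", { user: "alice", csrfToken: "tok-a1", allowedIds: new Set([7, 9]) }],
]);

// Compare two strings without exiting early on the first mismatch.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hypothetical handler for the AJAX call; `req` is { sessionId, csrfToken, body }.
function selectProduct(req) {
  const session = SESSIONS.get(req.sessionId);
  if (!session) return { status: 401, error: "not logged in" };
  if (!safeEqual(req.csrfToken, session.csrfToken)) {
    return { status: 403, error: "bad CSRF token" };
  }

  // The ID arrives as text from the client; accept only plain decimal digits.
  const raw = String(req.body?.productid ?? "");
  if (!/^[1-9][0-9]{0,8}$/.test(raw)) return { status: 400, error: "invalid product id" };
  const id = Number(raw);

  // A well-formed ID still has to exist and be permitted for this user.
  const product = PRODUCTS.get(id);
  if (!product) return { status: 404, error: "no such product" };
  if (!session.allowedIds.has(id)) {
    return { status: 403, error: "product not allowed for this user" };
  }

  // Price and stock come from the server's own record; req.body.price is ignored.
  return { status: 200, id, name: product.name,
           priceCents: product.priceCents, inStock: product.inStock };
}
```

Changing data-productid from 7 to 8 in developer tools produces a well-formed request, and it is the allowed-list lookup on the server, not the integer check, that rejects it.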
  • 0
  On 21/06/2014 at 15:34, lunamonkey said:

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object, so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
     var id = $(this).data("productid");

     $(this).click(function(e){
          e.preventDefault();

          //validate if ID is an integer
          if(isInt(id)){
               //call AJAX function
          }
     });
});

Would this work...?

 

Work to stop me from modifying the javascript/jQuery in the page and getting a different ID sent to the server via AJAX? No! I could always save an offline copy of the webpage to my computer, modify the code, open it in my browser and submit the form / AJAX request / whatever.

  • 0

There's no way to prevent someone from changing values client-side. You could set the id in a database server-side before you send the page, and after the user clicks the href you can check that value with the server-side value.

  • 0
  On 21/06/2014 at 15:35, theblazingangel said:

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory form fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain IDs, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX, get it from your database, and get it based on the supplied ID of the item being purchased, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

 

Yeah of course the AJAX function will just retrieve the price and other stats from the database.  The only thing it will send is the ID of the product, everything else will be retrieved from the server side (if it is in stock, price, ...).  I guess it really doesn't matter.  They can use developer tools to modify the href attribute too.

 

Thanks!

This topic is now closed to further replies.