Many people are aware that people can edit the html source code of a website using the inspect element function available on most browsers. This is pretty harmless since the edits just take place on the local machine, and not on the actual website. I’m worried about one security issue it might have though and I’m wondering if anyone knows the answer to it.
How might this function effect forms that are submitted. Fields can often be made hidden and store a value that is necessary to run a certain query. I’m wondering if people changed that value on the hidden field could that compromise the security of the site? Is there any security threat associated with this? I have a way to easily defend it, but I was just wondering if it was a flaw worth defending against.
Thanks for the help.
Yes, yes it is a huge security issue.
Never trust data provided by the user, which means, by proxy, by the web page submission.
This can of course have negative effect.
You have to make sure that important values from your form weren’t changed by your visitor.
For example in a select input, make sure that the selected value is one you have put in the code yourself server-side.
Yes, this is definitely something not only worth considering, but mandatory.
This is why client side validation is not enough, and you need server side validation for everything.
There are many things to say here, but here are some of the checks you should consider:
- length of text inputs (where they apply, and they should apply in most cases).
- characters allowed. I doubt there are many names that have numbers in them.
- type of data (if you’re expecting a number, make sure it’s a number).
- make sure the values received from selects and checkboxes are actually in the list of expected data
- specific formats (for example email addresses).
- check the file extension, MIME type and size for uploaded files
And more, this is all I can think of at the moment.