28
Mitiko
2y

You can't build a webapp and trust people won't mess with the browser

Comments
  • 0
    Weird thing is they actually used IE instead of Chrome or Edge
  • 8
    Eh? You can not disable the developer console on the browser. Even if you "disable" it in electron there are still ways to get that console there.
  • 0
    @fuckwit Didn't know that... this means the whole idea to make it web was doomed
  • 1
    Someone actually changed the contents of the web app using console? Is this a sanitization problem?
  • 16
    On the client's end, a web app is pretty much at the mercy of any browser. There's not much you could do there for security.

    What you should actually be worried about is the kind of data passed by the app to the server. Take good measures to ensure that it's exactly what the server expects by use of proper validations and filters.

    Client side validation is a fucking joke.
  • 3
    @Mitiko any scripts that run client side can be modified and manipulated. There is nothing you can do to stop that. What you can do is validate on the server side to make sure nothing malicious can come through or do anything.
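    Added example (not code from the thread or from any poster): one way to do the server-side validation the two comments above describe, for a kiosk sign-in form like the one in the rant. The field names, limits and sample payloads are assumptions made for illustration; the server treats the request body as untrusted because anything the client-side script checked can be changed in dev tools.

```javascript
// Added example: server-side re-validation of a kiosk sign-in payload.
// Field names and limits are assumptions, not from the original thread.
const SCHEMA = {
  name:   { type: 'string', maxLen: 64,  pattern: /^[\p{L} .'-]+$/u },
  email:  { type: 'string', maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  visits: { type: 'number', min: 0, max: 1000 },
};

// Returns { ok: true, value } for a clean payload, { ok: false, errors } otherwise.
function validateSignIn(body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  // Reject keys the real form never sends (e.g. an added "isAdmin": true).
  for (const key of Object.keys(body)) {
    if (!(key in SCHEMA)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(SCHEMA)) {
    const v = body[key];
    if (v === undefined) { errors.push(`missing field: ${key}`); continue; }
    if (typeof v !== rule.type) { errors.push(`${key}: expected ${rule.type}`); continue; }
    if (rule.type === 'string') {
      // Length check first, then an allow-list pattern (rejects markup such as "<script>").
      if (v.length > rule.maxLen) errors.push(`${key}: too long`);
      else if (!rule.pattern.test(v)) errors.push(`${key}: invalid characters`);
    } else if (!Number.isInteger(v) || v < rule.min || v > rule.max) {
      errors.push(`${key}: out of range`);
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: { ...body } };
}

// Constructed sample payloads: one as the form would send it, one edited in dev tools.
const GOOD = { name: 'Ada Lovelace', email: 'ada@example.com', visits: 3 };
const TAMPERED = {
  name: '<script>alert(1)</script>', email: 'ada@example.com', visits: -1, isAdmin: true,
};

console.log(validateSignIn(GOOD));      // { ok: true, value: {...} }
console.log(validateSignIn(TAMPERED));  // { ok: false, errors: [ ...3 entries ] }
```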
  • 13
    Oh no, they changed the displayed markup on their end! Whatever shall I do? 🙄
  • 2
    @Root R.I.P webapp, gone too soo- oh it refreshed
  • 3
    Such 1337 AF h4x0rman :P
  • 3
    @bigus-dickus client side validation is there for UX experience and to save server load and bandwidth.
  • 5
    @Braed yeah but from a security standpoint, it's total shit. I've known developers who've only relied on client side validation alone.
  • 0
    @yatanvesh I did.
    @bigus-dickus Don't develop PWAs for when the whole system is given to the user to log in. Also client-side validation doesn't matter if someone just changes the text in h1
    @qwerty77asdf You can at least make it an app if you are going to give it to the user himself. See my response to bigus-dickus
    @DLMousey I didn't think of that solution, but it is impossible if it's a form, you'd have to store the info in cookies. If you can't finish the operation the next user has access to the previous cookies. Still it's just a browser, you can exit it
  • 1
    @Mitiko I didn't propose a solution :P

    There's also not a problem, just a dipshit thinking they're Uber leet h4xx0r because they changed the markup on their local copy of a site.

    How it got from someone being a dipshit to being lectured on client side validation is beyond me
  • 0
    @DLMousey I am not trying to show off my h4x0r skills, I found a vulnerable system and I expected propositions of solutions. This rant was created to inform others not to do that. I am no hacker, I know nothing about security really.

    People didn't understand what the actual issue was here (a browser was given to a user) and thought it was a client validation problem.
  • 1
    @Mitiko I think we're all misunderstanding each other now :') so was it you or somebody else who fired up Dev tools and modified the site?

    Looks to me like someone wandered up to the machine and decided they wanted to try scaring everyone by firing up said Dev tools and demonstrating their leet h4xx0r skills. (I say that with absolute sarcasm)

    If it was you then I indirectly called you a dipshit and I apologise xD
  • 0
    @DLMousey It was me who gave no context, I'm sorry. This is a computer that's given to users to sign themselves in and save time. The problem is no one is watching the computer and the user is provided with a browser.
    I changed the text just for the image. I then refreshed the browser. My idea was to show how this is way easier and similar to XSS attacks