Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Out of curiosity, can you let us in on the big picture? how would you have solved it instead?
-
@Artemix Ah, now I get it! So this total amount was in the client html form? That's one way of doing it. A hilarious one :D
-
@TerriToniAX Never make calculations on the client side. The Server's got to do the Calculation.
-
@T1l3 Well, for that you got to check out how the OSI Layer works, HTTPS which is SSL/TLS works at the Transport Layer. So, if the hidden field is present on the form, an attacker can still use a Local Proxy and make the changes to the values before it is sent to the next layer.
Check out YouTube videos on Tamperdata and Burp Suite. -
T1l32127y@nikchillz Thank you for taking your time to respond!
It makes sense that attacks happen at such layers - I wasn't aware of it.
What would stop someone from stealling submitted passwords, usernames and tokens in this way? -
l0om17167y@T1l3 the trick here is that the value is modified by the client itself, before even sending the form. In this scenario the "attacker" is you.
Moral of the story is, as a webdev, you can't never trust the values sent by the client. Always sanitize your data, always recalculate the totals (or even better: don't calculate totals in client side at all). -
@T1l3 well it is unlikely that an attacker could steal password using this method, as the tampering in this scenario is done on OSI Layer 7 which is the Application Layer. And as the application is with the user himself, so it gets lil tricky. But, an attacker could still do it, by the means of CSRF attacks or XSS attacks. But once the https comes in, then it becomes highly unlikely to intercept, the interception at this stage could be only possible if there exists a Zero Day bug that no one knows about, or if the attacker tricks in by using thing like SSL Strip.
-
What I would want to know is, where can I shop I using this fabulous software? Can I buy anything cool?
-
bdocian47yWow, just great. Colleague from my company on holidays wanted to buy a train ticket, and price of it was passed in url :D
-
@nikchillz I got that, but when first reading the rant I somehow got the impression we were talking about some server-side XML here. Of course, *hidden* field should have given out that this is a plain HTML page. Guess my brain is still on vacation... :P
-
@jordinebot Works in Firefox too. I sometimes use this to submit AX in country fields on web pages where my country is missing :D
-
Isn't that what the old non hosted PayPal buttons did? Say the value is such and such client side?
-
@dev0urer
One apple a day keeps the doctor away.
One raw garlic a day keeps everybody away.
One rant a day keeps stupidity away. -
movaid727y@nikchillz thanks for explaining this stuff. As a total noob, this is really enlightening.
-
xsacha4317yI have seen many sites that do this. Absolutely ridiculous.
You can pay $0 and it adds the order, ships and everything. It must've in some payment template because one of the sites I found was a small business with a guy who knew nothing of websites. Told him about the issue and showed him how I can change it to $0 before I pay. Not sure if he ended up fixing it.
A former colleague made an online shopping app. Boss wanted to promote him to Senior Developer when he still working with us.
14 days ago another colleague checked the code and told the boss that it's ready for production. No one asked me because everyone in the company thinks am the stupid developer of them all.
So what happened?
Well the total value of the cart was being over to payment gateway using a hidden field. Well you know the rest of the story.
The client has sued our company for this issue and boss came running to me and asked me to check if it was our fault or something else.
I checked and found the hidden value where the total value of cart was being stored and send over to payment gateway. The following is the conversation between me and the colleague who checked the code:
Me: So you checked the code and everything was okay?
Him: Yes, all good.
Me: Did you see this hidden field where the total value of cart is being passed to the payment gateway?
Him: Yes
Me: Why didn't you fix this?
Him: What's there to fix?
Me: Well someone can temper the value and let it pass to the payment gateway.
Him: No, they can't we are using https
Me: I' am done with you
He has Masters in software engineering and has few security certificates.
undefined
cart