
A former colleague made an online shopping app. The boss wanted to promote him to Senior Developer while he was still working with us.

14 days ago another colleague checked the code and told the boss that it's ready for production. No one asked me because everyone in the company thinks I am the stupidest developer of them all.

So what happened?
Well, the total value of the cart was being passed over to the payment gateway using a hidden field. Well, you know the rest of the story.

The client has sued our company for this issue and the boss came running to me and asked me to check if it was our fault or something else.

I checked and found the hidden field where the total value of the cart was being stored and sent over to the payment gateway. The following is the conversation between me and the colleague who checked the code:

Me: So you checked the code and everything was okay?
Him: Yes, all good.
Me: Did you see this hidden field where the total value of cart is being passed to the payment gateway?
Him: Yes
Me: Why didn't you fix this?
Him: What's there to fix?
Me: Well, someone can tamper with the value and let it pass to the payment gateway.
Him: No, they can't, we are using https
Me: I am done with you

He has a Master's in software engineering and a few security certificates.

Comments
  • 13
    Oh my god xD
  • 12
    Out of curiosity, can you let us in on the big picture? how would you have solved it instead?
  • 19
    @Artemix Ah, now I get it! So this total amount was in the client html form? That's one way of doing it. A hilarious one :D
  • 37
    "Why cannot we just trust each other"
  • 3
    Genius...
  • 22
    I lost it at "we're using https"😂😂
  • 2
    @rusty-hacker well... your name answers it xD
  • 2
    @TerriToniAX Never make calculations on the client side. The Server's got to do the Calculation.
  • 1
    I still don't get it, how can one tamper with it if you send it over https?
  • 7
    @T1l3 Well, for that you got to check out how the OSI Layer works, HTTPS which is SSL/TLS works at the Transport Layer. So, if the hidden field is present on the form, an attacker can still use a Local Proxy and make the changes to the values before it is sent to the next layer.
    Check out YouTube videos on Tamperdata and Burp Suite.
  • 3
    @nikchillz Thank you for taking your time to respond!

    It makes sense that attacks happen at such layers - I wasn't aware of it.

    What would stop someone from stealing submitted passwords, usernames and tokens in this way?
  • 6
    @T1l3 in Chrome DevTools' console:

    document.getElementById("hidden_field_id").value = 0 /* Or whatever you want to pay */

    Now just click the submit button.
  • 3
    @T1l3 the trick here is that the value is modified by the client itself, before even sending the form. In this scenario the "attacker" is you.

    Moral of the story is, as a webdev, you can never trust the values sent by the client. Always sanitize your data, always recalculate the totals (or even better: don't calculate totals on the client side at all).
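    To make the rant's bug and this comment's fix concrete, here is an added example (not code from the original post or from the app described): a checkout handler that trusts the hidden `total` field beside one that rebuilds the amount from server-side prices and flags a mismatch for logging. The catalogue, SKUs and form layout are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample catalogue: the server's own authoritative prices (hypothetical SKUs).
CATALOG = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("49.50"),
}

MAX_QTY = 100  # assumed business limit per line item


class CheckoutError(ValueError):
    """Raised when a checkout request cannot be honoured."""


def vulnerable_checkout(form):
    """The pattern from the rant: the amount handed to the gateway is whatever
    the client posted in the hidden 'total' field. Nothing here can detect tampering."""
    return Decimal(form["total"])


def hardened_checkout(form, catalog=CATALOG):
    """Recompute the amount from server-side prices and quantities.

    form["items"] is a list of (sku, qty) pairs as submitted by the client.
    The client's 'total' field, if present, is never charged; it is only compared
    against the server total so a mismatch can be logged as a tamper indicator.
    Returns (server_total, client_total_mismatched).
    """
    total = Decimal("0.00")
    for sku, qty in form["items"]:
        if sku not in catalog:
            raise CheckoutError(f"unknown item {sku}")
        # Reject non-integer, zero, negative or absurd quantities before pricing.
        if not isinstance(qty, int) or qty < 1 or qty > MAX_QTY:
            raise CheckoutError(f"bad quantity for {sku}")
        total += catalog[sku] * qty
    total = total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

    claimed = form.get("total")
    mismatch = claimed is not None and Decimal(claimed) != total
    return total, mismatch


if __name__ == "__main__":
    # Constructed requests: an honest one and one whose hidden total was edited to 0.01.
    honest = {"items": [("SKU-100", 2), ("SKU-200", 1)], "total": "89.48"}
    tampered = {"items": [("SKU-100", 2), ("SKU-200", 1)], "total": "0.01"}
    print("vulnerable charges:", vulnerable_checkout(tampered))   # 0.01
    print("hardened charges:", hardened_checkout(tampered))       # (Decimal('89.48'), True)
```

    The `mismatch` flag is what a server should log and alert on: an honest browser never submits a total that disagrees with its own cart.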
  • 3
    @T1l3 well it is unlikely that an attacker could steal a password using this method, as the tampering in this scenario is done on OSI Layer 7 which is the Application Layer. And as the application is with the user himself, it gets a lil tricky. But an attacker could still do it by means of CSRF attacks or XSS attacks. But once https comes in, then it becomes highly unlikely to intercept; the interception at this stage could only be possible if there exists a Zero Day bug that no one knows about, or if the attacker tricks it by using things like SSL Strip.
  • 3
    What I would want to know is, where can I shop using this fabulous software? Can I buy anything cool?
  • 4
    Wow, just great. A colleague from my company on holidays wanted to buy a train ticket, and the price of it was passed in the url :D
  • 2
    @nikchillz I got that, but when first reading the rant I somehow got the impression we were talking about some server-side XML here. Of course, *hidden* field should have given away that this is a plain HTML page. Guess my brain is still on vacation... :P
  • 2
    @jordinebot Works in Firefox too. I sometimes use this to submit AX in country fields on web pages where my country is missing :D
  • 2
    @TerriToniAX yeah, of course, the browser is irrelevant here.
  • 0
    Isn't that what the old non hosted PayPal buttons did? Say the value is such and such client side?
  • 2
    Upvote for someone else’s stupidity 🙃
  • 3
    @dev0urer
    One apple a day keeps the doctor away.
    One raw garlic a day keeps everybody away.
    One rant a day keeps stupidity away.
  • 1
    @nikchillz thanks for explaining this stuff. As a total noob, this is really enlightening.
  • 1
    @jordinebot @movaid7 Happy that it was helpful to you. :)
  • 4
    I have seen many sites that do this. Absolutely ridiculous.
    You can pay $0 and it adds the order, ships and everything. It must've been in some payment template because one of the sites I found was a small business with a guy who knew nothing of websites. Told him about the issue and showed him how I can change it to $0 before I pay. Not sure if he ended up fixing it.