Asked by:
Can they hack my MVC program like I hack locally?

Question
-
User283528319 posted
Hi all,
You know you can change any HTML element's properties in the development mode of a browser (Chrome).
I have a SPA with jQuery, and I save/send HTML elements to the server using the jQuery post function.
However, today I changed an element's property via the HTML editor in Chrome and saved it. Voilà, it is saved as is.
It is a huge security back door for my program.
Could you help me to find the answer?
This is possible when the machine is server and client at the same time. However, can it be possible when the client is remote?
Thanks
Friday, January 25, 2019 8:21 PM
All replies
-
User-474980206 posted
yes.
Your website's get/post API is a public API that anyone can call without using your SPA (or web page), or after editing the running code with the browser tools. You cannot trust the source of requests to your server. The server code should validate the posted data (data validation) and handle security.
If you are talking about Chrome's ability to edit and save source files, then no, this cannot be done remotely, because it requires access to the file system.
Friday, January 25, 2019 8:31 PM -
User475983607 posted
fatihbarut
however today I changed an element's property via the HTML editor in Chrome and saved it. Voilà, it is saved as is.
It is a huge security back door for my program.
Data entry is not secure in any application. It's your responsibility to write secure code. Often that means validating inputs and verifying data does not leak between accounts.
Can you explain the security vulnerability and provide a code sample? That will help us to help you.
Friday, January 25, 2019 8:40 PM -
User283528319 posted
yes.
your website's get/post API is a public API that anyone can call without using your SPA (or web page), or after editing the running code with the browser tools. You cannot trust the source of requests to your server. The server code should validate the posted data (data validation) and handle security.
If you are talking about Chrome's ability to edit and save source files, then no, this cannot be done remotely, because it requires access to the file system.
Could you open it up a little bit more,
validation, authorisation and authentication wise?
Friday, January 25, 2019 8:41 PM -
User-474980206 posted
Just assume the user can call your site actions/web API in any order with any data they want. If the site exposes primary keys, then the user may guess the keys (say they are ints, or displayed in a list on another page) and update a different record. The server should check, before updating, that the user is allowed to update the record. It should also check that only values the user is allowed to change are saved.
Friday, January 25, 2019 8:54 PM -
User475983607 posted
fatihbarut
could you open it up a little bit more,
validation, authorisation and authentication wise?
There are several common situations. One is over-posting, where the controller input has more properties than what the user can update. In that situation you want to use a ViewModel that has only the required properties.
The same kind of thing happens when hidden fields are used to manage state. A savvy user can update the hidden fields in the browser. If having hidden fields causes a security vulnerability, then do not use hidden fields. Usually, the solution is to query the database from the server or to use server-side state management.
I'm sure someone can recommend an approach if you provide source code that illustrates the security vulnerability.
Friday, January 25, 2019 8:57 PM -
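As an added example (not code from this thread or either poster) of the two server-side checks the replies above describe, a ViewModel that limits what a POST can bind (over-posting) and an ownership check before the record is saved, assuming ASP.NET Core MVC, an EF Core context named AppDbContext exposing DbSet<Note> Notes, and that the logged-in user's id is in the NameIdentifier claim:

```csharp
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Entity as stored in the database. OwnerId must never be settable from a request.
public class Note
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
    public string Title { get; set; } = "";
    public string Body { get; set; } = "";
}

// ViewModel bound from the POST: only fields the user may change exist here,
// so an extra "OwnerId" added with the browser tools has nothing to bind to.
public class NoteEditModel
{
    public int Id { get; set; }
    [Required, StringLength(120)] public string Title { get; set; } = "";
    [StringLength(4000)] public string Body { get; set; } = "";
}

[Authorize]
public class NotesController : Controller
{
    private readonly AppDbContext _db; // assumed EF Core context with DbSet<Note> Notes
    public NotesController(AppDbContext db) => _db = db;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Update(NoteEditModel model)
    {
        // Validate on the server; client-side jQuery checks are bypassable.
        if (!ModelState.IsValid) return BadRequest(ModelState);

        // The Id came from the client and may be any guessed key, so check
        // that the record belongs to the authenticated user before touching it.
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var note = await _db.Notes.FindAsync(model.Id);
        if (note is null || userId is null || note.OwnerId != userId)
            return NotFound(); // same answer whether missing or foreign: no record enumeration

        // Copy only the whitelisted fields; OwnerId is left untouched.
        note.Title = model.Title;
        note.Body = model.Body;
        await _db.SaveChangesAsync();
        return Ok(new { note.Id });
    }
}
```

With a jQuery $.post the anti-forgery token has to be sent along with the form data (read from the hidden input that @Html.AntiForgeryToken() renders), otherwise [ValidateAntiForgeryToken] rejects the request.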
User283528319 posted
What if I get and post the data via the jQuery $.get and $.post functions over controllers? In this case the client never sees which URL I built?
Saturday, January 26, 2019 6:45 AM -
User475983607 posted
What if I get and post the data via the jQuery $.get and $.post functions over controllers? In this case the client never sees which URL I built?
The URL can be found in the HTML loaded in the browser.
Saturday, January 26, 2019 12:32 PM -
User283528319 posted
The URL can be found in the HTML loaded in the browser.
It doesn't provide HTML; it just gets or posts data to a MySQL database.
Saturday, January 26, 2019 12:53 PM -
User475983607 posted
It doesn't provide HTML; it just gets or posts data to a MySQL database.
Simply right-click the browser window and select "View Source". JavaScript applications are visible in plain text within the browser. There are tools to minify and obfuscate JavaScript. This makes it harder for a human to read the code, if you want to go in that direction.
As stated above consider anything returned to the browser as insecure and under the client's control.
Saturday, January 26, 2019 1:18 PM -
User-474980206 posted
Also, browser network tools will show the payloads in nice readable formats.
Saturday, January 26, 2019 5:50 PM