Omid

Reputation: 170

How to make sure elements of an HTML form have not been changed on the client side for the purpose of hacking before submit?

I want to know whether there is any way to prevent elements of an HTML form from being changed on the client side before submit (the elements that have a value, like hidden elements).

Let's say I have hidden elements. I want to make sure their values haven't been changed by the user on purpose.

Or what is the HTML form security best practice?

Upvotes: 4

Views: 1082

Answers (4)

Andrew Strong

Reputation: 4363

I suggest you try for yourself to see how trivial it is for a user to modify what is submitted by a form. The Tamper Data addon for Firefox is exactly for this purpose.

Hidden fields are only visually hidden; they have no special protection from being modified before submission. Best practice is to validate everything that gets submitted - you can't assume any client-side validation (e.g. JavaScript, field lengths) has been adhered to.

Upvotes: 0

Michael Borgwardt

Reputation: 346327

No, there is no way to prevent the client from sending you arbitrarily manipulated or malformed requests. That's not just true for web apps, it's true for any app where you don't physically control the client.

Best practice is to expect that and deal with it. Specific mechanisms to do that include:

  • Keep data in a server-side session variable instead of using hidden fields
  • Alternatively, use cryptographic hash sums (that include a salt and the client's IP address) to ensure data has not been tampered with
  • Run all client-supplied data through functions that strip potential SQL injection or XSS attacks before using it
  • Check user authorization on every page (so that people can't e.g. see/manipulate other users' data simply by changing the id parameter on the "edit profile" page)

Upvotes: 4

Theran

Reputation: 3856

Generally, you should make sure that your system is robust enough to handle any sort of malicious input. Assuming that you've taken care of that, if you still need to make sure the information hasn't been tampered with, then use an HMAC. Your web library or programming language should have some sort of routine for this built in.

Upvotes: 2
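A worked version of the HMAC approach recommended above (and of the "cryptographic hash sums" item in the earlier answer), added here as an example that is not code from any answer on this page. It assumes a server-held secret (`SERVER_SECRET`) and a per-user session id that the tag is bound to, so a signed set of hidden values cannot be replayed in another session.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import urlencode

# Assumption: a long-lived secret known only to the server (load from config in practice).
SERVER_SECRET = secrets.token_bytes(32)

# Hidden fields whose values the server wants to trust after the round trip.
PROTECTED = ("item_id", "price")


def _canonical(fields, session_id):
    """Deterministic byte string: sorted protected fields plus the session id,
    so the same values signed for one user do not verify for another."""
    items = sorted((k, str(fields[k])) for k in PROTECTED)
    items.append(("_session", session_id))
    return urlencode(items).encode()


def sign_fields(fields, session_id, key=SERVER_SECRET):
    """HMAC-SHA256 tag the server embeds as an extra hidden input named 'sig'."""
    return hmac.new(key, _canonical(fields, session_id), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields, session_id, key=SERVER_SECRET):
    """Hidden <input> tags for the form, values HTML-escaped, plus the tag."""
    tags = [f'<input type="hidden" name="{k}" value="{escape(str(fields[k]))}">'
            for k in PROTECTED]
    tags.append(f'<input type="hidden" name="sig" value="{sign_fields(fields, session_id, key)}">')
    return "\n".join(tags)


def verify_submission(form, session_id, key=SERVER_SECRET):
    """Recompute the tag over what the client posted back; reject if any protected
    field is missing or the tag differs (constant-time comparison)."""
    if "sig" not in form or any(k not in form for k in PROTECTED):
        return False
    expected = sign_fields(form, session_id, key)
    return hmac.compare_digest(str(form["sig"]), expected)


if __name__ == "__main__":
    # Constructed sample: what the server rendered, then two client submissions.
    rendered, sid = {"item_id": "42", "price": "19.99"}, "sess-abc123"
    sig = sign_fields(rendered, sid)
    honest = {"item_id": "42", "price": "19.99", "sig": sig}
    tampered = {"item_id": "42", "price": "0.01", "sig": sig}   # price edited client-side
    print(verify_submission(honest, sid), verify_submission(tampered, sid))  # True False
```

The server still has to validate the values themselves (type, range, authorization); the tag only proves they are the ones it rendered for that session.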

Wael Dalloul

Reputation: 23024

You can't make sure that the HTML content wasn't changed on the client side, but you can check the passed values on the server side.

Upvotes: 0
