0

There are tasks that can only be done by JavaScript.

My problem is that after doing the task from JavaScript, the JavaScript code has to send the variables to a PHP page and, from my knowledge, it can only be done by POST, GET, and cookie, which means that a user can possibly fake the variable and submit it.

I want to make sure that the variables the PHP page receives are from the JavaScript page. No luck so far. What is the solution?

Peter Mortensen
ap3
  • What you describe is not possible. What you should probably do is to decide on the server what the valid values are, and then validate that the submitted values are in that list; if they're not, then reject it. – El Yobo Mar 01 '11 at 02:35
  • Or use something like a Captcha as well... – Jacob Mar 01 '11 at 02:42
  • No matter how much validation and obfuscation you do on the client-side process, at some point you'll have to accept that a dedicated enough malicious user can/will fake the data. The question is figuring out what "enough" is, after which the added complexity outweighs any gain in security it can achieve. Spending $100 to safeguard $0.01 in assets isn't a good bargain. – Marc B Mar 01 '11 at 04:18

4 Answers

1

You're right, this is certainly a problem.

Whitelisting/validating the input from the client could solve some of your problems, by making sure that the value is at least within a certain range of acceptable values.

What specifically is your use case that you're concerned about? Perhaps we could help you more if we knew more about your scenario.

Alex Mcp
  • How do you whitelist a JavaScript variable? Wouldn't it be visible under any possible circumstance? – ap3 Mar 01 '11 at 03:39
  • A JS file will be embedded in third-party web pages, which will retrieve variables from the host pages. These variables will then be sent to a PHP page which will save the variables to the DB. I came up with a couple of ideas, but they are still exploitable if someone knows the internals. – ap3 Mar 01 '11 at 03:42
  • What whitelisting means is to only accept certain variables. If you're looking for a form that inputs 'fruit', then you would accept 'orange', 'banana', and 'apple', but discard ' – Alex Mcp Mar 01 '11 at 06:17
1

We could help you better if you would describe your specific scenario and what kind of data input you need to avoid.

In general, you should always try to validate data on the client (JavaScript) just to provide better feedback to the user (like highlighting a required form field left blank). Consider this to be just a courtesy for the user.

Regardless of that, you should never trust the data coming from the browser. Do all the security-relevant validation on the server, and don't care what kind of client software has been used to collect that data (be it your JavaScript code or some hard-coded GET/POST data).

Udo G
0

As the other answers have stated, whitelisting is really the only thing you can do -- if someone is deliberately attacking your website, there is no requirement that any content you get is valid.

No amount of client-side validation or cookies works either, as an attacker does not need to use a browser to do Bad Things.

olliej
0

You can generate an authenticity token when serving your page. Then check that the response contains the same authenticity token. À la Rails.

Community
Carlos Blanco
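The token check from the last answer combined with the server-side whitelist the other answers recommend, as an added example that is not part of the original thread. The function names, the `fruit` field, the token lifetime and the sample session ids are assumptions; in a real page the session id would come from the server's own session handling.

```php
<?php
declare(strict_types=1);

// Allowed values are decided on the server (constructed sample list).
const ALLOWED_FRUIT = ['orange', 'banana', 'apple'];
const TOKEN_TTL = 900; // seconds a served page stays valid (assumption)

// Called while rendering the page: token = expiry . '.' . HMAC(secret, sessionId|expiry).
function issue_token(string $secret, string $sessionId, int $now): string
{
    $expires = $now + TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
}

// Called by the receiving PHP page before touching any submitted variable.
function verify_token(string $secret, string $sessionId, string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false; // page was served too long ago
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// The token only shows the request follows a page this server rendered for this
// session; the values themselves still have to pass the whitelist.
function accept_submission(string $secret, string $sessionId, array $post, int $now): ?string
{
    $token = $post['token'] ?? '';
    $fruit = $post['fruit'] ?? '';
    // Non-string input (e.g. fruit[]=x) and bad or expired tokens are rejected.
    if (!is_string($token) || !is_string($fruit) || !verify_token($secret, $sessionId, $token, $now)) {
        return null;
    }
    return in_array($fruit, ALLOWED_FRUIT, true) ? $fruit : null;
}

// Constructed sample run (secret, session ids and POST data are made up).
$secret = random_bytes(32);
$token = issue_token($secret, 'sess-123', time());
var_dump(accept_submission($secret, 'sess-123', ['token' => $token, 'fruit' => 'apple'], time()));
var_dump(accept_submission($secret, 'sess-123', ['token' => $token, 'fruit' => 'durian'], time()));
var_dump(accept_submission($secret, 'sess-456', ['token' => $token, 'fruit' => 'apple'], time()));
```

Only the first call returns a value; the second fails the whitelist and the third presents a token issued for a different session. A user who loads the page legitimately can still submit any whitelisted value by hand, which is the limit the comments on the question describe.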