php - Insecure form post value validating -
currently i'm using form post "comment" , save in database there 2 hidden fields, 1 check component comment made on , other hidden field comment number. found exploit in own form. if go developer console can change them either crosspost comments other form, or doesn't exist, doesn't matter, nor fact can change number comment is, because still works if there's comment same number.
<form action="/index.php?option=com_comments&view=comment&row=<?= $row ?>&table=<?= $table ?>" method="post"> <input type="hidden" name="row" value="<?= $row ?>" /> <input type="hidden" name="table" value="<?= $table ?>" /> <textarea type="text" name="text" class="control control--textarea control-group__control" placeholder="<?= translate('add new comment here ...') ?>" id="new-comment-text"></textarea> <br /> <input class="leader btn btn--theme control-row__trigger" type="submit" value="<?= translate('comment') ?>"/> but issue when go console , add , submit form can override value , post i'm else. not intended behaviour able post else. can't seem find way validate value of created_by before post being send, because if put in hidden input field can changed well. can make secure?
edit: posting done automatically , literally can't change because of framework we're using. , overrides proper default behaviour. better way phrase question be, can prevent user adding hidden input field post values? should post form post check everytime if post includes created_by , if change current profile_id?
malicious code changed via developer console
<form action="/index.php?option=com_comments&view=comment&row=2&table=blogs_blogs&created_by=6" method="post" class="ng-pristine ng-valid"> <input type="hidden" name="_token" value="a0b15d3664d7bc0e0e40675095fec014"> <input type="hidden" name="_token" value="a0b15d3664d7bc0e0e40675095fec014"> <input type="hidden" name="row" value="2"> <input type="hidden" name="created_by" value="6"> <input type="hidden" name="table" value="blogs_blogs"> <textarea type="text" name="text" class="control control--textarea control-group__control" placeholder="add new comment here ..." id="new-comment-text"></textarea> <br> <input class="leader btn btn--theme control-row__trigger" type="submit" value="comment"> </form>
rule #1 in web application security: never trust client
if user logged in, store user's id in session , use identifier store his/her records in database.
plus, should implement mechanism prevent csrf (cross site request forgery) in form. because can't see does.
Comments
Post a Comment