Disabled button modified using Firebug

Viewed 482 times

4

Imagine that in an HTML page I have a disabled button. I can very well use Firebug to enable this button and so perform the commit.

The question is: is there any way I can disable this button and not allow this commit even when I modify the disabled property of the button in Firebug?

Do I always have to do a treatment on the server, thinking that this possibility might happen?

  • Why don't you just remove the HTML button?

  • @Maiconcarraro even hiding the button, a malicious user can submit the form via JS.

  • @Philippegioseffi I did not say hide, but remove; why send the client HTML with the button in it?

  • @Maiconcarraro hiding or removing the button is the least of the problems, because even when it is hidden or removed from the screen, the form can be sent via JS by a malicious user.

  • @Philippegioseffi but if it is removed, how does the guy know he has to send something?

  • @Maiconcarraro to have some malicious interaction he only has to submit the form to the server.


4 answers

4

Answer:

You can't do anything about the HTML against someone who opens Firebug and starts modifying things.

Explanation:

You can only have security if you validate on the server, because whatever method you use, the "Firebug guy" can do the same. That is, there is no way around it: you have to validate on the server, and then you will have security.

However, you should do the validation on the client (with JavaScript) and also on the server; it is always safer this way.

Tip: you can use "trickery" to make it difficult on the client side, for example:

Let's say every field has a certain "attribute required for submission" that would be something you invented. Then you would validate each field against its respective "attribute required for submission", for example:

<input type=text data-required="HFG2#4DF@">

This would be a valid field for having the data-required attribute; then we would have a disabled field:

<input type=text disabled>

Even if the Firebug user goes to it and removes the disabled attribute, it will not work, because you check whether all fields have this data-required using:

if ($(seuInput).attr('data-required') == "HFG2#4DF@") {
  // submit the form
} else {
  // do not submit the form
}

Then it would be impossible to send such a field if you do not put in the invented attribute.

Note: this HFG2#4DF@ is just one example; you can make life difficult for someone by making them dig through and understand your JavaScript code in order to submit this field.

There are also several ways to do these things; for example, you can put a different ID on each field and use a different data-required for each one, which could be the MD5 hash of each ID, or the Base64 of each ID.

But of course, this will affect performance a bit and is only used if you really want to make it difficult to submit the form at this point; it's not that it is recommended to do this, it's just optional.

3

Yes, ideally the validation is done both client-side and server-side. You can try to block the button from being enabled with JavaScript code, but from Firebug itself you can disable JavaScript execution.

In fact, ideally all validation should happen client-side and, above all, server-side.

3


The question of security against accidental or malicious manipulation of actions and data in web applications goes far beyond simply disabling buttons or fields.

The first reference I read about security when I was learning how to program was the PHP Manual. It is a good reference even for those who develop in other languages. Consider the following excerpt from the manual:

You should always carefully examine your code to make sure that any variables being sent from the web browser are being checked correctly, and ask yourself the following questions:

  • Will your script only affect the intended files?
  • Can unusual or unwanted data be acted upon?
  • Can this script be used in unintended ways?
  • Can it be used in conjunction with other scripts in a negative way?
  • Will transactions be properly recorded?

Finally, all data received by your script from external sources should be considered potentially hazardous and validated appropriately.

That includes:

  • Headers
  • URL variables (GET parameters)
  • Form content (POST parameters)
  • Ajax content (JSON, XML)
  • Cookies
  • Files (uploads)
  • Images, HTML and other resources consumed from external URLs

In addition to validating values, something developers often forget is to check that the user is who he says he is (authentication) and that he can perform a certain action (authorization).

It is because of this that in many systems it is possible to usurp administrator rights by enabling buttons via Firebug or the developer tools, or by knowing a "secret URL"!

2

Yes, you always have to do the treatment on the server.

In fact, a browser is not even necessary to make potentially hostile HTTP requests to your server. A malicious programmer (hacker) can use programming tools to talk directly to your server using HTTP or other protocols.

There is none; but even if there were a way to disable the button and not allow this commit even when modifying the disabled property of the button in Firebug... the vulnerability would still exist. Understand?
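The server-side treatment that this answer and the previous two call for, as an added example (not code from any of the answers): a Node.js request handler written as a pure function so that the requests can be built by hand, exactly as a tool talking HTTP directly would build them, with no button involved at all. It checks authentication, then authorization, then validates the form fields, in that order. The session store, the roles, the cookie name `sid`, the field names and the validation rules are all assumptions made up for this example.

```javascript
// Added example (not from the original answers): the server does not know or care
// whether a button was disabled in the browser; it authenticates, authorizes and
// validates every request on its own. All names and rules below are assumptions.

// Constructed session store: cookie value -> authenticated user.
const SESSIONS = {
  'sid-alice': { user: 'alice', role: 'admin' },
  'sid-bob': { user: 'bob', role: 'viewer' },
};

// Which role may perform which action (authorization, independent of any UI state).
const PERMISSIONS = { commit: ['admin'] };

// Parse the Cookie header the way a browser or curl would send it ("sid=...; other=...").
function sessionFromCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, value] = part.trim().split('=');
    if (name === 'sid') return SESSIONS[value] || null;
  }
  return null;
}

// Validate the POST body against server-side rules; never rely on the browser having
// kept a field disabled or having filled in any client-side marker attribute.
function validateCommit(params) {
  const errors = [];
  const title = params.get('title') || '';
  const amount = params.get('amount') || '';
  if (!/^[\w .,-]{1,80}$/.test(title)) errors.push('title');
  if (!/^\d{1,9}$/.test(amount)) errors.push('amount');
  return errors;
}

// The handler: authentication, then authorization, then validation.
// Returns {status, body} instead of writing to a socket so it is easy to exercise.
function handleCommit(req) {
  if (req.method !== 'POST') return { status: 405, body: 'method not allowed' };
  const session = sessionFromCookie(req.headers.cookie);
  if (!session) return { status: 401, body: 'not authenticated' };
  if (!PERMISSIONS.commit.includes(session.role)) return { status: 403, body: 'not authorized' };
  const params = new URLSearchParams(req.body);
  const errors = validateCommit(params);
  if (errors.length > 0) return { status: 400, body: 'invalid: ' + errors.join(',') };
  // Record who performed the transaction (the manual's "properly recorded").
  return { status: 200, body: `committed by ${session.user}: ${params.get('title')}` };
}

// A hand-built request, equivalent to
//   curl -b sid=sid-bob -d 'title=Report&amount=100' https://example.invalid/commit
// From the server's point of view the disabled button never existed.
function rawRequest(sid, body) {
  return { method: 'POST', headers: { cookie: `sid=${sid}` }, body };
}

module.exports = { sessionFromCookie, validateCommit, handleCommit, rawRequest };
```

Run it with a viewer's session and it answers 403 regardless of how the form was assembled; run it with an admin session and malformed fields and it answers 400. The client-side disabled attribute can stay as a usability hint, because nothing on the server depends on it.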

Browser other questions tagged

You are not signed in. Login or sign up in order to post.