How can I check that the form is not posted from a local html page

TT
As title
Jul 19 '05 #1
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
As title


please elaborate.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #2
TT
1) Assume I have an asp page (insertRecord.asp) on my server; the page simply
does something if request.form("FormAction")="save", then inserts a record in the db.
2) I create an html page saved locally on my own hard disk and the page
contains the tag <FORM name="LocalPage"
action="https://server/insertRecord.asp" method="post">, then I SUBMIT it to
the server's insertRecord.asp.
3) The result: It works!!!

Question:
How can I prevent this case?
The problem is that the user can edit the html page which is located on his hard
disk and then submit it to my asp on the server.
Can any server variable or other means check for this and prevent the user from doing it?

Thank you very much.
"Evertjan." wrote:
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
As title


please elaborate.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Jul 19 '05 #3
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
1) Assume I have an asp page (insertRecord.asp) on my server; the page
simply does something if request.form("FormAction")="save", then inserts a
record in the db. 2) I create an html page saved locally on my own hard
disk and the page contains the tag <FORM name="LocalPage"
action="https://server/insertRecord.asp" method="post">, then I SUBMIT
it to the server's insertRecord.asp.
3) The result: It works!!!

Question:
How can I prevent this case?
The problem is that the user can edit the html page which is located on his
hard disk and then submit it to my asp on the server.
Can any server variable or other means check for this and prevent the user
from doing it?


<%
If request.servervariables("remote_addr") = "127.0.0.1" Then 'for localhost
    ' ... handle the request here ...
End If
%>

or your factual lan ip if you are accessing this page outside your
localhost, "192.168.1.7" or so. Or you can detect a range.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #4
TT
Dear Evertjan
Thanks for your reply.

What I want to do is:
- "PREVENT the user who edits the html page which is the response of my asp".
After editing his local version he then submits it to my server's asp. As a
result, he can overcome some logic or hidden value in the html page my asp
previously responded with.

e.g. The response html page has a hidden value (record id) in the html
page. The user saves the html page locally, then modifies the hidden id and
submits it again. As a result, he may be able to update another record (which
he is supposed not to be able to view or edit).

Please advise.
Thanks.
"Evertjan." wrote:
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
1) Assume I have an asp page (insertRecord.asp) on my server; the page
simply does something if request.form("FormAction")="save", then inserts a
record in the db. 2) I create an html page saved locally on my own hard
disk and the page contains the tag <FORM name="LocalPage"
action="https://server/insertRecord.asp" method="post">, then I SUBMIT
it to the server's insertRecord.asp.
3) The result: It works!!!

Question:
How can I prevent this case?
The problem is that the user can edit the html page which is located on his
hard disk and then submit it to my asp on the server.
Can any server variable or other means check for this and prevent the user
from doing it?


<%
If request.servervariables("remote_addr") = "127.0.0.1" Then 'for localhost
    ' ... handle the request here ...
End If
%>

or your factual lan ip if you are accessing this page outside your
localhost, "192.168.1.7" or so. Or you can detect a range.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Jul 19 '05 #5
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
"Evertjan." wrote:
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
> 1) Assume I have an asp page (insertRecord.asp) on my server; the
> page simply does something if request.form("FormAction")="save", then
> inserts a record in the db. 2) I create an html page saved locally on my
> own hard disk and the page contains the tag <FORM name="LocalPage"
> action="https://server/insertRecord.asp" method="post">, then I
> SUBMIT it to the server's insertRecord.asp.
> 3) The result: It works!!!
>
> Question:
> How can I prevent this case?
> The problem is that the user can edit the html page which is located on
> his hard disk and then submit it to my asp on the server.
> Can any server variable or other means check for this and prevent the user
> from doing it?
<%
If request.servervariables("remote_addr") = "127.0.0.1" Then 'for localhost
    ' ... handle the request here ...
End If
%>

or your factual lan ip if you are accessing this page outside your
localhost, "192.168.1.7" or so. Or you can detect a range.

What I want to do is:
- "PREVENT the user who edits the html page which is the response of my
asp". After editing his local version he then submits it to my
server's asp. As a result, he can overcome some logic or hidden value
in the html page my asp previously responded with.

e.g. The response html page has a hidden value (record id) in the
html page. The user saves the html page locally, then modifies the
hidden id and submits it again. As a result, he may be able to update
another record (which he is supposed not to be able to view or edit).


[please do not toppost on usenet]

That is another matter.

If the html page is on a not trusted user's machine [since you seem to
have sent it to him/her, correct?], you cannot prevent him/her from editing it
and using all the knowledge in that file.

Security is never assured if crucial files are on the client['s] side.

So, do not send this file to a non-trusted user.
[The user rightly should not trust YOU, and would be an idiot for uploading
executables, even html, from YOU. No offence intended, but trust
is/should be mutual.]

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jul 19 '05 #6
"TT" <TT@discussions.microsoft.com> wrote in message
news:87**********************************@microsoft.com...
As title


Check Request.ServerVariables("HTTP_REFERER") to make sure it is equal to
your form page.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserv...y/centers/iis/
http://mvp.support.microsoft.com/
http://www.iisfaq.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://www.tryiis.com
Jul 19 '05 #7
You could:
- check before updating that access to this id is allowed to the user
- create a kind of checksum on hidden values so that you can check if the
user changed a value in your form
- encrypt hidden values (either really or by using a "handle" that in turn
will return, server side, the actual value to use)
- other ?

Patrice

--

"TT" <TT@discussions.microsoft.com> wrote in message
news:E5**********************************@microsoft.com...
Dear Evertjan
Thanks for your reply.

What I want to do is:
- "PREVENT the user who edits the html page which is the response of my asp". After editing his local version he then submits it to my server's asp. As a result, he can overcome some logic or hidden value in the html page my asp previously responded with.

e.g. The response html page has a hidden value (record id) in the html
page. The user saves the html page locally, then modifies the hidden id and
submits it again. As a result, he may be able to update another record (which he is supposed not to be able to view or edit).

Please advise.
Thanks.
"Evertjan." wrote:
TT wrote on 10 aug 2004 in
microsoft.public.inetserver.asp.general:
1) Assume I have an asp page (insertRecord.asp) on my server; the page
simply does something if request.form("FormAction")="save", then inserts a
record in the db. 2) I create an html page saved locally on my own hard
disk and the page contains the tag <FORM name="LocalPage"
action="https://server/insertRecord.asp" method="post">, then I SUBMIT
it to the server's insertRecord.asp.
3) The result: It works!!!

Question:
How can I prevent this case?
The problem is that the user can edit the html page which is located on his
hard disk and then submit it to my asp on the server.
Can any server variable or other means check for this and prevent the user
from doing it?


<%
If request.servervariables("remote_addr") = "127.0.0.1" Then 'for localhost
    ' ... handle the request here ...
End If
%>

or your factual lan ip if you are accessing this page outside your
localhost, "192.168.1.7" or so. Or you can detect a range.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Jul 19 '05 #8
You've just described a form of Cross Site Scripting Attack which is becoming more and more of a problem to the sites I develop. Depending on the situation I am coding for I do a combination of things. Like Tom suggested, I will check that the Request.ServerVariables("HTTP_REFERER") variable is coming from a set path I want the user to follow; if it doesn't then something is going wrong. This kind of attack usually happens with e-commerce checkout processes. If this is the case you really should check the price coming in against the price you should have. It gets complicated having to over-code these kinds of things, but that's what a secure site needs. Secondly, I check session variables. Because they are created on the server they are hard to fake; using a SessionID for a user that hits the site will add another layer of checking. Again it depends on the situation and what you're coding for, but these are 2 things I use.
- Bastard

On Tue, 10 Aug 2004 10:01:54 -0400, "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote:
"TT" <TT@discussions.microsoft.com> wrote in message
news:87**********************************@microsoft.com...
As title


Check Request.ServerVariables("HTTP_REFERER") to make sure it is equal to
your form page.


Jul 19 '05 #9
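Patrice's first two suggestions (check that the user may touch the id, and put a checksum on hidden values) and the session-based layer from the last reply, worked through as an added Python example; this is not code from the thread, whose server side is Classic ASP. The secret key, the RECORD_OWNER table, the hidden-field name "rid" and the session keys "sid" and "user" are all constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed for this example: a server-only secret (never sent to the browser)
# and a stand-in for the DB lookup "which user owns record X".
SERVER_KEY = b"example-secret-kept-on-the-server-only"
RECORD_OWNER = {"1001": "alice", "1002": "bob"}


def _mac(record_id: str, session_id: str) -> str:
    # Binding the session id into the MAC means a tag copied from one
    # user's page cannot be replayed from another session.
    msg = f"{record_id}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def sign_hidden(record_id: str, session_id: str) -> str:
    """Value to emit in the hidden field: the id plus a keyed checksum."""
    return f"{record_id}.{_mac(record_id, session_id)}"


def verify_hidden(value: str, session_id: str) -> Optional[str]:
    """Return the record id if the tag is intact and was issued to this session."""
    record_id, sep, mac = value.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(mac, _mac(record_id, session_id)):
        return None
    return record_id


def handle_update(form: dict, session: dict) -> str:
    """Server-side handling of the posted form, in the spirit of insertRecord.asp.

    `form` stands in for Request.Form, `session` for the server-held session
    (hypothetical keys "sid" and "user").
    """
    if form.get("FormAction") != "save":
        return "ignored"
    record_id = verify_hidden(form.get("rid", ""), session["sid"])
    if record_id is None:
        return "rejected: hidden field altered or not ours"
    # Patrice's first point: even an intact id is re-checked against what
    # this user is allowed to touch, using server-side data only.
    if RECORD_OWNER.get(record_id) != session["user"]:
        return "rejected: record not owned by user"
    return f"updated {record_id}"
```

The REMOTE_ADDR and HTTP_REFERER checks suggested earlier in the thread are left out because both values come from the client; the two checks above rely only on state the server holds.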