TT wrote on 10 aug 2004 in microsoft.public.inetserver.asp.general:
> As title
please elaborate.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
1) Assume I have an ASP page (insertRecord.asp) on my server; the page simply
does something if request.form("FormAction")="save", then inserts a record in the DB.
2) I create an HTML page saved locally on my own hard disk, and the page
contains the tag <FORM name="LocalPage"
action="https://server/insertRecord.asp" method="post">; then I SUBMIT it to
the server's insertRecord.asp.
3) The result: It works!!!
Question:
How can I prevent this case?
The problem is that the user can edit the HTML page located on his hard
disk and then submit it to my ASP on the server.
Is there any server variable or other means to check and prevent the user from doing this?
Thank you very much.
TT wrote on 10 aug 2004 in microsoft.public.inetserver.asp.general:
<%
If request.servervariables("remote_addr") = "127.0.0.1" Then 'for localhost
%>
or your actual LAN IP if you are accessing this page from outside your
localhost, "192.168.1.7" or so. Or you can detect a range.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Dear Evertjan,
Thanks for your reply.
What I want to do is:
- "PREVENT the user who edits the HTML page which is the response of my ASP."
After editing his local version, he submits it to my server's ASP. As a
result, he can overcome some logic or hidden value in the HTML page my ASP
previously returned.
e.g. The returned HTML page has a hidden value (record id) in the HTML
page. The user saves the HTML page locally, then modifies the hidden id and
submits it again. As a result, he may be able to update another record (which
he is supposed not to be able to view or edit).
Please advise.
Thanks.
TT wrote on 10 aug 2004 in microsoft.public.inetserver.asp.general:
[please do not toppost on usenet]
That is another matter.
If the HTML page is on a non-trusted user's machine [since you seem to
have sent it to him/her, correct?], you cannot prevent him/her from editing it
and using all the knowledge in that file.
Security is never assured if crucial files are on the client['s] side.
So, do not send this file to a non-trusted user.
[The user rightly should not trust YOU, and would be an idiot for uploading
executables, even html, from YOU. No offence intended, but trust
is/should be mutual.]
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
You could:
- check before updating that access to this id is allowed for the user
- create a kind of checksum on hidden values so that you can check if the
user changed a value in your form
- encrypt hidden values (either really or by using a "handle" that in turn
will return server side the actual value to use)
- other?
Patrice
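The scenario TT describes and Patrice's first two countermeasures (an ownership check before the update, and a server-side checksum over the hidden value), written out as an added Python example; this is not code from any poster or from classic ASP, and the record store, user names and signing secret are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample store (not from the thread): record id -> owner and title.
RECORDS = {
    "101": {"owner": "alice", "title": "Alice's note"},
    "202": {"owner": "bob", "title": "Bob's note"},
}

# Placeholder signing secret; in practice loaded from server configuration
# and never sent to the browser.
SERVER_KEY = b"PLACEHOLDER-server-secret"


def sign_hidden(record_id: str, user: str) -> str:
    """HMAC over (user, record id): a checksum the client cannot recompute."""
    msg = f"{user}|{record_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_form(record_id: str, user: str) -> dict:
    """Fields the server emits into the HTML form: hidden id plus its signature."""
    return {"FormAction": "save", "id": record_id, "sig": sign_hidden(record_id, user)}


def is_owner(record_id: str, user: str) -> bool:
    """Authorization check against server-side data, independent of the form."""
    rec = RECORDS.get(record_id)
    return rec is not None and rec["owner"] == user


def handle_save_vulnerable(form: dict, session_user: str) -> str:
    """The pattern described in the thread: trusts the posted hidden id as-is."""
    if form.get("FormAction") != "save":
        return "ignored"
    rec = RECORDS.get(form.get("id", ""))
    if rec is None:
        return "rejected: no such record"
    rec["title"] = form.get("title", rec["title"])
    return "saved"


def handle_save(form: dict, session_user: str) -> str:
    """Hardened handler: verify the signature, then verify ownership."""
    if form.get("FormAction") != "save":
        return "ignored"
    record_id = form.get("id", "")
    if not hmac.compare_digest(sign_hidden(record_id, session_user), form.get("sig", "")):
        return "rejected: hidden field tampered"
    # Ownership is the essential control; the signature only adds early tamper detection.
    if not is_owner(record_id, session_user):
        return "rejected: not owner"
    RECORDS[record_id]["title"] = form.get("title", RECORDS[record_id]["title"])
    return "saved"
```

The Referer header suggested later in the thread is chosen by the client and is routinely blank or rewritten, so it is at best a weak signal; the server-side ownership check is the control that actually decides.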
You've just described a form of Cross Site Scripting Attack which is becoming more and more of a problem for the sites I develop. Depending on the situation I am coding for, I do a combination of things.
Like Tom suggested, I check that the Request.ServerVariables("HTTP_REFERER") variable is coming from a set path I want the user to follow; if it doesn't, then something is going wrong. This kind of
attack usually happens with e-commerce checkout processes. If this is the case, you really should check the price coming in against the price you should have. It gets complicated having to over-code these
kinds of things, but that's what a secure site needs. Secondly, I check session variables. Because they are created on the server they are hard to fake; using a SessionID for a user that hits the site
will add another layer of checking. Again it depends on the situation and what you're coding for, but these are 2 things I use.
- Bastard
On Tue, 10 Aug 2004 10:01:54 -0400, "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote:
"TT" <TT@discussions.microsoft.com> wrote in message news:87**********************************@microsoft.com...
> As title
Check Request.ServerVariables("HTTP_REFERER") to make sure it is equal to your form page.