c# - Is there a way to hide the posted Form data when the form submit is intercepted in Burp Suite or any similar tool -

-

enter image description here

is there way hide keys , values posted on form submit.as these key values can tampered hacker using security testing tools such burp suite?

while https used secure data in transit, there no practical way prevent user tampering data on machine. pretty every modern browser has built-in or add-on developer tools allow user pause script execution, change client script variables, modify html, , on.

one method can used data round-tripped , forth client server , doesn't change (such userid) encrypt data prior sending, , decrypt when returns server. mechanism take of round-trip values aren't expected change , compute hash against them stored in hidden field on page. when return, recompute hash , make sure matches up. "boblimiteduser" couldn't change username "administrator" manipulating html without breaking hash.

all of being said, underlying fact should consider data coming system not under control untrusted. final input validation should performed server-side (in addition client-side validation performed). because of "double validation" requirement, complex validation routines, i'll use webservice/ajax call perform client-side validation. client script , server code can call same routine, once during , once after submission.

if take approach validate input @ both ends (so speak), tampering shouldn't issue. if boblimiteduser wants manipulate html can change dropdown value 1 value value has access to, time waste. if manages change value causes data integrity or security issues, server-side validation there protect against.

in short

  • never trust generated client script. easy manipulate (or have old script cached browser, become outdated, , break something)
  • client side validation responsiveness , usability. server side validation data integrity , security
  • don't pass sensitive information client , trust come intact. if must, use encryption protect it, or hashing validate it.
  • don't bother trying encrypt/hash stuff client-side
  • do use https protect data during transport
  • implement logging/alerting of security related errors. way, if alerts every day boblimiteduser attempting exploit app, can talk security department , either virus removed machine, or can dealt appropriately

data validation big topic of discussion, , recommend reviewing owasp reference guide (simply information replicate here): https://www.owasp.org/index.php/data_validation

one last bit think on... if have client-script application, assume using ajax , web services transmit data. regardless of client script write, prevents malicious user using fiddler bypass not client script, browser itself, send requests directly web service? way ensure security validate @ server.


Comments

Post a Comment

Popular posts from this blog

javascript - Chart.js (Radar Chart) different scaleLineColor for each scaleLine -

-
Image
i try , create radar chart using chart.js has various colours each scaleline, or coloured between scalelines. wondering if possible? from: to: i have working graph, though there doesn't seem method change individual scale lines. kind regards leigh you can extend radar chart type this, so chart.types.radar.extend({ name: "radaralt", initialize: function (data) { chart.types.radar.prototype.initialize.apply(this, arguments); var originalscaledraw = this.scale.draw; var ctx = this.chart.ctx; this.scale.draw = function () { var linewidth = this.linewidth; // bypasses line drawing in originalscaledraw this.linewidth = linewidth; originalscaledraw.apply(this, arguments); ctx.linewidth = this.linewidth; var scale = this; // draw chart.helpers.each(scale.ylabels, function (label, index) { // color of ...
Read more

apache - Error with PHP mail(): Multiple or malformed newlines found in additional_header -

-
suddenly have started receiving above error without changes having been made script. host 1and1 (i know...) the script still works fine on different server, , suspicion there must have been server config change has lead this, although hosts plead ignorance. there's no information on above error @ in google can find - have ideas? server running apache if helps. had similar problem. came out of blue. no php code changed. what changed: php upgraded 5.5.25-1 5.5.26. a security risk in php mail() function has been fixed , newlines in additional_headers allowed no more. because newlines mean: starts email message (and surely don't want inject newlines through headers followed evil message). what have worked fine, e.g. having newlines after headers or passing whole message additional_headers , function no more. solution : sanitize headers. no multiple newlines in additional_headers argument. these count "multiple or malformed newlines":...
Read more

java - Android – MapFragment overlay button shadow, just like MyLocation button -

-
Image
i'm struggling add shadow custom overlay button on google map. goal make custom button google's mylocation button. here's how app looks now: layout.xml <relativelayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" xmlns:map="http://schemas.android.com/apk/res-auto" android:layout_height="match_parent" android:layout_width="match_parent" style="@style/apptheme"> <fragment android:layout_width="match_parent" android:layout_height="match_parent" android:id="@+id/map" tools:context=".mapsactivity" android:name="com.google.android.gms.maps.supportmapfragment" android:layout_alignparentend="true" android:layout_alignparentstart="true" android:layout_alignparentbottom="true" ...
Read more