Check if user changed POST request

2

I have a JavaScript application that runs on the client side. In this application the user can trigger events that communicate with my site's server through a POST request. However, I need to ensure that the user has not forged the data prepared by this application. For example, the user can intercept the connection before it leaves their machine and change the attributes of the variables I'm passing through POST.

Another example: let's assume that this variable is a score and the real information is to credit 10 points to a certain user's account, but the user can intercept this communication, change it and send a false request for the server to credit 1,000 points. This is not a validation error, because both values are numeric and will therefore be accepted by the server, nor is it an SSL issue, because the user is acting in bad faith, changing the data before it leaves their machine. How can I validate this data against manipulation? I've seen some websites using a hash for this, but I do not quite understand how this can be done.

asked by anonymous 12.11.2015 / 12:39

2 answers

5

Sensitive information should never depend on the client side, because JavaScript encryption is useless.

The transparency offered by today's browsers makes all of your code and information readable and changeable in just a few clicks. This does not mean that older browsers made the web more secure. On the contrary, in the past it was easier for a developer to believe that their application was safe when using some kind of obfuscation such as JavaScript encryption, a compiled application (Flex / ActionScript), etc.

CSRF tokens can help you prevent someone from forging a call to your server from another source (cURL, CORS, etc.), but will not guarantee that the remaining information being passed will be as good as expected.

You can use a combination of CSRF tokens with SSL / TLS to encrypt the connection between the client and the server, avoid possible tampering with the JavaScript files, and ensure that the response came from your application, but that does not justify relying on the client side to provide sensitive information.

Update

Responding to the comment: any security mechanism you can think of using JavaScript in browsers has been thought of before; it's not a mess, but rather the way JavaScript works in the browser. Even if the server creates a public key for the client to use, and you guarantee that the information was encrypted using a valid key, the end user still has the information before encrypting it. The ease of forging data that does not represent reality is the same with and without such a mechanism, since the client will simply tamper with the information before it is encrypted.

If you are depending on your client's secure information, you need to rethink your application.

  • What action does the client perform that entitles them to the points?
  • Who has a financial obligation to create this score?
  • Are there multiple actions, each with a different score value?
  • Can the same action result in different scores?
  • Is a person able to acquire points while offline and synchronize when online?

Each question you can think of about your model can better pinpoint where your problem lies. If your client earns points offline, you need to think of coupon schemes, such that a coupon has a generated code that makes it mathematically unlikely that someone will be able to "find" it at random. If your client earns points when making a purchase, it may be the institution's own responsibility to ensure the authenticity of the information. If a specific action can only generate a specific number of points, that score can be stored server-side.

13.11.2015 / 01:32
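As an added illustration of the two points made above (the score lives server-side and is derived from the action, never from the request; offline credit goes through coupon codes too large to guess), here is a small Python server model. It is example code written for this page, not code from the answer or from the asker's application; the action table, the `PointsServer` class, the field names (`action`, `points`) and the request bodies are all constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed server-side table of actions and the points each one is worth.
# The client may only name an action; the value never comes from the request.
ACTION_POINTS = {
    "daily_login": 10,
    "complete_profile": 50,
}


class PointsServer:
    """Holds balances and unredeemed coupons on the server side (in memory here)."""

    def __init__(self):
        self.balances = {}   # user id -> points
        self.coupons = {}    # sha256(code) -> points, removed when redeemed

    def handle_credit(self, user, form):
        """Handle a POST that asks to credit points for an action.

        Only 'action' is read from the form. Any 'points' field the client
        sends is ignored, so editing it before the request leaves the browser
        changes nothing.
        """
        action = form.get("action")
        if action not in ACTION_POINTS:
            raise ValueError("unknown action")
        self.balances[user] = self.balances.get(user, 0) + ACTION_POINTS[action]
        return self.balances[user]

    def issue_coupon(self, points):
        """Create a single-use coupon worth `points`.

        token_urlsafe(24) gives 192 bits of randomness, so finding a valid
        code by trial is not practical; only a hash of the code is stored.
        """
        code = secrets.token_urlsafe(24)
        self.coupons[_digest(code)] = points
        return code

    def redeem_coupon(self, user, code):
        """Credit the coupon once; returns the new balance, or None if unknown or already used."""
        points = self.coupons.pop(_digest(code), None)
        if points is None:
            return None
        self.balances[user] = self.balances.get(user, 0) + points
        return self.balances[user]


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    server = PointsServer()
    # Constructed request bodies: the second one tries to inject 1000 points.
    print(server.handle_credit("alice", {"action": "daily_login"}))
    print(server.handle_credit("alice", {"action": "daily_login", "points": "1000"}))
    code = server.issue_coupon(25)
    print(server.redeem_coupon("alice", code))
    print(server.redeem_coupon("alice", code))  # None: already used
```

The model deliberately has no code path in which a number from the client reaches the balance: the request names an action, the server decides what it is worth. The coupon table stores only a hash of each code, so a leak of that table does not hand out redeemable codes, and `pop` makes each code single-use.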
0

Here's a tip that might be helpful:

Save the data you send to your form in a session.

You will fill in the values below with the data that comes from the database, which will look like this:

session_start();
$_SESSION['esperado'] = ['preco' => '1000', 'quantidade' => '1', 'desconto' => '10'];

And then, when you receive the submission, make sure nothing important has changed:

$dadosRecebidos = [
    'preco'      => $_POST['preco'] ?? null,
    'quantidade' => $_POST['quantidade'] ?? null,
    'desconto'   => $_POST['desconto'] ?? null
];

// array_diff_assoc compares key AND value; plain array_diff compares values only,
// so swapping two fields (e.g. preco and desconto) would pass unnoticed.
$diferenca = array_diff_assoc($_SESSION['esperado'], $dadosRecebidos);

if ($diferenca) {
    throw new Exception("Os dados foram alterados");
}

Depending on the case, instead of saving the data in a session, you can also save it to the database and do the same verification when the form is submitted.

14.02.2017 / 01:50
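The check above keeps the expected values in server-side state. A stateless variant of the same idea, and what the "hash" the asker has seen on other sites usually is, has the server sign the fields it chose with a keyed hash (HMAC) when rendering the form, and recompute that signature on submission; the browser can read the fields and the tag but cannot produce a new valid tag without the server's key. The Python below is an added example written for this page, not the answerer's code: the secret key, the `assinatura` field, the user binding and the sample values are all constructed for the demonstration. It complements the first answer rather than replacing it: the fields still have to be values the server chose, not values the client reported.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment this comes from server
# configuration and is never sent to the browser.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Fields whose server-chosen values the client must not be able to change.
PROTECTED = ("preco", "quantidade", "desconto")


def _tag(user, fields):
    """HMAC-SHA256 over the user id and the protected fields, serialised canonically.

    Binding the user id means a tag issued for one user's form cannot be
    replayed by another user; sort_keys keeps the serialisation stable.
    """
    payload = json.dumps(
        {"usuario": str(user), "campos": {k: str(fields[k]) for k in PROTECTED}},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def render_form(user, expected):
    """Server side, when building the form: the fields plus the 'assinatura' tag."""
    form = {k: str(expected[k]) for k in PROTECTED}
    form["assinatura"] = _tag(user, form)
    return form


def verify_submission(user, posted):
    """On submission: recompute the tag from the posted fields and compare in constant time."""
    tag = posted.get("assinatura")
    if not isinstance(tag, str):
        return False
    if any(k not in posted for k in PROTECTED):
        return False
    return hmac.compare_digest(_tag(user, posted), tag)


if __name__ == "__main__":
    # Constructed values, matching the answer's example.
    form = render_form("alice", {"preco": "1000", "quantidade": "1", "desconto": "10"})
    print(verify_submission("alice", form))                       # True
    print(verify_submission("alice", dict(form, preco="10")))     # False: field changed
    print(verify_submission("bob", form))                         # False: other user
```

`hmac.compare_digest` avoids leaking, through timing, how many leading characters of a guessed tag were right. A tag alone does not stop the same signed form from being submitted twice; if that matters, the session or database check from the answer, or a one-time nonce included in the signed payload, is still needed.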