23
Mitiko
6y

You can't build a webapp and trust people won't mess with the browser

Comments
  • 0
    Weird thing is they actually used IE insted of Chrome or Edge
  • 8
    Eh? You can not disable the developer console on the browser. Even if you "disable" it in electron there are still ways to get that console there.
  • 0
    @fuckwit Didn't know that... this means the whole idea to make it web was doomed
  • 1
    Someone actually changed the contents of the web app using console? Is this a sanitization problem?
  • 3
    @Mitiko any scripts that run client side can be modified and manipulated. There is nothing you can do to stop that. What you can do is validate on the server side to make sure nothing malicious can come through or do anything.
  • 11
    Oh no, they changed the displayed markup on their end! Whatever shall I do? 🙄
  • 2
    Such 1337 AF h4x0rman :P
  • 3
    @bigus-dickus client side validation is there for UX experience and to save server load and bandwidth.
  • 0
    @yatanvesh I did.
    @bigus-dickus Don't develop PWAs for when the whole system is given to the user to log in. Also client-side validation doesn't matter if someone just changes the text in h1
    @qwerty77asdf You can at least make it an app if you are going to give it to the user himself. See my response to bigus-dickus
    @DLMousey I didn't thought of that solution, but it is impossible if it's a form, you'd have to store the info in cookies. If you can't finish the operation the next user has access to the previous cookies. Still it's just a browser, you can exit it
  • 0
    @DLMousey I am not trying to show off my h4x0r skills, I found a vulnerable system and I expected propositions of solutions. This rant was created to inform others not to do that. I am no hacker, I know nothing about security really.

    People didn't understand what the actual issue was here (a browser was given to a user) and except though it was a client validation problem.
  • 0
    @DLMousey It was me who gave no context, I'm sorry. This is a computer that's given to users to sign themselves in and save time. The problem is noone is watching the computer and the user is provided with a browser.
    I changed the text just for the image. I then refreshed the browser. My idea was to show how this is way easier and similiar to XSS attacks
Add Comment