I have created hidden form and it will be contain hidden input and javascript submit. But while form is submitted, user can view the source of page and will know all values of it. How can I hide this form or encrypt it so that user can not know values from even source of html.
You could encrypt the data (using standard strong encryption) on the server and store the result in the form.
Standard practise, however, is to not give sensitive data to the client in the first place. Store the data on the server, associate it with a token, then give that token to the client.
Sessions are the standard approach for doing that.
If this information is sensitive, don't post it on the page at all.
Keep the data on the server and have a token to correlate the request with it.
You can't. Maybe you can hide stuff from an average user, but given enough skills data that's available to the user can be read / manipulated by the user. The right practice is to store data at the server and associate it with a user.
For example, you can have a look at PHP sessions.
Related
I want to create a feedback form where the users input data and when they press submit button, all the data entered is received by the admin at an email address which has been predefined in the code.
i don't want to use "mailto" as it opens another service. Is there any way to send data to email through the HTML form itself?
Forms send data to the URL specified in the action attribute.
mailto: URLs, which you have sensibly ruled out, are highly unreliable.
The only other kind of URL which can be usefully used is an http(s) URL where it is then processed by server side code.
If you want to send the emails to a different address then you need to change the server side code so it doesn't use a single address.
After a lot of research, I have decided to use https://formsubmit.co for this purpose. The details are present in their documentation.
It was exactly what I wanted, and completes my requirements. Thank you to everyone for their help.
I am trying to redirect my user from a html page to a jsp page which has been deployed on tomcat/webapps using .war file.
While doing so, I am also sending the session information of the user as an hidden parameter via POST method.
With the help of burpsuite tool(security testing tool) one can easily manipulate the cookie and change the username of the user logged in. How will I be able to block such kind of cookie manipulation?
You cannot control/prevent what the browser/client is sending, so do not consider the data received as fact/true. Your application shouldn't just look at the username and say "oh, it's the admin user, I show the whole admin area".
To prevent tampering the data originated from the server or at least detect changes, you use encryption or digital signatures. With encrypted data, it is not possible to change the data. You don't know how to decrypt the data and encrypt the changed data correctly since you don't have the encryption key to do so. With signed data you can still read the data but the signature makes sure that you can detect, if the data has been changed.
In your case, you can use a JWT instead of just the username. The JWT contains a digital signature which is used to check if the data has been changed. Your "testing team" can change the data but your server can see immediately that it has been changed and reject the received (changed) information.
I'm working on a project that I'm using stripe to handle payment processing, as part of this I've created a form for collecting card information, my problem is that I want to submit some of the data to be sent to my server (like name and email address), but other parts (the card details) I don't since they're processed by stripe so there's no point sending them to my server.
I'm not sure how I can do this though, since the input fields that I do and don't want to send are all mixed together, so I can't just wrap the parts I do want in the form tag and not the rest.
Is the a flag on a form field that I can set so that it isn't submitted with the form?
Any help would be greatly appreciated.
Using Javascript or Ajax may be the best way
Get values and trigger for differentes urls
Check this link: send specific part of the form fields to server using ajax?
How can we submit a form without Javascript and not by pressing any buttons?
I need to transfer a content to another file when a function works under certain conditions. Both the files are written in Perl. The pages are loaded in a webserver(same). I need to transfer a value, which the user doesn't want to know what I'm sending. So I came up with the post method is safe.
But there I didn't find any ways to redirect a URL where the values are transmitted in post method. So I came up with the form submission. But the problem is I need to use javascript or make user to press a button to complete the task.
The problem with Js is there some users who disable JS in their browsers.
So using it is not preferable. With the button,
I can't make the user to do that for me.
Is there any other scripting language, which supports such functionality?
There are some conditions that I can't use session
What I did is encryption for identifying the user from knowing what data is transmitted. The receiving page will decrypt it when it is required. But it's not what I needed.
I need to transfer a value, which the user doesn't want to know what I'm sending. So I came up with the post method is safe.
It isn't. If you pass it through the user's browser, then the user can see it.
Is there any other scripting language, which supports such functionality?
No. There is no programming language as well supported in browsers as JavaScript, and none that are harder to disable then JS.
Store the value on the server (you could use a session) and redirect the user with a normal 302 status and Location header. You can pass a session token via cookies or the query string.
You can't make a user do anything, unless you're writing for a browser the equivalent of a trojan.
But secondly, without something on the client side, you can't ensure that you can get information that you didn't have when you sent the page.
You could place some links, and know which links they clicked on by passing it through a central tracking program, but those links wouldn't have anything in them that didn't originate on the server without client script running.
Still, despite that you can entice a user to click on a link more than a simply functional button, in either case you can't get guaranteed new information from them. They can always close the tab, close the browser, or press the back button. This goes back to point #1: you can't make users do anything.
In my site, users can only modify their personal information only once a day. Script-side, I determine if they are allowed to (i.e. check with the database if it's been 24 hours since the last modification) and whether or not to display the form.
My question is, could a malicious user manage to submit information if there's no form? In other words, if there is no FORM element no data should be submitted by the user's browser, right?
What I'm afraid of is that if someone manages to send the data, the script would still process it and change the personal information when it shouldn't.
Of course - this would be a kind of replay attack. So long as your resource endpoint will handle a malicious POST request, regardless of the content of the preceding GET then you're vulnerable.
Remember: never trust the client. Provided that you do authentication and authorization checks before handling a POST request then you'll be fine.
Yes, a malicious user can still send data even without the form, if he knows the url of the page which accepts the data and their corresponding attributes it expects. He can then easily create a form with that info and submit the data.
So you basically need to validate the data at the server-side.
YES
For example someone could use curl.
curl -d profile=value http://www.yoursite.com/profile
You could prevent such attacks with a CSRF token you send along with your form.
See this article for more background http://shiflett.org/articles/cross-site-request-forgeries.