Send modified javascript

Question

Imagine a javascript command that sends a parameter to PHP. let's imagine that he always send as follows:

var data_id = 'login =' +user_login+ 'password =' + user_pass;

The code is below:

$.ajax({
      type: "POST",
      url: "functions/a-php/read/read_config.php",
      data: data_id,
      cache: false,
      success: function(data_o){

      }
  });

I wonder if the User or perhaps a hacker can modify that variable data_id, and instead of sending a parameter login =, he sends a parameter with the name google=, he can do it?

They probably can as JavaScript is a client based language. You should be verifying the data sent in your read_config.php anyways though. So it shouldn't be an issue in regards to hacking. — Zera42, Dec 22 '13 at 19:55
Attackers can send any HTTP request they want. It doesn't matter what JS code you write. — SLaks, Dec 22 '13 at 19:56
Don't build query strings by hand. If a user used (for example) a `&` in their password, that would break. You can use `encodeURIComponent` to deal with that, but jQuery has an escaping system built in: `data: { login: user_login, password: user_pass }` — Quentin, Dec 22 '13 at 19:59

Quentin · Answer 1 · 2013-12-22T20:00:08.653

Yes. A user can send whatever they like to your server.

You don't control anything beyond the edge of your server. What goes on in the browser and what arrives at your server are under the control of the client and the client's user.

In general:

Let unknown query string arguments be ignored
Use authentication to determine trust before authorisation
Implement the usual defences against
- SQL injection
- CSRF
- XSS

score 1 · Answer 2 · answered Dec 22 '13 at 19:57

1

Besides what Quentin wrote, this is why you need to validate form data in the server. So, in this case, functions/a-php/read/read_config.php has to check the value of data_id to be sure it specifies only what you expect it to.

answered Dec 22 '13 at 19:57

yitwail

1,999
3
20
27

score 0 · Answer 3 · edited May 23 '17 at 12:28

It sounds like you want to round-trip sensitive data through an untrusted user-agent -- i.e. you want to verify that data that you received is the same as data you sent.

If that's what you want to do, you can use signature checking.

In PHP, openssl_sign and openssl_verify can be used to sign data and verify it.

Note that signing may make the string on the user-agent look encrypted, but it's not. If you want to prevent the user-agent from reading the password, you need to encrypt too.

Alternatively, you can store your string in a database keyed by a crypto-strong pseudo-random key and just send that opaque key to the client.

Secure random number generation in PHP addresses generating unguessable random keys in PHP.

If it's not a round-tripping problem and you're dealing with a third-party that is sending the username and password, you should really stop taking passwords in the clear.

Send modified javascript

3 Answers3