1

This might sound silly, but as a developer, I'm using the debugger in Chrome every day to test my web applications, but although these tools are valuable for us developers, they might also be used against us by users who want to mess with our systems.

You probably know that it is fairly easy, using the debugger, to re-enable a button that was previously set to disabled, or change the value of hidden tags or variables. It would then be easy to post a form that is not supposed to be sent, with forged values...

Would there be a way to prevent all debugging tools from being used when your page is displayed in a production environment?

Some sort of meta tags that could be added to the web page, or something else?

I know I could scramble my JS scripts, but are there any other ways?

Thanks

fled
  • 8
    You should not be relying on JavaScript for security or validation. You should always have server side validation ensuring that the data you receive from users is in the format you expect. – John Conde Jan 02 '14 at 16:19
  • ^ +1 that, plus you could simply disable JavaScript entirely and circumvent all that. But as far as I know there's no way to control a user's browser like that using JavaScript – Sterling Archer Jan 02 '14 at 16:21
  • 1
    The _only_ way to guarantee on the client side that a user doesn't enable a disabled button is to not provide the button in the first place. (Server-side, you can have session information, including whether that button was set to the client as enabled or disabled.) – Scott Mermelstein Jan 02 '14 at 16:23

3 Answers

4

No, this is not possible. As John Conde said you should use server-side validation to protect against invalid input. Even without a "debugger" as you call them, a user can always GET/POST a request (with bogus data) to your form submission URL.

TypeIA
  • Totally agree on that, and this is what I'm doing every day, but I thought that there could be a tag that could prevent the user from executing the debugging tool. What @RUJordan is proposing would be pretty radical and would lead to a very boring user experience... – fled Jan 06 '14 at 15:30
  • Of course, scrambling my JS is also a great idea to prevent users from understanding the mechanics behind the page, which would ease their hacking efforts... – fled Jan 06 '14 at 15:38
3

JavaScript validation is for improving the user experience, not for protecting your data; it runs on the client, so a malicious client can always change it. Anything sent to the server needs to be validated by the server, where the client can't mess with or bypass the validation.

In addition to debuggers, there are tools such as cURL that can be used to send any GET or POST request to your server. As a developer, cURL is pretty handy for letting servers communicate with each other (the time I used it, it was because my database was on a different web server than my UI), but it means that your server has to be able to safely handle any request sent to it, even those your JavaScript does not allow.
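
The server-side checks described in the answers and comments above, as an added example that is not part of the original posts: the handler trusts only state held on the server (what the session was sent as enabled, and the catalogue price) and treats every posted field as untrusted. The session store, catalogue, field names and the 1 to 10 quantity limit are assumptions made for illustration.

```javascript
// Server-side source of truth (constructed sample data).
const CATALOGUE = new Map([['sku-1', { priceCents: 1999 }], ['sku-2', { priceCents: 500 }]]);

// Hypothetical session store: records what the server rendered for each user,
// including whether the "checkout" button was sent enabled or disabled.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice', enabledActions: new Set(['checkout']) }],
  ['sess-bob', { user: 'bob', enabledActions: new Set() }], // button sent disabled
]);

// Validate a form POST using only server-held state; `body` is untrusted.
function handleFormPost(sessionId, body) {
  const session = SESSIONS.get(sessionId);
  if (!session) return { status: 401, error: 'no session' };

  // The disabled attribute in the browser is irrelevant: check what the
  // server decided, not what the client's DOM currently says.
  if (typeof body.action !== 'string' || !session.enabledActions.has(body.action)) {
    return { status: 403, error: 'action not permitted' };
  }
  const item = typeof body.itemId === 'string' ? CATALOGUE.get(body.itemId) : undefined;
  if (!item) return { status: 400, error: 'unknown item' };

  // Form fields arrive as strings; accept only a plain integer from 1 to 10.
  if (typeof body.quantity !== 'string' || !/^(?:[1-9]|10)$/.test(body.quantity)) {
    return { status: 400, error: 'invalid quantity' };
  }
  const quantity = Number(body.quantity);

  // Any client-supplied price (hidden field) is ignored; recompute it here.
  return { status: 200, user: session.user, totalCents: item.priceCents * quantity };
}

// Constructed requests, as a browser, a debugger or cURL could send them.
const honest = handleFormPost('sess-alice', { action: 'checkout', itemId: 'sku-1', quantity: '2', price: '19.99' });
const forgedPrice = handleFormPost('sess-alice', { action: 'checkout', itemId: 'sku-1', quantity: '2', price: '0.01' });
const reEnabled = handleFormPost('sess-bob', { action: 'checkout', itemId: 'sku-1', quantity: '1' });
const badQty = handleFormPost('sess-alice', { action: 'checkout', itemId: 'sku-2', quantity: '-5' });
console.log(honest, forgedPrice, reEnabled, badQty);
```

The forged hidden price yields the same total as the honest request, and the request from the session whose button was sent disabled is rejected no matter what the client's DOM looked like.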

0

I have 2 ideas to limit this to 80%.

  1. Prohibit right clicking
  2. Use the setInterval function to monitor changes to HTML tags. If one is changed, set it back to the original value or redirect the website to any other address, for example google.com.
slfan
huy