
I have a function in the back-end that relies on the property names of an object, which is sent using AJAX with AngularJS. Can a user alter the property names using a debug tool, therefore changing what I would normally expect in the back-end? I suppose doing that would also affect the entire app in general if it was possible.

I guess it's kind of like someone using a debug tool to change the name attribute on a form and then submitting it. So I was curious to know if it's something I should ever keep in mind for AngularJS. I hope that makes sense.

Nasreddine
kenshin9
  • possible duplicate of [JavaScript: client-side vs. server-side validation](http://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation) – Tobia Tesan Sep 04 '15 at 05:26

1 Answer


If a user is smart enough, he or she can change almost everything using the developer tools the browser provides. What is more, if the back-end endpoint is known, it is easy to mock a custom request with custom data.

You should always validate the request, since everything that doesn't come directly from your code can lead to a security breach.

The big downside of Ajax is that its requests are easily debugged using dev tools and, if they are not designed correctly, expose your internal structures.

kamil-mrzyglod
  • *"The big downside of Ajax is that its requests are easily debugged"* - wait, is that a downside? :P – Tobia Tesan Sep 04 '15 at 07:58
  • @TobiaTesan Hah, yeah, according to the topic's context it is a downside ;) From a dev perspective it has both pros and cons. – kamil-mrzyglod Sep 04 '15 at 08:12
  • Joking aside, if that happens to be a downside for you, you are probably relying - knowingly or unknowingly - on security through obfuscation and your design is very broken. As you very well said, user input is *never* to be trusted and AJAX calls are just that :) – Tobia Tesan Sep 04 '15 at 08:25
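
One way to apply the answer's advice to the property-name case from the question, as an added example (not code from the question or the answer): a server-side check in JavaScript that accepts only the property names it expects, whatever the client sent. The schema and its field names (`title`, `quantity`, `notes`) are hypothetical.

```javascript
// Added example: allowlist validation of a JSON request body on the server.
// SCHEMA and its field names are hypothetical, not taken from the question.
const SCHEMA = {
  title:    { type: 'string', required: true,  maxLength: 100 },
  quantity: { type: 'number', required: true },
  notes:    { type: 'string', required: false, maxLength: 500 },
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateBody(rawJson) {
  let body;
  try {
    body = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, errors: ['body is not valid JSON'] };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  // Reject every property name the server does not expect. hasOwnProperty is
  // used instead of `in` so inherited names like "constructor" or "__proto__"
  // are never treated as known fields.
  for (const key of Object.keys(body)) {
    if (!own(SCHEMA, key)) errors.push(`unexpected property: ${key}`);
  }
  // Copy only validated fields into a prototype-less object.
  const clean = Object.create(null);
  for (const [key, rule] of Object.entries(SCHEMA)) {
    if (!own(body, key)) {
      if (rule.required) errors.push(`missing property: ${key}`);
      continue;
    }
    const value = body[key];
    if (typeof value !== rule.type ||
        (rule.type === 'number' && !Number.isFinite(value))) {
      errors.push(`wrong type for ${key}`);
    } else if (rule.maxLength !== undefined && value.length > rule.maxLength) {
      errors.push(`${key} is too long`);
    } else {
      clean[key] = value;
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: clean };
}
```

The handler then works only with the returned `value`, so a renamed or extra property in the request results in a rejected request rather than unexpected back-end behaviour.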