Preventing Hacking of Javascript

Status
Not open for further replies.

drkestrel

Sep 25, 2000
Javascript validation functions in pages generated from ASP could be 'by-passed' by a user by saving the ASP page, removing the Javascript validation and then submitting from the form.

I would like to prevent that happening (possibly) by examining the Request object. But I don't have any luck with figuring out whether the request came from or c:\hackedpage.html

I tried looking at
The following always return the server's host name
Request.ServerVariables("SERVER_NAME")

The following always return the path on server
Request.ServerVariables("SCRIPT_NAME")
Request.ServerVariables("PATH_INFO")

The following always return the current ASP's path on server (i.e. c:\inetpub\wwwroot\....)
Request.ServerVariables("PATH_TRANSLATED")

The following always return empty string
Request.ServerVariables("QUERY_STRING")
Request.ServerVariables("REMOTE_USER")
Request.ServerVariables("PATH")

Any help would be appreciated.
 
I figured out I could use HTTP_REFERRER, but
1) It won't work for the "First" page.
2) That won't be set where Page.Redirect is used in ASP VB Script.
 
Hi,
Let's see how this method works out for you.

Instead of using a Submit button (<INPUT TYPE=SUBMIT>), try using a plain Button (<INPUT TYPE=BUTTON>). Submit the form programmatically with the OnClick event of the button.

Let us know if this technique works.

Thank you...
RR

 
"Why not validate on the server side?" means that client-side validation of input is just a convenience for the user. If you trust the data that you get from the client based on "client side" validation then you are playing with fire. Anybody using Web Browser Control or Inet can bypass all your JavaScript "on the fly".
 
I think perhaps I've been misunderstood. The problem you identified was the following:

"Javascript validation functions in pages generated from ASP could be 'by-passed' by a user by saving the ASP page, removing the Javascript validation and then submitting from the form."

If the problem is the JavaScript, get rid of it and validate the form on the server side using ASP when passing the data from the Web Form to whatever medium you are storing it in. The problem isn't finding out who can hack your page, it's eliminating the threat. The overhead involved with checking string variables on the server-side is almost insignificant if considering that doing so will eliminate your JavaScript problem and more importantly, the threat of having your Web Application hacked.

sjuarez1979
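
The server-side check recommended in the replies above, as an added example that is not part of the original thread: the function re-validates a posted form body no matter which page produced it. It is written in JavaScript (Node.js) rather than ASP, and the field names, rules and sample bodies are hypothetical.

```javascript
// Added example: server-side re-validation of a posted form body.
// Field names and rules are hypothetical, not taken from the thread.
const RULES = {
  username: { required: true, max: 20, pattern: /^[A-Za-z0-9_]+$/ },
  email: { required: true, max: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age: { required: false, max: 3, pattern: /^\d+$/, range: [13, 120] },
};

// Parse an application/x-www-form-urlencoded body and check every field
// against RULES. Nothing is trusted on the grounds that a browser-side
// script may already have checked it.
function validateForm(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const values = {};

  // Reject fields the real form never sends.
  for (const name of new Set(params.keys())) {
    if (!Object.keys(RULES).includes(name)) errors.push(`unexpected field: ${name}`);
  }

  for (const [name, rule] of Object.entries(RULES)) {
    const all = params.getAll(name);
    if (all.length > 1) { errors.push(`${name}: duplicated`); continue; }
    const value = (all[0] ?? "").trim();
    if (value === "") {
      if (rule.required) errors.push(`${name}: required`);
      continue;
    }
    if (value.length > rule.max) { errors.push(`${name}: too long`); continue; }
    if (!rule.pattern.test(value)) { errors.push(`${name}: bad format`); continue; }
    if (rule.range) {
      const n = Number(value);
      if (n < rule.range[0] || n > rule.range[1]) { errors.push(`${name}: out of range`); continue; }
    }
    values[name] = value; // only validated values are handed on for storage
  }
  return { ok: errors.length === 0, errors, values };
}

// Constructed sample bodies: one as the genuine page would post it, one as a
// saved copy with the client-side checks removed could post it.
const fromRealForm = "username=alice_01&email=alice%40example.com&age=34";
const fromSavedCopy = "username=%3Cscript%3E&email=nope&age=999&admin=1";

console.log(validateForm(fromRealForm));
console.log(validateForm(fromSavedCopy));
```

Both bodies go through the same function, so the result does not depend on where the request came from.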
 
How about this ?

Set a cookie or a session variable in the previous page (the one with FORM elements), and check if it exists in the subsequent page. If it doesn't, that implies it is an invalid submission.

Thank you...
RR

 