Weird Thoughts From Eric's Head


First, an Engineering Manager Joke

Three men, a project manager, a software engineer, and a hardware engineer, are helping out on a project. About midweek they decide to walk up and down the beach during their lunch hour. Halfway up the beach, they stumble upon a lamp. As they rub the lamp a genie appears and says "Normally I would grant you three wishes, but since there are three of you, I will grant you each one wish." The hardware engineer went first. "I would like to spend the rest of my life living in a huge house in St. Thomas with no money worries." The genie granted him his wish and sent him off to St. Thomas.

The software engineer went next. "I would like to spend the rest of my life living on a huge yacht cruising the Mediterranean with no money worries." The genie granted him his wish and sent him off to the Mediterranean.

Last, but not least, it was the project manager's turn. "And what would your wish be?" asked the genie.

"I want them both back after lunch" replied the project manager.

Hacking A WebPage with the Browser

THIS IS FOR EDUCATIONAL PURPOSES FOR DEVELOPERS AND I AM NOT RESPONSIBLE FOR ANYTHING YOU GET IN TROUBLE FOR! THIS SHOWS YOU WHY YOU CAN NOT RELY ON JAVASCRIPT!

There was a post in my forum today about hacking the browser using JavaScript:

The post: http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=20&t=002855

Now this is something a lot of developers might not know: your page is not safe from anyone who knows a little bit of JavaScript. You might be saying that it is on the client side, so it does not matter what they do, but that is where you are wrong.

If a person does not have good server-side protection on form submissions, then they are going to be in trouble, especially if calculations are performed only on the client side.

Let’s give an example: There is an online store that has a text field that is read-only with a special discount dollar amount. This dollar amount is subtracted from the total when a function is called.

Here is the code for A1ien51’s UFO Posters:

<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.0 Transitional//EN">
<html>
  <head>
    <title> Eric Pascarello </title>
    <script>
      // The total is computed only in the browser, from values held in form fields.
      function calcTotal(){
        var theForm = document.test;
        theForm.total.value = Math.round((theForm.amount.value * (19.99 - theForm.discount.value))*100)/100;
      }
    </script>
  </head>
  <body>
    <form name="test">
      A1ien51's UFO Posters (Price: $19.99)
      <table border="0">
        <tr>
          <td>Amount:</td>
          <td><input type="text" name="amount" value="1" onchange="calcTotal()"></td>
        </tr>
        <tr>
          <td>Discount:</td>
          <!-- readonly only stops typing in the field; script can still change the value -->
          <td><input type="text" name="discount" value="2.00" onchange="calcTotal()" readonly="readonly"></td>
        </tr>
        <tr>
          <td>Total:</td>
          <td><input type="text" name="total" value="17.99" onchange="calcTotal()"></td>
        </tr>
      </table>
    </form>
  </body>
</html>

And here is the hack to get free posters: paste the following line of code into the address bar of the browser.

javascript:document.test.discount.value=19.99;calcTotal();alert('It is free');

Now how do I know how to do this? Well, it is simple: all you need to do is look at the source code of the page. You look for the form names and element names, and you can change the values.

Anyone can enable disabled buttons with one line of code, make hidden items on the page visible, read the values of hidden fields that are set when the page loads, and view the generated code of the body.

By using these techniques you can learn how people can mess with the data on your web page, and they show why you should not rely on JavaScript to do anything major. If your business depends on adding form elements together, do it on the server side. Keep all of your information on the server side. Only use the amount totals!

Are there ways to make it harder to do things like this? Yes and no, since a person who knows JavaScript will be able to get around them. The thing to remember is that they cannot get around your server-side code if it is properly coded!
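
What that server-side code can look like for the poster form, as an added example that is not part of the original post. It assumes a Node.js handler that receives the parsed form body; the names CATALOG, MAX_QUANTITY and priceOrder and the "ufo-poster" key are hypothetical.

```javascript
// Added example: server-side pricing for the poster order form.
// Assumption: price and discount live in a server-side catalog, never in the page.
const CATALOG = new Map([
  ["ufo-poster", { priceCents: 1999, discountCents: 200 }],
]);
const MAX_QUANTITY = 100; // assumed business limit

// form: the parsed POST body; every value is an untrusted string.
function priceOrder(sku, form) {
  const item = CATALOG.get(sku);
  if (!item) return { ok: false, error: "unknown item" };

  // Only the quantity is accepted from the client, and only as a plain integer.
  const raw = String(form.amount ?? "").trim();
  if (!/^\d{1,3}$/.test(raw)) return { ok: false, error: "invalid amount" };
  const quantity = Number(raw);
  if (quantity < 1 || quantity > MAX_QUANTITY) {
    return { ok: false, error: "amount out of range" };
  }

  // Integer cents avoid floating-point drift. The discount and total are
  // recomputed here; form.discount is never read.
  const totalCents = quantity * (item.priceCents - item.discountCents);

  // A submitted total that disagrees with ours is worth logging.
  const claimedCents = Math.round(Number(form.total) * 100);
  const mismatch = form.total !== undefined && claimedCents !== totalCents;

  return { ok: true, quantity, totalCents, total: (totalCents / 100).toFixed(2), mismatch };
}

// Constructed sample submissions: an untouched form and one edited in the browser.
const honest = priceOrder("ufo-poster", { amount: "1", discount: "2.00", total: "17.99" });
const edited = priceOrder("ufo-poster", { amount: "1", discount: "19.99", total: "0" });
console.log(honest.total, honest.mismatch);
console.log(edited.total, edited.mismatch);
```

Both submissions are charged the same amount; the edited one is only distinguished by the mismatch flag, which can feed a log or alert.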

Eric Pascarello HTML/JavaScript moderator at JavaRanch.com


I did: javascript.void(document.cookie="Field = myValue"); but this does not change anything... help.

It should be:

javascript:variable="test";void(0);

Eric

