How to hide uniEdit from Google developer tools (Google console)


irigsoft

Hi.

How to disable changing uniEdit.Text from Client Side?

Scenario: https://stackoverflow.com/questions/58080896/how-to-protect-my-form-input-field-data-from-a-user-to-changes-in-the-console

1. I have a form that uses uniEdit to keep some information, like userName.

2. This uniEdit is owned by TuniHiddenPanel, and that panel.Visible = False and uniEdit.Visible = False.

3. When I click some button, I get uniEdit.Text and use it to save data to the database.

 

My problem:

uniEdit is visible in the Google console and uniEdit.Text can be changed with the console. Is it possible to block or disable this?

 

 

Can we have 'Form tampering prevention' like SecurityComponent in CakePHP to prevent the following things:

 - Unknown fields cannot be added to the form.
 - Fields cannot be removed from the form.
 - Values in hidden inputs cannot be modified. It's very useful stuff.

Link to comment
Share on other sites

41 minutes ago, Oliver Morsch said:

You cannot trust data that comes from the client.

Why do you want to save user name client side?

That should be done server side saved in UniMainModule after login, then user cannot access and manipulate...

 

I gave username just as an example; different data can be saved in this input field on the client side. I just want to know how to protect it.

Link to comment
Share on other sites

24 minutes ago, Oliver Morsch said:

How? -> save server side!

Ok, but in some cases this is not possible, like this:

1. A client writes some text in uniEdit and clicks a button that will hide uniEdit and move to the next component.

2. A would-be attacker can extract the value from uniEdit and change it, even though the field is not visible!

- I want to hide this uniEdit and disable changing its value until I send it to the server.

Sometimes I run a form with text values filled in hidden uniEdit and this is a problem because an attacker can extract all the hidden components and change the value before the client uses it or sends it back to the server.

Maybe my question is not very clear, but I am asking how safe it is to hide some components in the hidden panel and how safe it is from Google DevTools or others.

Link to comment
Share on other sites

As already mentioned in your Stack Overflow link, you should use the backend.

In your case "1", do you hide the edit server side (Delphi code)? Then you can also save it server side there!

Maybe you can also encrypt the value or build a hash code you check later on server side.

I think there is no other solution...

Link to comment
Share on other sites

In the past I used HiddenPanel for a staging area where I placed certain UniGUI IDE Visual Components that are hidden from Forms/Panels in general.

eg. UniGrid uses a Custom Editor for a given field that is encapsulated into the grid.

These days I make everything at runtime.

 

Link to comment
Share on other sites

29 minutes ago, andyhill said:

These days I make everything at runtime.

hello

I have created my own designer and every project implemented with unigui is empty and created at runtime.

With this implementation method, it is possible that some components are visible and others are not.

Each component can have procedures (such as OnClick, OnChange, and others), and these procedures can be executed even when the component is not visible. I can't create the invisible components at runtime because some other (visible) component can write or read a caption or text value, or even perform a button click.

But this could lead to a security hole and I'm looking for a way to stop this.

 

Link to comment
Share on other sites

10 hours ago, andyhill said:

In reality, my understanding is that anything the browser displays (obfuscated code underneath or not) it is ultimately accessible.

Yes, I think so too.

But here is an example showing that it is possible in CakePHP: https://stackoverflow.com/questions/58080896/how-to-protect-my-form-input-field-data-from-a-user-to-changes-in-the-console

"Can we have 'Form tampering prevention' like SecurityComponent in CakePHP to prevent the following things:

 - Unknown fields cannot be added to the form.
 - Fields cannot be removed from the form.
 - Values in hidden inputs cannot be modified. It's very useful stuff."

I am trying to find a way to protect against:

"Form Parameter Tampering
Form parameter tampering occurs when attackers modify the data submitted in a web form. This can be done by altering hidden fields, drop-down menus, or any other form elements. The goal is to submit information that the application was not expecting, such as a negative number for a product quantity to test how the server handles unexpected input.

Such tampering can lead to a range of outcomes, from minor disruptions to significant security breaches, depending on the nature of the form and the data it handles."
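The "build a hash code you check later on server side" suggestion from earlier in the thread, applied to the three properties in the list quoted above. This is an added example, not part of any post and not uniGUI or CakePHP code; it is written in Python, and `SERVER_KEY`, `TOKEN_FIELD`, `issue_form` and `verify_submission` are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_FIELD = "_form_token"  # hypothetical name of the extra hidden field


def _mac(session_id, field_names, locked):
    """HMAC-SHA256 over the session, the allowed field names and locked values."""
    payload = json.dumps(
        {"sid": session_id, "fields": sorted(field_names), "locked": locked},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_form(session_id, editable, locked):
    """When rendering: editable is a list of names, locked a name->value dict."""
    form = {name: "" for name in editable}
    form.update(locked)
    form[TOKEN_FIELD] = _mac(session_id, list(form), locked)
    return form


def verify_submission(session_id, submitted, locked_names):
    """On submit: locked_names comes from the server's form definition."""
    data = dict(submitted)
    token = str(data.pop(TOKEN_FIELD, ""))
    locked = {name: data.get(name) for name in locked_names}
    expected = _mac(session_id, data.keys(), locked)
    # Constant-time comparison; any added, removed or locked-value change fails.
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    # Constructed sample: one editable field, one hidden (locked) field.
    form = issue_form("sess-1", ["comment"], {"user_name": "alice"})
    honest = dict(form, comment="hello")
    print("honest:", verify_submission("sess-1", honest, ["user_name"]))
    print("hidden value edited:",
          verify_submission("sess-1", dict(honest, user_name="admin"), ["user_name"]))
    print("field added:",
          verify_submission("sess-1", dict(honest, is_admin="1"), ["user_name"]))
```

The token only detects changes to the field set and to locked values; editable values still need ordinary server-side validation, and the same token stays valid for repeat submissions within its session.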

Link to comment
Share on other sites

1 hour ago, Sherzod said:

Hello,

Well, when let's say UniEdit is set to ReadOnly on the server side, any changes made on the client side will not be taken into account on the server side.

Thanks,

So if I want to block any client-side manipulation of any component (label, button, BitBtn, panel, groupbox, edit), then I just have to make it read-only (if it exists), right?

If I made uniEdit.Visible = True and at runtime on the server side I make it Visible = False and ReadOnly = True, then this will block editing on the client side, right?

 

Let me ask then how about buttons and blocking onClick events, is it possible?

Link to comment
Share on other sites

This was before the first version:

0.99.96 - Hacking Preventation: Avoid processing events from controls that are disabled or hidden.

1.00.00 - Client side JS hacking is possible when control's parent is disabled or invisible.

 

Link to comment
Share on other sites

1 hour ago, Sherzod said:

This was before the first version:

0.99.96 - Hacking Preventation: Avoid processing events from controls that are disabled or hidden.

1.00.00 - Client side JS hacking is possible when control's parent is disabled or invisible.

 

OK, what is the purpose of uniHiddenPanel?

Link to comment
Share on other sites

@Sherzod.

Based on what we're talking about here, I'm trying to change the Captions of some panels of my projects with the Google console. All these panels are visible.

This is quite possible now. How can I block it?

How can I block the Caption and Text properties of components like Edit, Label, Panel, GroupBox from being changed on the client side?

Link to comment
Share on other sites
