irigsoft Posted February 18
Hi. How to disable changing uniEdit.Text from the client side?
Scenario: https://stackoverflow.com/questions/58080896/how-to-protect-my-form-input-field-data-from-a-user-to-changes-in-the-console
1. I have a form that uses uniEdit to keep some information, like userName.
2. This uniEdit is owned by TuniHiddenPanel, and that panel.Visible = False and uniEdit.Visible = False.
3. When I click some button, I get uniEdit.Text and use it to save data to the database.
My problem: uniEdit is visible with the Google console and uniEdit.Text can be changed with the console. Is it possible to block or disable this? Can we have 'Form tampering prevention' like SecurityComponent in CakePHP to prevent the following things:
- Unknown fields cannot be added to the form.
- Fields cannot be removed from the form.
- Values in hidden inputs cannot be modified.
It's very useful stuff.
Oliver Morsch Posted February 18
You cannot trust data that comes from the client. Why do you want to save the user name client side? That should be done server side, saved in UniMainModule after login; then the user cannot access and manipulate it...
irigsoft Posted February 18 (Author)
41 minutes ago, Oliver Morsch said: You cannot trust data that comes from the client. Why do you want to save the user name client side? That should be done server side, saved in UniMainModule after login; then the user cannot access and manipulate it...
I gave userName just as an example; different data can be saved on the client side in this input field. I just want to know how to protect it.
Oliver Morsch Posted February 18
How? -> save server side!
irigsoft Posted February 18 (Author)
24 minutes ago, Oliver Morsch said: How? -> save server side!
Ok, but in some cases this is not possible, like this:
1. A client writes some text in uniEdit and clicks a button that will hide uniEdit and move to the next component.
2. A would-be attacker can extract the value from uniEdit and change it, even though the field is not visible!
- I want to hide this uniEdit and disable changing its value until I send it to the server.
Sometimes I run a form with text values filled in hidden uniEdit and this is a problem, because an attacker can extract all the hidden components and change the value before the client uses it or sends it back to the server. Maybe my question is not very clear, but I am asking how safe it is to hide some components in the hidden panel and how safe that is from Google DevTools or others.
Oliver Morsch Posted February 18
As already mentioned in your Stack Overflow link, you should use the backend. In your case "1", do you hide the edit server side (Delphi code)? Then you can also save it server side there! Maybe you can also encrypt the value or build a hash code you check later on the server side. I think there is no other solution...
irigsoft Posted February 18 (Author)
21 minutes ago, Oliver Morsch said: I think there is no other solution...
So what is the purpose of uniHiddenPanel? Why should I use it, and where?
andyhill Posted February 18
In the past I used HiddenPanel as a staging area where I placed certain UniGUI IDE visual components that are hidden from Forms/Panels in general, e.g. UniGrid uses a custom editor for a given field that is encapsulated into the grid. These days I make everything at runtime.
irigsoft Posted February 18 (Author)
29 minutes ago, andyhill said: These days I make everything at runtime.
Hello, I have created my own designer, and every project implemented with uniGUI is empty and created at runtime. With this implementation method, it is possible that some components are visible and others are not. Each component can have procedures (such as OnClick, OnChange, and others), and these procedures can be executed even when the component is not visible. I can't create the invisible components at runtime because some other (visible) component can write or read a caption or text value, or even perform a button click. But this could lead to a security hole, and I'm looking for a way to stop this.
andyhill Posted February 18
In reality, my understanding is that anything the browser displays (obfuscated code underneath or not) is ultimately accessible. Let me know what you come up with.
irigsoft Posted February 19 (Author)
10 hours ago, andyhill said: In reality, my understanding is that anything the browser displays (obfuscated code underneath or not) is ultimately accessible.
Yes, I think so too. But here is an example that in CakePHP it is possible: https://stackoverflow.com/questions/58080896/how-to-protect-my-form-input-field-data-from-a-user-to-changes-in-the-console
"Can we have 'Form tampering prevention' like SecurityComponent in CakePHP to prevent the following things:
- Unknown fields cannot be added to the form.
- Fields cannot be removed from the form.
- Values in hidden inputs cannot be modified.
It's very useful stuff."
I am trying to find a way to protect against:
"Form Parameter Tampering. Form parameter tampering occurs when attackers modify the data submitted in a web form. This can be done by altering hidden fields, drop-down menus, or any other form elements. The goal is to submit information that the application was not expecting, such as a negative number for a product quantity to test how the server handles unexpected input. Such tampering can lead to a range of outcomes, from minor disruptions to significant security breaches, depending on the nature of the form and the data it handles."
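The server-side check that the CakePHP SecurityComponent performs, and that Oliver's "build a hash code you check later on server side" suggestion points at, can be shown without any framework. The following is an added illustration, not uniGUI or CakePHP code: at render time the server records the form's field names and the values of its hidden (locked) inputs in a token protected by an HMAC under a server-only key, bound to the form id and session id; on submit it recomputes the MAC and compares the token's declaration with what the browser actually sent. Anything the client adds, removes, or edits in a locked field is rejected before the handler ever reads the data. The form, field names, session ids and key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a real server keeps one persistent, server-only key.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def seal_form(form_id: str, session_id: str, fields: dict, locked: list, secret: bytes = SERVER_SECRET) -> str:
    """Server side, at render time.

    fields: every input the server put on the form, name -> initial value.
    locked: names whose value the client must send back unchanged (hidden inputs).
    Returns the token to emit as a hidden '_token' input alongside the form.
    """
    unknown = [n for n in locked if n not in fields]
    if unknown:
        raise ValueError(f"locked fields not on form: {unknown}")
    payload = json.dumps(
        {
            "form": form_id,
            "session": session_id,
            "fields": sorted(fields),
            "locked": {n: fields[n] for n in sorted(locked)},
        },
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_mac(payload, secret)}"


def verify_submission(form_id: str, session_id: str, submitted: dict, secret: bytes = SERVER_SECRET):
    """Server side, on POST. Returns (ok, reason).

    Nothing in 'submitted' is trusted until the token's MAC checks out; only then is the
    token's declaration (field set, locked values) compared with what actually arrived.
    """
    token = submitted.get("_token")
    if not isinstance(token, str) or token.count(".") != 1:
        return False, "missing or malformed token"
    body, mac = token.split(".")
    try:
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return False, "missing or malformed token"
    if not hmac.compare_digest(mac, _mac(payload, secret)):
        return False, "token forged or corrupted"
    decl = json.loads(payload)
    if decl["form"] != form_id or decl["session"] != session_id:
        return False, "token issued for another form or session"
    names = set(submitted) - {"_token"}
    declared = set(decl["fields"])
    if names != declared:
        return False, f"field set changed: added={sorted(names - declared)} removed={sorted(declared - names)}"
    for name, value in decl["locked"].items():
        if submitted.get(name) != value:
            return False, f"locked field modified: {name}"
    return True, "ok"


def demo():
    """Constructed form: a hidden userName the client must not change plus a free-text comment."""
    form = {"userName": "alice", "comment": ""}
    token = seal_form("profile", "sess-1", form, locked=["userName"])
    honest = {"userName": "alice", "comment": "hi", "_token": token}
    tampered_mac = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "honest": verify_submission("profile", "sess-1", honest)[0],
        "edited_hidden": verify_submission("profile", "sess-1", {**honest, "userName": "admin"})[0],
        "added_field": verify_submission("profile", "sess-1", {**honest, "isAdmin": "1"})[0],
        "removed_field": verify_submission("profile", "sess-1", {"userName": "alice", "_token": token})[0],
        "other_session": verify_submission("profile", "sess-2", honest)[0],
        "forged_token": verify_submission("profile", "sess-1", {**honest, "_token": tampered_mac})[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Binding the token to the session keeps a token captured from one session from being replayed in another; the non-locked "comment" field is still freely editable, which is the intended split between data the client owns and data the server only lends it for the round trip.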
Sherzod Posted February 19
Hello. Well, when, let's say, UniEdit is set to ReadOnly on the server side, any changes made on the client side will not be taken into account on the server side.
irigsoft Posted February 19 (Author)
1 hour ago, Sherzod said: Hello. Well, when, let's say, UniEdit is set to ReadOnly on the server side, any changes made on the client side will not be taken into account on the server side.
Thanks, so if I want to block any client-side manipulation of any component (label, button, BitBtn, panel, groupbox, edit), then I just have to make it read-only (if it exists), right? If I make uniEdit.Visible = True and at runtime on the server side I make it Visible = False and ReadOnly = True, then this will block editing on the client side, right? Let me ask then about buttons and blocking OnClick events: is it possible?
Sherzod Posted February 19
This was before the first version:
0.99.96 - Hacking Prevention: Avoid processing events from controls that are disabled or hidden.
1.00.00 - Client side JS hacking is possible when control's parent is disabled or invisible.
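The two changelog entries above, together with Sherzod's ReadOnly remark, describe one defensive principle: the server keeps the authoritative state of every control, and an event arriving from the browser is applied only if that state allows it, walking up the parent chain so that a control inside a hidden or disabled container is covered too. The following is an added sketch of that dispatch rule, not uniGUI's own implementation; the control names, the Control/Form classes and the event names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Control:
    """Server-side record of one control; the browser only holds a copy of these flags."""
    name: str
    parent: Optional[str] = None
    visible: bool = True
    enabled: bool = True
    read_only: bool = False
    text: str = ""


class Form:
    """Authoritative state for one form plus a dispatcher for events the client reports."""

    def __init__(self, controls):
        self.controls = {c.name: c for c in controls}
        self.log = []

    def _chain(self, name):
        """Yield the control and then each ancestor up to the form root."""
        ctl = self.controls[name]
        while ctl is not None:
            yield ctl
            ctl = self.controls.get(ctl.parent) if ctl.parent else None

    def accepts_events(self, name):
        """True only if the control and every ancestor are visible and enabled (the 1.00.00 rule)."""
        return all(c.visible and c.enabled for c in self._chain(name))

    def handle(self, name, event, value=None):
        """Apply a client-reported event; return True if applied, False if dropped."""
        if name not in self.controls:
            self.log.append(f"{event} on unknown control {name!r}: dropped")
            return False
        if not self.accepts_events(name):
            self.log.append(f"{event} on {name!r}: dropped (control or ancestor hidden/disabled)")
            return False
        ctl = self.controls[name]
        if event == "change":
            if ctl.read_only:
                self.log.append(f"change on {name!r}: dropped (ReadOnly on server)")
                return False
            ctl.text = value
            self.log.append(f"change on {name!r}: applied")
            return True
        if event == "click":
            self.log.append(f"click on {name!r}: applied")
            return True
        self.log.append(f"{event} on {name!r}: dropped (unsupported event)")
        return False


def demo():
    """Constructed layout: an edit parked in a hidden panel, a read-only edit and a disabled button."""
    form = Form([
        Control("hiddenPanel", visible=False),
        Control("userName", parent="hiddenPanel", text="alice"),
        Control("mainPanel"),
        Control("comment", parent="mainPanel"),
        Control("total", parent="mainPanel", read_only=True, text="42"),
        Control("saveButton", parent="mainPanel", enabled=False),
    ])
    return {
        "edit_in_hidden_panel": form.handle("userName", "change", "admin"),
        "hidden_value_unchanged": form.controls["userName"].text == "alice",
        "readonly_edit": form.handle("total", "change", "0"),
        "disabled_button_click": form.handle("saveButton", "click"),
        "normal_edit": form.handle("comment", "change", "hi"),
        "unknown_control": form.handle("isAdmin", "change", "1"),
    }


if __name__ == "__main__":
    for case, applied in demo().items():
        print(f"{case}: {applied}")
```

The point of the log lines is that dropped events are worth recording: a "change" arriving for a control the server knows is hidden cannot come from an honest UI, so it is a useful detection signal as well as something to ignore.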
irigsoft Posted February 19 (Author)
1 hour ago, Sherzod said: This was before the first version: 0.99.96 - Hacking Prevention: Avoid processing events from controls that are disabled or hidden. 1.00.00 - Client side JS hacking is possible when control's parent is disabled or invisible.
OK, what is the purpose of uniHiddenPanel?
Sherzod Posted February 19
6 minutes ago, irigsoft said: What is the purpose of uniHiddenPanel?
A hidden panel is a uniGUI container which will not be shown. Its goal is to contain other components which will be used by other components (like the column editors for a grid). https://www.unigui.com/doc/online_help/api/uniPanel_TUniHiddenPanel.html
irigsoft Posted February 19 (Author)
2 hours ago, irigsoft said: Client side JS hacking is possible when control's parent is disabled or invisible.
So, is there a solution if the parent is Visible (not disabled and is Visible)? Like SecurityComponent in CakePHP: https://book.cakephp.org/3/en/controllers/components/security.html
irigsoft Posted February 19 (Author)
@Sherzod. Based on what we're talking about here, I'm trying to change the Captions of some panels of my projects with the Google console, and all these panels are visible. This is quite possible now; how can I block it? How can I block the Caption and Text properties of components like Edit, Label, Panel and GroupBox from being changed on the client side?