
So I was testing my application for some vulnerabilities and found one that I missed:

<input class="hidden" type="hidden" name="event_id" value="{{ $event->id }}">

this puts the ID of the current event during the checkout into the database. Of course this would allow a malicious user to change its value and change the booked course. I found some postings on SO that said to encrypt and decrypt the values of the hidden input to prevent abuse: https://stackoverflow.com/a/29516318


So I did that:

<input class="hidden" type="hidden" name="event_id" value="{{ Crypt::encryptString($event->id) }}">

and in my Laravel controller I do:

//  Store data in database
$checkout = new Checkout();
$checkout->event_id = Crypt::decryptString($request->event_id);
$checkout->quantity = array_sum($request->ticket);
$checkout->firstname = $request->firstname;
$checkout->lastname = $request->lastname;
$checkout->email = $request->email;
$checkout->phone = $request->phone;
$checkout->save();

I tested the "vulnerability" and it threw an Invalid MAC error. So my question would be: is this enough?

1 Answer

This is not a good approach. A malicious user can observe which values are used in which cases, extract an encrypted value from one case and then use it in another case.

You should expect that the user can make any changes to the client code. It makes no sense to implement any protection on the client side. Any validations there should only help a normal user get a better user experience. But you should never rely on the data sent by the client.

You should always validate any data received from the client. For instance: is this event allowed for this user based on the current data in the database? Or is this user allowed to call this endpoint with these data? And of course other validations, e.g. to prevent XSS.

Then not only will your application be safer; this will also essentially simplify the design of the client side, and you will need less effort to implement further functionality and to support your client part.

mentallurg
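One way to put the answer's advice into practice, as an added example that is not code from the question or the answer: the hidden field carries the plain event id, and the controller treats it purely as an untrusted lookup key. Everything that matters (does the event exist, is it open for booking, is there capacity, may this user book it) is decided from the database and the authenticated session, so a replayed or edited value from another event buys the attacker nothing. The `Event` columns `is_open` and `starts_at`, the `remainingCapacity()` method, the `book` policy ability and the route name are assumptions for illustration, not part of the original application.

```php
<?php
// Added example (not the asker's or answerer's code): server-side validation
// of a client-supplied event_id in a Laravel controller. Assumed and
// illustrative: Event has `is_open` (bool) and `starts_at` (datetime cast)
// columns plus a remainingCapacity() method, and an EventPolicy defines a
// `book` ability. The base Controller is assumed to use AuthorizesRequests.

namespace App\Http\Controllers;

use App\Models\Checkout;
use App\Models\Event;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class CheckoutController extends Controller
{
    public function store(Request $request)
    {
        // 1. Shape validation. `exists` consults the database, so an id that
        //    does not belong to an open event is rejected before any work is done.
        $data = $request->validate([
            'event_id'  => ['required', 'integer',
                            Rule::exists('events', 'id')->where('is_open', true)],
            'ticket'    => ['required', 'array', 'min:1'],
            'ticket.*'  => ['integer', 'min:0', 'max:10'],
            'firstname' => ['required', 'string', 'max:100'],
            'lastname'  => ['required', 'string', 'max:100'],
            'email'     => ['required', 'email', 'max:254'],
            'phone'     => ['nullable', 'string', 'max:32'],
        ]);

        // 2. The authoritative record comes from the database, never from the form.
        $event = Event::findOrFail($data['event_id']);

        // 3. Business rules the client cannot be trusted to enforce.
        $quantity = array_sum($data['ticket']);
        abort_if($event->starts_at->isPast(), 422, 'This event has already started.');
        abort_if($quantity < 1, 422, 'At least one ticket is required.');
        abort_if($event->remainingCapacity() < $quantity, 422, 'Not enough seats left.');

        // 4. Authorization: may the current user book this particular event?
        //    (Backed by an assumed EventPolicy::book(User $user, Event $event).)
        $this->authorize('book', $event);

        // 5. Persist using the validated, looked-up values only.
        $checkout = new Checkout();
        $checkout->event_id  = $event->id;
        $checkout->quantity  = $quantity;
        $checkout->firstname = $data['firstname'];
        $checkout->lastname  = $data['lastname'];
        $checkout->email     = $data['email'];
        $checkout->phone     = $data['phone'] ?? null;
        $checkout->user_id   = $request->user()?->id; // null for guest checkout
        $checkout->save();

        // Assumed route name for the confirmation page.
        return redirect()->route('checkout.confirm', $checkout);
    }
}
```

Note that encrypting the hidden field adds nothing here: once the server re-validates the id against the database and checks authorization, the plain integer is just as safe as a ciphertext, and the `Rule::exists(...)->where(...)` constraint already turns the "swap in another event's value" trick into a validation error. Output escaping for the stored names and email is handled by Blade's `{{ }}` when they are rendered, which covers the XSS point the answer raises.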