Question around form validation

So I am curious if I missed a step when it comes to securing a form. Currently I have a form that customers use to request a new virtual server build in either the VMWare or Azure environments. Once submitted, the information gathered is used to populate a SQLite db, and the server build automation (separate process) picks up from there.

One of the security engineers has access to the form, and being the Nosey Nancy he is, decided to see if he could break it. The form itself is secured via an A.D. group. I use the default $User variable to populate the first field on the form, like so:

New-UDTextbox -Id "Requester" -Placeholder "Requester" -Value $User -Disabled 

The user found that he could hit F12 while on the form, go in and simply erase the Disabled property, after which he could put in any name he wants. I was able to reproduce it, as well as confirming that the garbage was sent to the database:

Just wondering if this is simply a client-side flaw in this company’s browser settings, or if this is a security setting I should have addressed when building the form itself.

Product: PowerShell Universal
Version: 1.5.9

Bumping, just curious if anyone has seen the same behavior or if it is environment-specific?

This is going to be a problem with any website. You just need to make sure you validate on the back end that it’s the data you are expecting.

For example, if you are processing that form and only using the requestor text field for display purposes, you can use the $User variable in the OnSubmit to avoid the user tampering with something that shouldn’t change.
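One way to apply the advice above, written here as an added example rather than code from the thread or from the PowerShell Universal project. It assumes the PowerShell Universal 1.5.x dashboard cmdlets `New-UDForm`, `New-UDTextbox`, `New-UDSelect`, `New-UDSelectOption` and `Show-UDToast`, plus the automatic `$User` and `$EventData` variables; `Save-BuildRequest` is a hypothetical placeholder standing in for the SQLite insert.

```powershell
# Added example (not from the original thread). Assumes PowerShell Universal 1.5.x
# dashboard cmdlets and the automatic $User / $EventData variables.
# Save-BuildRequest is a hypothetical placeholder for the SQLite insert.

function Save-BuildRequest {
    param(
        [Parameter(Mandatory)][string]$Requester,
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$Environment
    )
    # Placeholder: hand these values to the SQLite insert as bound SQL parameters,
    # never by string-concatenating them into the statement text.
}

# Allow-list of environments the build automation actually supports.
$AllowedEnvironments = @('VMware', 'Azure')

New-UDForm -Content {
    # Display-only field. -Disabled is purely cosmetic in the browser, so whatever
    # the client sends back for this field is ignored in OnSubmit below.
    New-UDTextbox -Id 'Requester' -Placeholder 'Requester' -Value $User -Disabled
    New-UDTextbox -Id 'ServerName' -Placeholder 'Server name'
    New-UDSelect -Id 'Environment' -Option {
        foreach ($envName in $AllowedEnvironments) {
            New-UDSelectOption -Name $envName -Value $envName
        }
    }
} -OnSubmit {
    # 1. Take the requester from the authenticated session, not from the form.
    #    Removing -Disabled in dev tools changes $EventData.Requester, not $User.
    $requester = $User

    # 2. Re-validate every other field on the server; client-side limits can be stripped.
    $serverName  = [string]$EventData.ServerName
    $environment = [string]$EventData.Environment

    if ($serverName -notmatch '^[A-Za-z0-9-]{1,15}$') {
        Show-UDToast -Message 'Server name must be 1-15 letters, digits or hyphens.' -Duration 5000
        return
    }
    if ($environment -notin $AllowedEnvironments) {
        Show-UDToast -Message "Unknown environment '$environment'." -Duration 5000
        return
    }

    # 3. Only now write to the database, using the server-trusted values.
    Save-BuildRequest -Requester $requester -ServerName $serverName -Environment $environment
    Show-UDToast -Message "Request for $serverName ($environment) submitted by $requester." -Duration 5000
}
```

The point of the pattern is that nothing the browser submits is trusted on its own: the identity comes from the session, the free-text field is checked against a pattern, and the drop-down value is checked against the same allow-list used to build it, so stripping `-Disabled` or editing the select's options in dev tools changes nothing that reaches the database.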

Thanks, I thought as much, just wanted to confirm so I have something to return to our Security Engineer.
