So I am curious if I missed a step when it comes to securing a form. Currently I have a form that customers use to request a new virtual server build in either the VMWare or Azure environments. Once submitted, the information gathered is used to populate a SQLite db, and the server build automation (separate process) picks up from there.
One of the security engineers has access to the form, and being the Nosey Nancy he is, decided to see if he could break it. The form itself is secured via an A.D. group. I use the default $User variable to populate the first field on the form, like so:
New-UDTextbox -Id "Requester" -Placeholder "Requester" -Value $User -Disabled
The user found that he could hit F12 while on the form, go in and simply erase the Disabled property, after which he could put in any name he wants. I was able to reproduce it, as well as confirming that the garbage was sent to the database:
Just wondering if this is simply a client-side flaw in this company’s browser settings, or if this is a security setting I should have addressed when building the form itself.
Product: PowerShell Universal Version: 1.5.9