Prevention of unauthorized manipulation of hidden fields
import express from 'express';
const app = express();
app.use(express.urlencoded({ extended: true }));
app.get('/profile', (req, res) => {
res.send(`
`);
});
app.post('/update-profile', (req, res) => {
const { username, password, isAdmin } = req.body;
if (isAdmin === 'true') {
// Perform privileged action
res.send('Profile updated as admin!');
} else {
// Perform regular action
res.send('Profile updated!');
}
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The vulnerability in this code is hidden fields manipulation.
In the
/profile route, a form is rendered with three input fields:
username,
password, and
isAdmin. The
isAdmin field is hidden from the regular user, meaning it is not visible on the form.
When the form is submitted to the
/update-profile route, the server retrieves the values of
username,
password, and
isAdmin from the request body.
The vulnerability lies in the fact that an attacker can manipulate the hidden
isAdmin field by modifying its value in the request. Since the server blindly trusts the value of
isAdmin received from the request, an attacker can set
isAdmin to
'true' and force the server to perform privileged actions that should only be allowed for administrators.
This can lead to unauthorized access, data manipulation, or other undesired behaviors in the application.
To fix this vulnerability, the server should not rely on client-provided values for sensitive or privileged actions. Instead, the server should validate and control such values on the server-side to ensure the integrity and security of the application.
import express from 'express';
const app = express();
app.use(express.urlencoded({ extended: true }));
app.get('/profile', (req, res) => {
res.send(`
`);
});
app.post('/update-profile', (req, res) => {
const { username, password } = req.body;
const isAdmin = false; // Set isAdmin to false by default
if (req.user.isAdmin === true) {
isAdmin = true; // Validate the isAdmin field on the server-side
}
if (isAdmin) {
// Perform privileged action
res.send('Profile updated as admin!');
} else {
// Perform regular action
res.send('Profile updated!');
}
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by implementing server-side validation and only sending the fields that require user input in the requests.
1. The code uses the Express framework to create a server.
2. The
express.urlencoded() middleware is used to parse the request body and make it accessible in the
req.body object.
3. The
/profile route handles the GET request and renders a form with two input fields:
username and
password.
4. The form's
action attribute is set to
/update-profile and the
method attribute is set to POST.
5. The
/update-profile route handles the POST request and retrieves the
username and
password values from the
req.body object.
6. The code introduces a variable
isAdmin and sets it to
false by default.
7. It then checks if
req.user.isAdmin is
true to validate the
isAdmin field on the server-side. This ensures that only authorized users can set
isAdmin to
true.
8. If
isAdmin is
true, it performs a privileged action and sends a response indicating that the profile has been updated as an admin.
9. If
isAdmin is
false, it performs a regular action and sends a response indicating that the profile has been updated.
10. The server listens on port 3000 for incoming requests.
By validating the
isAdmin field on the server-side and only sending the necessary fields in the request, the code mitigates the risk of hidden field manipulation vulnerability.