
Prevent malicious user from executing JavaScript

In my JSP I have a function like fnGetTicketDetails:

function fnGetTicketDetails(record){
    $("#TicketNumber").val(record);
    $("#TicketDetailsForm").submit();
    return false;
}

I have a form like this:

<form name="TicketDetailsForm" id="TicketDetailsForm" method="post" action='${properties["SUBMIT_TICKET_DETAIL"]}'
    target="_blank" style="display: none;">

I have a hidden input parameter:

<input type="hidden" name="record" id="TicketNumber" /> 

It is working fine on the server. The issue is: if I use

javascript:eval("fnGetTicketDetails(83769551); eval();");

in the browser, then I also get the details, which is invalid. How can I block this type of request from the browser? Because a hacker can easily get the details if he knows the ticket number.

You can't prevent the user from doing this.

You must treat all input from the user, including all requests sent by your JavaScript, as untrusted.

That means that the server must verify that the request from the user is legitimate (i.e. it must check whether the current user has permission to read the specified detail).

Relying on hidden fields and JavaScript to keep your data secure is a very easy way of getting your data stolen.

You can't. Any data stored on the client is going to be visible to the end user.

The issue here is that your server is willing to show the details to anyone who asks for them. Don't even try to stop the user asking. Just do a check server-side to make sure that that user is allowed to view those ticket details. If they're not, don't deliver them!
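Both answers come down to the same fix: the server that receives the TicketDetailsForm POST must decide for itself whether the logged-in user may see the requested ticket, instead of trusting the hidden `record` field. The servlet below is an added example and is not code from the original question or either answer; the session attribute names (`userId`, `isSupportAgent`), the `Ticket` class and the in-memory ticket store are assumptions standing in for the real application's login mechanism and database.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the original post. Handles the POST sent by
// TicketDetailsForm. The hidden "record" field is treated as untrusted input;
// the decision to show a ticket is made from the server-side session and the
// ticket's stored owner, never from anything the browser sent.
public class TicketDetailsServlet extends HttpServlet {

    // Hypothetical ticket record; a real application would load this from its database.
    static final class Ticket {
        final long number;
        final String ownerId;   // account that opened the ticket
        final String details;
        Ticket(long number, String ownerId, String details) {
            this.number = number;
            this.ownerId = ownerId;
            this.details = details;
        }
    }

    // Constructed sample data standing in for the ticket store (assumption for this example).
    private static final Map<Long, Ticket> TICKETS = new HashMap<>();
    static {
        TICKETS.put(83769551L, new Ticket(83769551L, "alice", "Printer on floor 3 is offline"));
        TICKETS.put(83769552L, new Ticket(83769552L, "bob", "VPN certificate expired"));
    }

    /**
     * The authorization decision, kept separate so it can be unit-tested.
     * Returns the ticket if userId may read it, otherwise null. Support agents
     * (isAgent) may read every ticket; other users only the tickets they own.
     * "Not found" and "not yours" deliberately look the same to the caller, so a
     * user probing ticket numbers cannot learn which ones exist.
     */
    static Ticket findTicketFor(String userId, boolean isAgent, long ticketNumber) {
        Ticket t = TICKETS.get(ticketNumber);
        if (t == null) {
            return null;
        }
        if (isAgent || t.ownerId.equals(userId)) {
            return t;
        }
        return null;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity comes from the server-side session established at login
        // (attribute names are assumptions for this example), never from the form.
        HttpSession session = req.getSession(false);
        String userId = session == null ? null : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        boolean isAgent = Boolean.TRUE.equals(session.getAttribute("isSupportAgent"));

        // The hidden field is attacker-controlled: validate its shape before use.
        // Long.parseLong(null) also throws NumberFormatException, so a missing
        // parameter is rejected by the same branch.
        long ticketNumber;
        try {
            ticketNumber = Long.parseLong(req.getParameter("record"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        Ticket t = findTicketFor(userId, isAgent, ticketNumber);
        if (t == null) {
            // Same response whether the ticket is missing or belongs to someone else.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Ticket " + t.number + ": " + t.details);
    }
}
```

With this in place it no longer matters whether the request comes from fnGetTicketDetails, from a `javascript:` URL typed into the address bar, or from curl posting `record=83769551` directly: the servlet only returns a ticket the session's user is allowed to read. Hiding the form, obscuring the field name, or trying to block `eval` in the browser adds nothing, because none of that is under the server's control.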
