Can a form with a disabled <input type=“submit”> be hacked to submit anyway?
Question
I'm just curious about the security of the <input type="submit" /> tag.
If I have a form (with method="post" ) with just one "Submit" button, which is disabled, and I haven't written any JS/AJAX/jQuery that affects the form, the button, or its other contents, could someone still find a way to submit the form?
Here's the code for a form along the lines I'm talking about:
<form method="post" action="processor.php" enctype="multipart/form-data">
<input type="text" name="foo" value="bar" />
<input type="submit" value="Submit" disabled="disabled" />
</form>
Thanks much!
7 answers
solution1
9 ACCPTED 2013-12-03 18:11:08
Yes, I don't even need your form to submit it. I can use cURL or a similar library to just send a POST request as if it came from a form.
Always validate everything server-side, you don't always get what you expect.
solution2
2 2013-12-03 18:14:58
Anyone skilled enough with the 'Element Inspector' of most modern browsers can add/edit/remove any attribute and their values.
Using this method I can remove the disabled attribute and then just click the submit button
That and you can run javascript through the console or the address bar/bookmark like this
javascript:document.getElementsByTagName("form")[0].submit();void(0);
Forms can also be submitted using server-side libraries like cURL
solution3
1 2013-12-03 18:09:51
Anything on the client can be hacked. Don't trust the client. Always validate on the server.
For example, Tampermonkey .
solution4
1 2013-12-03 18:10:58
Sure. Typing this in the console (or in a bookmarklet) will do it, with all modern browsers including IE8 and above:
document.querySelector("form[action=processor.php]").submit();
On older browsers, if it's the first form:
document.getElementsByTagName("form")[0].submit();
If it's harder to find (not the first form), then on older browsers it might take a couple more lines of code, but that's all.
solution5
1 2013-12-03 18:12:20
Yes, they absolutely could. As a general rule, don't rely on anything client-side for security. A malicious user can and will manipulate any client-side code. You need to make sure everything is secure on the back-end, regardless of what requests your front-end code makes.
solution6
0 2013-12-03 18:12:53
I agree it can be submitted and one way to do it is by URL: http://website.com/processors.php(POST everything)
So if you don't want it submitted maybe use a Servlet check or other security measure
solution7
0 2013-12-03 18:13:45
Other answers state that you can submit the form directly without using your form, which is also true. I just wanted to point out that, in addition, the user could un-disable your button and then click it, as well (using Firebug or equivalent). Any html or other text you send to the client, they can modify however they like.
Disabling buttons client-side is great for increasing usability (disabling during ajax updates, or if there are required fields missing values, for instance), but it shouldn't be part of your toolkit for anything security-related.
solution8
0 2014-06-22 21:46:06
Yes, they can simply alter the HTML and enable the form by changing $disabled="disabled"$ to $disabled="false"$. Set your server not to accept invalid input.
solution9
-1 2013-12-03 18:12:48
Of course is possible to hack you "silly" form. Therefore for sure it will be better if you will make all neccessary validations on the server side.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.