0

Hi all,

I am creating an ecommerce site, and have some javascript getting data from dom elements and inserting them into my PHP Cart via AJAX.

It all works fine, but then i came to think of possible security issues with my approach.

Button inserting data into the cart with js, looks pretty much like this.

<p data-prodid="30" data-price="700">Add product To Cart</p>

I validate that the product exists serverside, so its not possible to add products that doesnt exists (by ID).

But I opened Chrome dev tools (F12) - And simply changed data-prodid="30", to data-prodid="1". That change were passed through to my PHP script (where i do all nessecary validation), but I was able to change to product to be added to the cart, simply by changing a DOM attributte.

I get the price for the product serverside, by looking up on the prodID. So the price cant be changed..

Is it really that easy to manipulate a live site, just by changing whatever attributtes used?

Im still on localhost, developing - But came to think of this approach and use of data-attributtes in this fashion was a good idea at all.

Can anyone share some thoughts on this approach? (Using HTML5 data attributtes for cart functionality).

If my setup was different, say i didnt get the price from the prodID passed, but also directly from the html5 data-attributte - Would that allow hackers to change cart totals in such an easy way?

Is there any way, I can detect of these attributtes has been manipulated or entirely prevent this?

The best, Klemme

Edited by klemme

2
Contributors
1
Reply
16
Views
2 Years
Discussion Span
Last Post by pritaeas
0

Is it really that easy to manipulate a live site, just by changing whatever attributtes used?

Basically. If you don't think ahead, you might forget this can happen. I've seen such things in production code.

Can anyone share some thoughts on this approach?

If you just use the ID, then changing it doesn't really matter. Assuming you check server side if it's still in stock etc. If you use details that will be used on the order, please don't.

If my setup was different, say i didnt get the price from the prodID passed, but also directly from the html5 data-attributte - Would that allow hackers to change cart totals in such an easy way?

Yes. Some basic Javascript knowledge suffices for this. Any kid can do this.

Is there any way, I can detect of these attributtes has been manipulated or entirely prevent this?

Store a hash/token alongside that can be used to verify manual change.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.