JavaScript security: AJAX call to record user's screen resolution, can fake numbers be prevented?

This is a JavaScript security issue: suppose the page detects a computer screen resolution like 1024 x 768 and wants to use an AJAX call to record that data in the DB.

Is there a way to prevent fake data from entering the database? I think that no matter what the HTML or JavaScript is doing, the user can rewrite the code so that fake numbers are injected into the DB. Or is there a way to prevent it entirely (100% safe)?

Update: or a similar situation ... if I write a simple JavaScript game, is there a way for the user to send back an AJAX score and lie about their score?

+1


5 answers


If you start from the assumption that the user you are communicating with is malicious, then no; there is nothing you can do to control what data they transmit to you. Certainly not with 100% certainty: at worst, they can use web tools to rewrite or replace any "correct" content with whatever they want.

If you just want to prevent accidental malicious intent, you can obfuscate or encrypt your code and/or data. This will not stop a specific attacker.



If you really trust a real user, but suspect that others might try to impersonate them, you can use other methods like a dynamic canary: send the user a random number, and if they return the same number to you, you know it really came from them ... (or you are under a man-in-the-middle attack, but hey, that's what SSL is for).

+5


There is no way to prevent users from sending any numbers they like back from JavaScript.

I think the best you could do is some server-side validation to make sure the numbers sent back look like a realistic resolution.



I'm not sure why anyone would take the time to fake these numbers in the first place.

+2


Yes, you are right. Since you are using client-side code, you have to hand it to the user's computer (and therefore the user) one way or another, no matter what encryption or obfuscation you use. So no.

+1


For a resolution, it would in principle be impossible to determine whether the resolution is valid. My resolution is usually sent to the server as 5120 x 1600, which seems rather unrealistic, but that's because two screens are often reported as one. Otherwise, there is a huge number of possible screen resolutions and screen configurations, and you would probably reject a lot of valid ones, although there may be few of them.

For the game, you can perform additional checks that make it harder to cheat. Things like sending multiple score notifications throughout the game and requiring X of them to ensure that the result is valid. (I.e., you should get one between 200-300, 400-500, 700-800 and then the final score is 1000.) With the final score, you can also have some kind of encrypted value that can only be used once or contains some data with a CRC on it. Basically, in the end, you want to get other data than just the score, especially for higher scores.

+1


To try and answer by elaborating on the comments made by Doc and yourself: there is a clear distinction between manipulating an application to "cheat" it out of something, whether it's an online business to get something cheaper or an MMORPG for more experience, and manipulating it in such a way that it does not display the interface correctly and reduces the overall user experience for that particular user (hacker?).

Your time would be better spent on other aspects of your site. I do not recommend that users of my site manipulate the HTML to make it look funny on their machines, but I am not going to go out of my way and obfuscate my server's output so that they are not harmed. In your case, validating a range against predefined safe values using a DB to ensure the user's view has an "allowed" resolution puts an unnecessary burden on your application and takes time.

+1
