November 26th, 2001, 11:18 PM
I was surprised to discover recently to what extent Explorer leaves your entire webpage vulnerable to data capture and manipulation. I found I could not only access external site variables and form fields from a page located on my desktop, I could write new data to them too! This includes hidden fields which you would think should not be touchable.
Is there anything that can be done to prevent this? Signed scripts? Anything. I have a game that will otherwise need to be converted to Flash, and would like to avoid the extra work if possible.
November 27th, 2001, 04:29 AM
What exactly do you mean by manipulation? Do you mean simply saving a page locally, changing the code and using absolute paths to interact with a remote site?
This isn't anything new, for example, find a form for uploading data that has a hidden field called something like 'max size' and you know you'll be able to alter that and upload files larger than are wanted.
November 27th, 2001, 11:30 PM
I can think of numerous interesting and advantageous uses of a hidden form field that the Explorer security stance makes impossible, including a client-side instant win game which I must now convert to Flash to prevent tampering.
I can understand why scripting form fields would be desirable, but hidden fields? Hidden should mean that the author doesn't want you messing with them, under any conditions.
November 27th, 2001, 11:35 PM
Oh. Your example is an excellent one:
"This isn't anything new, for example, find a form for uploading data that has a hidden field called something like 'max size' and you know you'll be able to alter that and upload files <b>larger than are wanted</b>."
This boggles my mind. MS doesn't view that as a security issue?
November 28th, 2001, 03:08 AM
One of the scariest things is the MSHTML vulnerabilities, try:
to see what I mean. Serious stuff. Check out:
for all the scares, and one thing to realise is that these are the ones that MS thinks are 'critical' so how many aren't?