DO NOT implement web security with your UI – level 100

I mark this post as 100 because this is basic knowledge that every developer should know. I’m maintaining a semi-legacy ASP web application, and so many pages implement security through the UI. For instance, if a user isn’t allowed to update data, then a “disabled” attribute is added to the <input type="submit">. That’s it! That’s all they do to protect their data. So, how do you get around this? You change the HTML and repost, or you run some script to remove the disabled attribute, or just create your own HTTP request. The page that actually does the update does NO validation, NO checks. It just assumes that the request is coming from the previous page unchanged, and it blindly updates data.

There is no easy fix for a site that is developed like this. You really have to recode all the areas that modify data. Some people might suggest checking the HTTP_REFERER server variable, but I whipped up a sample to show how easy it is to spoof that variable, and it’s not even a required variable in the HTML specification, so that’s out the window as a “real” solution. The only solution is to code it correctly. Check credentials before allowing the update.
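To make the difference concrete, here is an added example (not code from the application or from this post's original sample) that models the update page as a plain Python function and sends the same hand-built request to three versions of it. The session store, the `can_update` flag, the `app.example` URL and all function names are assumptions made for illustration.

```python
# Added example: the update page modeled as a function so it runs offline.
# SESSIONS, can_update and the handler names are hypothetical.
SESSIONS = {  # constructed server-side session store: session id -> user record
    "sid-alice": {"user": "alice", "can_update": True},
    "sid-bob": {"user": "bob", "can_update": False},  # bob's page shows a disabled button
}

def new_db():
    return {"42": "original value"}

def update_ui_only(request, db):
    """The pattern described above: assumes the form arrived unchanged."""
    db[request["form"]["id"]] = request["form"]["value"]
    return 200

def update_referer_check(request, db):
    """Referer 'fix': the header is supplied by the client, so it proves nothing."""
    if not request["headers"].get("Referer", "").startswith("https://app.example/edit"):
        return 403
    db[request["form"]["id"]] = request["form"]["value"]
    return 200

def update_checked(request, db):
    """Authorization decided from server-side state on every request."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401  # not logged in
    if not session["can_update"]:
        return 403  # logged in, but not allowed to modify data
    db[request["form"]["id"]] = request["form"]["value"]
    return 200

def crafted_request(sid):
    """A request built by hand instead of by the rendered page (constructed sample)."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Referer": "https://app.example/edit?id=42"},  # client-chosen value
        "form": {"id": "42", "value": "changed"},
    }

def run(handler, sid):
    """Send the crafted request to a handler; return (status, stored value)."""
    db = new_db()
    return handler(crafted_request(sid), db), db["42"]

if __name__ == "__main__":
    for h in (update_ui_only, update_referer_check, update_checked):
        print(h.__name__, "bob:", run(h, "sid-bob"), "alice:", run(h, "sid-alice"))
```

Only `update_checked` refuses the read-only user, because it is the only version whose decision depends on state the client cannot edit.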

I wonder how many applications out there have this security hole.

It’s common knowledge that .Text has this “feature”. The comments feature is UI only. If it’s not on, then the UI won’t be displayed, but if you just post a comment, the web interface will accept it but not display it. But that comment will be downloaded with the RSS feed. I’ve already informed Scott W. about this, so he knows I’m not knocking him.

I think this is very common in web applications, and we need to do a better job of writing secure code.