Can an attacker use inspect element harmfully?

Casey Neistat picture Casey Neistat · May 4, 2017 · Viewed 10.9k times · Source

I know this is a broad question, but I think I'm missing something here. Is it possible for an attacker to cause damage to a site by simple using inspect element and editing the javascript and html? For example, it seems too easy for someone to change the maxlength of an input, and upload so much data that it could crash the server, I know that it is always good practice to check data at the server but it still seems too easy. Or another more potentially dangerous example is if the attacker can mess with an $.ajax call and send bad info to the server. Is it something I should be worrying more about or are the changes just temporary, on the attackers browser?

Answer

Trevor Freeman picture Trevor Freeman · May 4, 2017

The changes are temporary on the individual user's browser.

However, the changes will allow that user to interact with your backend however they choose to do so. This is one way in which sites are attacked.

The standard rule is to never trust input coming from the user / browser. Do not trust the value of hidden fields, do not trust that they have not changed the length, do not trust that they have not added new values (e.g. to a drop down), do not trust any validation that has been done in Javascript, etc.

Some examples:

  • Some shopping sites in the past would include the amount to be paid as a hidden field in the form. Changing this value changed the amount charged to a credit card while still approving the transaction.
  • Sites with Javascript validation rules that could be skipped by posting directly to the backend service opening themselves up to SQL and HTML / Script injection attacks.
  • Drop downs, radio button, and checkbox inputs where unexpected values can be added to the form.