I was working on an insurance project that had a requirement like this: if an admin logs in, a Submit button is enabled; if any other user logs in, it is disabled. One of my teammates implemented it, and afterwards I found a security issue in the code: what happens if a user enables the button from the client side and fires it? I will show you a demo of it and how to fix it.
Step - 1
Create two pages like this: page 1 is the login page, and page 2 holds the Submit button and the other controls.
On page 1, if the user does not enter "admin" in the username field, then on page 2 all the controls are rendered disabled. I have logged in as "rohit", so for me all the controls are disabled. Now I will enable these controls from the client side.
Step - 2
To enable the controls from the client side, follow these steps: open page 2 in the browser, remove the disabled property from all the controls (for example in the browser's developer tools), then click the button. The click fires and the server processes the postback exactly as it would for an admin, because the server never re-checks who is submitting. The disabled property only tells the browser not to let the user click; it is not enforced anywhere the user cannot change it, so any check that lives only in the rendered page can be undone by the person viewing that page.
Solution
How to fix this one
1. Hide the controls for non-admin users instead of only disabling them, so that nothing is rendered for the client to re-enable.
2. Check the role on the server in the click event itself and reject the request if the user is not an admin. This is the check that actually matters: option 1 only tidies up the UI, and a crafted request can still reach the click handler.
If any other options are there, please comment.
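The following is an added example of the two fixes above; it is not the original project's code. It assumes an ASP.NET Web Forms code-behind for page 2 with a Button control named btnSubmit, that page 1 stored the logged-in user's role in Session["Role"], and a SaveSubmission method standing in for the real business logic; all three names are assumptions made for the example.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for "page 2". The button is assumed to be declared in the markup as:
//   <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
public partial class Page2 : Page
{
    private const string AdminRole = "admin";

    // The only input we trust: server-side session state written at login.
    // (Assumption: page 1 stored the role in Session["Role"].)
    private bool IsAdmin()
    {
        var role = Session["Role"] as string;
        return string.Equals(role, AdminRole, StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Original approach:  btnSubmit.Enabled = IsAdmin();
        // That only emits disabled="disabled" in the HTML, which the user can delete
        // in the browser's developer tools and then click the button.
        //
        // Fix 1 (hide): with Visible = false the control is not rendered at all,
        // so there is no element on the page for the user to re-enable.
        btnSubmit.Visible = IsAdmin();
    }

    // Fix 2 (authoritative): re-check the role on every postback.
    // Whatever the browser showed or the user edited, this code runs only for an admin.
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (!IsAdmin())
        {
            // A non-admin reaching this point means the page was tampered with or the
            // request was crafted by hand; refuse it rather than silently ignoring it.
            throw new HttpException(403, "Forbidden");
        }

        SaveSubmission();
    }

    // Placeholder for the real submit logic (assumed name; body omitted).
    private void SaveSubmission()
    {
        // ... business logic ...
    }
}
```

If the site uses Forms authentication with a role provider, replace the Session lookup with User.IsInRole("admin") and deny the whole page to non-admins with an <authorization> section in web.config; the check inside the click handler still stays, because every server action that can change data needs its own authorization check regardless of what the page rendered.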