Prevent malicious user from executing JavaScript

Question

In my JSP I have a function like fnGetTicketDetails:

function fnGetTicketDetails(record){
    $("#TicketNumber").val(record);
    $("#TicketDetailsForm").submit();
    return false;
}

I have form like this:

<form name="TicketDetailsForm" id="TicketDetailsForm" method="post" action='${properties["SUBMIT_TICKET_DETAIL"]}'
    target="_blank" style="display: none;">

I have an input hidden parameter

<input type="hidden" name="record" id="TicketNumber" /> 

It is working fine in the server. Issue was: If I use

javascript:eval("fnGetTicketDetails(83769551); eval();");

in the browser then also I am getting the details, which is invalid. How to block these type of request from browser. Because a hacker can easily get the details if he knows the ticket number.

Answer 1

You can't prevent the user from doing this.

You must treat all input from the user including all requests sent by your JavaScript as untrusted.

That means that the server must verify that the request from the user is legitimate (i.e. it must check if the current user has permission to read the specified detail).

Relying on hidden fields and JavaScript to keep your data secure is a very easy way of getting your data stolen.