Is it possible for someone to manipulate the data being transmitted to the server if they have access to the data stored in a

I have some concerns regarding the security of my data. Let's consider a scenario where I have information stored in a div like this:

<div id="Q9vX" class="mainContent" data-compname="comp1" data-user="57f70c8e78ae49d41c78876a" data-shortid="Hy85nKVR">

Now, if I were to make a post request that sends the compname and user ID, is it possible for someone to tamper with the value of the data-user attribute before it gets sent? Considering that I am performing database operations based on the ID within the div, there is a risk of someone altering the ID and causing the operation to be performed for an unintended user. I am using MongoDB, Heroku, and Express for my project. Although I am hesitant about using sessions due to their expiration nature, what would be the best practice in such a situation?

For instance, imagine that this particular div pertains to a review submitted by a user with the ID 57f70c8e78ae49d41c78876a. If everything proceeds as expected and the user submits the review, it should be associated with that specific user ID. However, if someone were to manipulate the ID through tools like Firebug, could the review end up being registered under a different ID?

javascriptmongodbsecurityexpressheroku

Answer №1

To modify the value, a user could utilize developer tools or potentially conduct a cross-site scripting attack, where harmful code is injected into the page. There are various methods for executing this, such as inserting code onto your server's file system, injecting it into your database (especially if using a CMS), or even via a browser extension.

Without proper server-side access controls, someone could deploy a script that jeopardizes the availability or integrity of your data. Availability may be compromised through a denial of service attack inundating the server with fake requests to surpass concurrent database connections, inhibiting legitimate users from accessing the site. Data integrity can be at risk by flooding the database with fraudulent requests that are challenging and time-consuming to identify and remove. Additionally, if reviews function like a comment box allowing user input displayed on the site, it could serve as an avenue for injecting malicious cross-site scripting code.

If security is a concern, it's advisable to implement access control measures like sessions, sanitize all incoming and outgoing data from the database, and ensure secure HTTPS connection on your web server.

The Express JS website offers insightful guidance on security best practices.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Verify if the values are consistent in MongoDB

I am struggling to use the MongoDB $and operator with $regex to check if a nickname and password are true. I have tried the following code but it is not working properly: checkNickname: function(nickname, password){ var reNick = new RegExp(nickname, ...

regexmongodbmongodb-query

Upon attempting to run `yarn dev` with Webpack 5, I encountered the following error message: "Library name must be a string or

Seeking assistance from my fellow developers. Has anyone encountered this particular issue before? Error output displayed in text: yarn run v1.17.3 $ webpack-dev-server webpack --config ./webpack.dev.config.js --mode development i 「wds」: Project is ...

javascript

Enhancing HTML "range" element with mouse scroll functionality for incrementing values in step increments

I'm working on developing a scroll feature that operates independently from the main window's scrolling function. I aim to trigger specific events in the primary window based on interactions with this separate scrollbar. The only solution I coul ...

javascriptjqueryhtmlcssd3.js

The two divs are positioned on top of one another, with the link in the bottom div being unclickable

I am trying to create a unique effect where a tile divides into two on hover, with each tile acting as an individual link. Additionally, I want the background color of the tiles to change on hover. To achieve this, I have stacked two divs (toptile and bot ...

javascriptjqueryhtmlcss

Store the output of JavaScript in a PHP variable

My objective is to convert any image to base 64 and then store the converted string in a PHP variable before inserting it into my database. JavaScript Code: function uploadFile() { if (this.files && this.files[0]) { var FR= new FileReader ...

javascriptphphtmlajax

Express - Dividing the route handling logic into separate controllers

There is a trend of separating Express router logic into controller files, as seen in projects like meanJS For example: var express = require('express'), router = express.Router(), catalogues = require('../controllers/catalogues') ...

node.jsexpress

Mastering the art of using Styled() with MUI V5

Having trouble utilizing MUI Styled () on a larger scale. Can someone please review the code we used in previous versions and advise how to replicate it in MUI V5? Previous Method: const useStyles = makeStyles((theme) => ({ root: { backgroundColo ...

javascriptreactjstypescriptmaterial-ui

I am looking to pair a unique audio clip with each picture in my collection

I have implemented a random slideshow feature that cycles through numerous images. I am now looking to incorporate a brief audio clip with each image, synchronized with the array I have established for the random pictures. The code snippet below is a simil ...

javascriptarrayshtmlimagehtml5-audio

Adding rows dynamically to multiple tables on a single page using a single function

I am facing a situation where I have multiple tables and a function that adds rows to these tables: <table id="table1" style=" border-collapse: collapse;"> <tr id="table1row1">... <tr id="table1row2">... <table id="table2" style=" bor ...

javascriptjqueryhtmlhtml-tableincrement

Is there a way to transfer driver information between methods smoothly?

Just started working with Selenium and I have a query. I created a method called urlload to load a specific URL, but when I try to read webElements of the webpage loaded in that method from another class, it doesn't seem to work. Any advice or hel ...

javascriptselenium

Can you explain the updated method in Mongoose 3.8.x that replaces Model.visits.$inc() from version 2.7.x?

According to the Mongoose ODB documentation for version 2.7.x, the following code snippet should be valid: Model.findOne({ name: 'borne' }, function (err, doc){ doc.name = 'jason borne'; doc.visits.$inc(); doc.save(); }); This i ...

node.jsmongodbexpressmongoose

best way to remove browser hash history using javascript

Utilizing the hashchange plugin, I have successfully implemented ajax-like navigation. Now, I am looking to establish a navigation system through folders with the following structure: #root/ -> #root/folder -> #root/folder/subfolder -> #root/ ...

javascriptjqueryajaxnavigation

Using Express-session on dual servers

I have been experimenting with express-session on two different local servers. The first server is dedicated to database manipulation, while the second server is responsible for loading pages. My goal is to store some data in the session from the first ser ...

javascriptnode.jsexpresssessionexpress-session

Utilizing jQuery to convert object properties into a table

Here is the table structure I am working with: <table> <thead> <tr> <th>Loan Type</th> <th>Amount Borrowed</th> <th>Current Payment< ...

javascriptjqueryhtmloophtml-table

Discover all undefined variables in the project using Node.js

Currently working on developing a backend API using Node.js Encountering issues at times where unit tests fail and error message 'data is not defined' appears Fortunately, TypeScript has proven beneficial in resolving such problems with its l ...

javascriptnode.jsunit-testingconfigurationsyntax-error

"Updating documents with Mongoose's Modle.update() method leads to incorrect updates and triggers a Cast

Could use some assistance clarifying a few things. I'm working with the following Model: var Event = new Schema({ event_code: String , segments: [Segment] }); The creation of new documents is flawless. However, running into issues when updating ...

node.jsexpressmongoose

Creating multi-dimensional arrays using array lists with Axios and Vue.js

My knowledge of axios and JavaScript is limited, and I find myself struggling with creating a multi-dimensional array. 1. This is how I want my data to be structured : https://i.stack.imgur.com/kboNU.png userList: [ { ...

javascriptarraysvue.jsmultidimensional-arrayaxios

The innovative way Vue.js revolutionizes HTML updates within a Websocket onmessage event

I'm new to Vue.js and I'm trying to capture data inside the onmessage event of a websocket and update an HTML component (either a span or div). While console.log or alert functions work in onmessage, I couldn't get it to update the span. Th ...

javascripthtmlvue.js

Is Angular 4 failing to set headers properly or is Express.js searching in the wrong place?

When interacting with an Express.js API, I encountered a issue regarding the handling of auth tokens. The problem arose when sending the token in the request headers using Angular 4 compared to Postman. In Postman, setting the header named 'Authorizat ...

javascriptangulartypescriptexpresshttp-headers

Conceal Element in React if it is the Final Item

Is there a way to hide the TimelineConnector if it is on the last item? I am looking for some guidance on how to achieve this. Please take a look at my codesandbox below: CLICK HERE {timelines.lastIndexOf(index) !== 1 ? <TimelineConnector /> : &quo ...

javascriptreactjsecmascript-6material-ui