I am presenting the user with some exam. Users are not to proceed into the actual site before they pass this exam. However, there will be some users who will have a choice to bypass the exam until some date (say a month from the current date). So these users have a window of a month to take the exam. Until then they can click 'Proceed' on the exam page to just go into the site.

My Logic: When normal users click submit on the exam form page I am doing all my logic and submitting info to the DB. When these 'special' users click proceed then I will be just hardcoding a 'true' to the 'didPassExam()' method, if they are still in that one month window.

My question is: to check which button the user clicked I am doing the following (Struts 2 code)

private String submit;

public void setSubmit(String submit) {
    this.submit = submit;
}

And in the JSP:

 <s:submit name="submit" value="Submit" />

 <s:submit name="submit" value="Proceed" />

so basically when user clicks a button, my action class will know which button was clicked. But can some hacker intentionally change value of 'Submit' button to 'Proceed' and then bypass the exam even for normal users?

Would someone do this a different and more secure way?

+8  A: 

Yes, any user could pass along the special "Proceed" and gain access.

Since you can (and do) already tell the difference between the types of users you should validate their button at the server based on that. Client-side checks can always be bypassed.

dwc
If you're running Firefox with Firebug, editing the HTML of a form before submitting it is as easy as right-clicking, clicking inspect element and clicking edit HTML. Three clicks. So no... not so secure.
Daniel Straight
+7  A: 

In general, you should not trust input from the client. You should validate on the server side that the particular user has the right to skip the exam. Presumably, you know who the user is from a log-in process and you know the correct logic to determine if they can skip the exam. So there's no reason to trust what the client tells you.

JP Alioto
+3  A: 

Yes, this is easily hacked. Whenever you need to secure something like this, do the check on the server side. That is, check the user type (this is like a "Role" in the parlance) on the server side.

Always assume that any client-side code can and will be replaced by a malicious user.

Don Branson
+1  A: 

You will need to capture the button pressed, and then validate it against the User. Assuming your User is instantiated as class variable user, and returns Boolean for public method isSpecialUser():

private String submit;

public void setSubmit(String submit) {
    // Compare with equals(): == on strings tests reference identity, not content,
    // so a request-bound "Proceed" would never match the literal.
    if (user.isSpecialUser() && "Proceed".equals(submit)) {
        // Only Special Users can set this to Proceed
        this.submit = submit;
    } else {
        // Sets itself to the remaining valid option (to prevent evilness)
        this.submit = "Submit";
    }
}
Matt
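The answers above all make the same point: the button value is untrusted input, and the decision to skip the exam must come from the server's own knowledge of the user. The following is an added example written for this page, not code from the question or any answer. It models the action as plain Java (no Struts classes, so it compiles stand-alone); the `User`, `ExamGateAction`, the `EXAM_BYPASS` role name, the `bypassDeadline` field and the answer key are all assumptions chosen for illustration. The point it shows is that `execute()` never trusts the `submit` parameter on its own: a forged "Proceed" from a normal user, or from a special user whose window has closed, is sent back to the exam.

```java
import java.time.LocalDate;
import java.util.Map;
import java.util.Set;

/** Hypothetical stand-in for the authenticated user, loaded from the server-side session. */
final class User {
    final String name;
    final Set<String> roles;
    final LocalDate bypassDeadline; // null when the user has no bypass window at all

    User(String name, Set<String> roles, LocalDate bypassDeadline) {
        this.name = name;
        this.roles = roles;
        this.bypassDeadline = bypassDeadline;
    }
}

/** Plain-Java model of the exam gate action (Struts-style result strings, no Struts dependency). */
public class ExamGateAction {
    static final String SUCCESS = "success"; // user enters the site
    static final String INPUT = "input";     // user is returned to the exam page

    // Constructed answer key for the example; a real app would load this from the DB.
    private static final Map<String, String> ANSWER_KEY = Map.of("q1", "b", "q2", "d");

    private final User user;          // comes from the session, never from request parameters
    private final LocalDate today;    // injected so the window check is deterministic
    private String submit;            // request-bound: "Submit" or "Proceed"
    private Map<String, String> answers = Map.of(); // request-bound exam answers

    ExamGateAction(User user, LocalDate today) {
        this.user = user;
        this.today = today;
    }

    public void setSubmit(String submit) { this.submit = submit; }
    public void setAnswers(Map<String, String> answers) { this.answers = answers; }

    /** The authoritative decision: role plus an unexpired window, decided on the server. */
    boolean mayBypassExam() {
        return user.roles.contains("EXAM_BYPASS")
            && user.bypassDeadline != null
            && !today.isAfter(user.bypassDeadline);
    }

    public String execute() {
        if ("Proceed".equals(submit)) {
            if (!mayBypassExam()) {
                // A tampered button value lands here; worth logging as a tampering signal.
                System.out.println("rejected Proceed for " + user.name);
                return INPUT;
            }
            return SUCCESS;
        }
        // Normal path: grade the submitted answers on the server.
        return gradeExam() ? SUCCESS : INPUT;
    }

    private boolean gradeExam() {
        for (Map.Entry<String, String> e : ANSWER_KEY.entrySet()) {
            if (!e.getValue().equals(answers.get(e.getKey()))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2024, 3, 1);
        User normal = new User("alice", Set.of("MEMBER"), null);
        User special = new User("bob", Set.of("MEMBER", "EXAM_BYPASS"), today.plusDays(30));
        User expired = new User("carol", Set.of("MEMBER", "EXAM_BYPASS"), today.minusDays(1));

        ExamGateAction forged = new ExamGateAction(normal, today);
        forged.setSubmit("Proceed");                 // normal user sending the special button value
        System.out.println("normal + Proceed  -> " + forged.execute()); // input

        ExamGateAction inWindow = new ExamGateAction(special, today);
        inWindow.setSubmit("Proceed");
        System.out.println("special + Proceed -> " + inWindow.execute()); // success

        ExamGateAction late = new ExamGateAction(expired, today);
        late.setSubmit("Proceed");
        System.out.println("expired + Proceed -> " + late.execute()); // input

        ExamGateAction graded = new ExamGateAction(normal, today);
        graded.setSubmit("Submit");
        graded.setAnswers(Map.of("q1", "b", "q2", "d"));
        System.out.println("normal + Submit   -> " + graded.execute()); // success
    }
}
```

Note that the JSP can still render the 'Proceed' button only for special users as a convenience, but hiding the button is presentation, not enforcement; `mayBypassExam()` is the only check that matters, and it reads the role and deadline from server-held state.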