Hey, how could I fix this security hole? Anybody can use the NUI devtool to trigger any JS post function, for example:
fetch("-nui callback-", {
    method: "POST",
    body: JSON.stringify({
        -any- : -stuff- ,
    })
});
or like this:
$.post("https://esx_atm/deposit", JSON.stringify({
    amount: $("#amount").val()
}));
In our testing, users cannot send POST events from the DevTool, so you should be fine.
Did you try both methods and select the resource in the console? Because on my server the second method works perfectly.

It's not a security hole; the security hole is your resources being vulnerable to this.
Well yeah, it's just a devtool.
I guess using a JS obfuscator should be enough to fix vulnerable scripts.
Obfuscating your code is not a solution; people who want to abuse this can just deobfuscate it or literally use the network tab in devtools. Instead, fix your actual scripts: add server-side checks.
Let's say, open your bank website and press F12, find the endpoint of "deposit" and do a fetch… Is this a security hole in your browser? Not really, since the request will fail since your bank does server-side checks.
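
The server-side check recommended in the replies above, sketched as an added example that is not part of the thread and is not esx_atm's own code. The names `accounts`, `parseAmount`, `handleDeposit` and `MAX_DEPOSIT` are hypothetical, and the account data is constructed sample state.

```javascript
// Added example: treat the amount posted from the NUI page as untrusted input.
// All names are hypothetical; this is not esx_atm's or FiveM's API.
const MAX_DEPOSIT = 1000000; // assumed per-request cap

// Server-owned balances (constructed sample), keyed by a player id that the
// server assigned itself; it must never be read from the request body.
const accounts = new Map([[1, { cash: 500, bank: 100 }]]);

function parseAmount(raw) {
  // The form sends a string; accept only plain decimal digits, so "-50",
  // "1e3", "1.5", NaN, objects and empty strings are all rejected.
  if (typeof raw === "number") raw = String(raw);
  if (typeof raw !== "string" || !/^[0-9]{1,9}$/.test(raw)) return null;
  const n = Number(raw);
  return n > 0 && n <= MAX_DEPOSIT ? n : null;
}

function handleDeposit(playerId, payload) {
  const account = accounts.get(playerId);
  if (!account) return { ok: false, reason: "unknown player" };

  const amount = parseAmount(payload && payload.amount);
  if (amount === null) return { ok: false, reason: "invalid amount" };

  // Compare against the server's copy of the balance, never a client-sent one.
  if (amount > account.cash) return { ok: false, reason: "insufficient cash" };

  account.cash -= amount;
  account.bank += amount;
  return { ok: true, cash: account.cash, bank: account.bank };
}
```

With checks like these on the server, a request forged from devtools is handled exactly like one sent by the ATM page: it succeeds only if the server's own state allows it.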