[Ciphered Local Storage Plugin] Penetration test - Client variable manipulation
Forge component by Platform Maintenance
Application Type
Mobile

We're preparing to have some of our platforms penetration tested as part of annual requirements. One of the PenTest chaps has said to look out for client side variable manipulation. So my question is...

Assuming that applications are only available natively (no PWA), and that ciphered local storage plugin is installed, is it at all possible for someone to manipulate the client variables?

For example (I know it's a bad example).

Client variable = site.

Value set at login to Site=1.

Home page gets query "select * from site".

Is it possible for a user, using any method/tool, to change the client variable to 2, which would then change the data retrieved from the database?

Thank you

Solution

Hi,


Assuming that applications are only available natively (no PWA), and that ciphered local storage plugin is installed, is it at all possible for someone to manipulate the client variables?

==> I think the client variables can still be manipulated, because this plugin is only for local storage (SQLite in the native app).

If you want to secure the client variables, it is better to use an encryption/hash check on your client variables (for example, this plugin for encryption: https://www.outsystems.com/forge/component-overview/11633/cryptojs-reactive)
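
The hash check suggested in the answer above, applied to the Site=1 scenario from the question, as an added example that is not part of the original thread or of any OutSystems component. It assumes the HMAC key and the verification run on the server; the function names, key and sample rows are constructed for illustration.

```javascript
// Added example (Node.js). All names and values below are constructed.
const nodeCrypto = require("node:crypto");

// Assumption: this key exists only on the server, never in the mobile app.
const SERVER_KEY = Buffer.from("constructed-demo-key-not-for-production");

// Constructed sample data standing in for the "site" table.
const SAMPLE_ROWS = [
  { siteId: 1, name: "Depot A" },
  { siteId: 1, name: "Depot B" },
  { siteId: 2, name: "Depot C" },
];

// HMAC over an unambiguous encoding of (user, site).
function tagFor(userId, siteId) {
  return nodeCrypto
    .createHmac("sha256", SERVER_KEY)
    .update(JSON.stringify([userId, siteId]))
    .digest();
}

// Server, at login: hand the client the value plus its integrity tag.
function issueSiteToken(userId, siteId) {
  return { siteId, tag: tagFor(userId, siteId).toString("hex") };
}

// Server, on every request: recompute the tag and compare in constant time.
function verifySiteToken(userId, token) {
  const expected = tagFor(userId, token.siteId);
  const given = Buffer.from(String(token.tag), "hex");
  return given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
}

// Hypothetical data handler: the client-held value is only used after the check.
function getSiteRows(userId, token, rows) {
  if (!verifySiteToken(userId, token)) {
    throw new Error("site token rejected");
  }
  return rows.filter((row) => row.siteId === token.siteId);
}
```

The tag binds the site value to the logged-in user, so a client variable changed from 1 to 2, or a token copied from another account, fails verification before any rows are returned.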

