Hidden does not mean secure

If you have ever had to customise an entity form in Dynamics 365 then you will likely have hidden a field, marked a field as business required and possibly even made a field read-only. Did you know, however, that all of these can be reversed by most users? Just because a field is not visible on the form does not mean the user cannot find its value or edit it: the form only controls how the browser presents the record, not what the user is allowed to do with it.

Here is a very simple account form customisation with one field marked required, one made read-only, and a field between them that is hidden by default. Compare the two screenshots below and you will see the difference.

Screenshot 1: a simple account entity form customised to make one field required, one hidden and one read-only
Screenshot 2: the same form after running the script below; the custom fields are now visible, editable and not required

What happened?!

You must always remember that Dynamics is simply a series of web pages. Hiding a field, disabling it and marking it required are client-side settings applied by JavaScript in the user's own browser, so with modern browser developer tools and a little know-how any user can run the code below to undo your hard work.

// Paste into the developer-tools console with a Dynamics form open.
// Xrm.Page (deprecated in favour of formContext in later versions, but still
// reachable from the console) lives in one of the page's frames, so every
// frame is tried; frames that do not expose it, or are cross-origin, throw
// and are skipped by the catch.

// Show all fields
for (var i = 0; i < frames.length; i++) {
  try {
    frames[i].Xrm.Page.ui.controls.forEach(function (control) {
      control.setVisible(true);
    });
  } catch (e) { /* not the form frame: skip */ }
}

// Make all fields editable (not every control type has setDisabled, so the
// check stops a subgrid or web resource control from aborting the loop)
for (var i = 0; i < frames.length; i++) {
  try {
    frames[i].Xrm.Page.ui.controls.forEach(function (control) {
      if (typeof control.setDisabled === "function") {
        control.setDisabled(false);
      }
    });
  } catch (e) { /* not the form frame: skip */ }
}

// Mark all fields as optional
for (var i = 0; i < frames.length; i++) {
  try {
    frames[i].Xrm.Page.data.entity.attributes.forEach(function (attribute) {
      attribute.setRequiredLevel("none");
    });
  } catch (e) { /* not the form frame: skip */ }
}

Try it yourself: open a form in Dynamics and paste this code into the browser developer-tools console (F12 in most browsers).

Just a quick post to remind you this is possible, if you had forgotten or not realised: customisations do not survive contact with the customer. Form customisations are a usability feature, not a security boundary. If a value must not be seen or changed by a user, enforce that on the server with security roles and field-level security, and check anything that must be present or must not change in a plug-in rather than trusting the form.
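The other half of the picture, as an added example that is not part of the original post and is not Dynamics code: a small Node.js model in which the "client" side does exactly what the console trick above does, and the "server" side re-applies the field policy on every read and save without looking at form state. The field names, the policy and the sample record are constructed for the example; in Dynamics the corresponding server-side controls are field-level security for reads and writes and a plug-in for validation.

```javascript
// Added illustration (not Dynamics code, not from the original post): a model of
// why form-level rules are not a security boundary. The client side mirrors the
// console trick above; the server side re-applies the policy on every read and
// save, which is the job field-level security and plug-ins do in Dynamics.
// Field names, policy and record are constructed for this example.

// What this user is allowed to do with each custom field, as the SERVER knows it.
// "hidden" on the form maps to readable: false, "read-only" to writable: false.
const FIELD_POLICY = {
  new_creditlimit:  { readable: true,  writable: true,  required: true  },
  new_internalnote: { readable: false, writable: false, required: false },
  new_riskscore:    { readable: true,  writable: false, required: false },
};

// The form customisation only produces this object inside the user's browser.
function buildClientForm(policy) {
  const controls = {};
  for (const [name, rule] of Object.entries(policy)) {
    controls[name] = {
      visible: rule.readable,
      disabled: !rule.writable,
      requiredLevel: rule.required ? "required" : "none",
    };
  }
  return controls;
}

// Equivalent of the three console loops: the user owns the page, so every
// control can be made visible, editable and optional.
function tamperClientForm(controls) {
  for (const control of Object.values(controls)) {
    control.visible = true;
    control.disabled = false;
    control.requiredLevel = "none";
  }
  return controls;
}

// Server side, read path: the only way to keep a value out of the browser is
// not to send it. Returns a copy of the record with unreadable fields removed.
function redactForUser(record, policy) {
  const visible = {};
  for (const [name, value] of Object.entries(record)) {
    if (policy[name] && policy[name].readable) {
      visible[name] = value;
    }
  }
  return visible;
}

// Server side, write path: validate the incoming update against the policy and
// the stored record, ignoring whatever the form claimed. Unknown fields are
// rejected (deny by default). Returns a list of violations; empty means accept.
function validateUpdate(existing, update, policy) {
  const violations = [];
  for (const name of Object.keys(update)) {
    if (!policy[name]) {
      violations.push(name + ": unknown field");
    }
  }
  for (const [name, rule] of Object.entries(policy)) {
    const touched = Object.prototype.hasOwnProperty.call(update, name);
    const changed = touched && update[name] !== existing[name];
    if (changed && !rule.writable) {
      violations.push(name + ": not writable for this user");
    }
    const value = touched ? update[name] : existing[name];
    if (rule.required && (value === null || value === undefined || value === "")) {
      violations.push(name + ": required field is empty");
    }
  }
  return violations;
}

// Walk through the attack: tamper the form, then submit the resulting payload.
function demo() {
  // Constructed sample record as stored on the server.
  const stored = { new_creditlimit: 1000, new_internalnote: "do not extend", new_riskscore: 7 };
  const form = tamperClientForm(buildClientForm(FIELD_POLICY));
  // The tampered form lets the user blank the required field and edit the
  // read-only one; this is the payload the browser would send on save.
  const payload = { new_creditlimit: null, new_riskscore: 1 };
  return {
    formAfterTamper: form,
    sentToBrowser: redactForUser(stored, FIELD_POLICY),
    violations: validateUpdate(stored, payload, FIELD_POLICY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and note that the tampered form reports every control visible, editable and optional, while the server still withholds the unreadable field and rejects the save with two violations. Whatever the form says is irrelevant to the outcome, which is the property the real controls (field-level security and plug-ins) give you.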

2 thoughts on “Hidden does not mean secure”

  1. Almost any client-side validation code can be circumvented, Postman can allow you to easily post data to someone else's form, session cookies can be cloned into these types of attacks, CGI/RESTful APIs can be manually input into the location field of one's browser, curl at the command line can be scripted to include header information. The list goes on and on.

