Input Validation Bypass on Netlify forms request

Sitename: https://www.tradetrust.io/

Hi there, we’ve been using Netlify and we’ve been satisfied with it so far, thanks for all the hard work you guys have put in.

I have a question, and it’s regarding the built-in forms provided by Netlify. Let’s say I have a contact us form and some of the fields are required. To give an example, a form with name (required) and message (optional) [client-side validation].

Our audit team has tried intercepting the form submission request using their “Burp Suite” and they have managed to alter the request such that they remove the required field (name), and they managed to hit the endpoint and submit this altered request.

Is there any feature / protection measures that are available on Netlify, to prevent an interception of the request?

Thanks for taking the time to answer this question.


Hi @cavacado, thanks for posting and welcome to the Netlify Support Forums.
Very good question.

You can do client-side validation as you indicated.
However, unfortunately Netlify forms does not currently have an API for you to do backend form validation.

An alternative solution will be to POST the form data to a Netlify Function and then validate the form data for the required fields as you stated. If the validation requirements are not met, then you can respond with an error message, redirect, etc. to the end user.

Once the form data has passed the required validation, you can use SMTP clients such as Nodemailer, EmailJS, etc. to send the form data to your email, just like how Netlify Forms forwards the submissions to your configured email. You can also use third-party providers like SendGrid, etc. to send form data to your email.

In addition, there is a post here on this forum that is similar to the question you asked.

@fool’s response explains how submissions work and it should give you an idea of the whole Netlify form submission workflow.

Hope this helps.
Thanks.
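
The server-side check described in the answer above, written out as an added example (this is not code from Netlify, from the original repo, or from either poster). It is a Netlify Function in the v1 `handler(event)` style that parses the urlencoded POST body itself, rejects submissions whose required fields are missing or whitespace-only, and only then reaches the point where you would hand the data to Nodemailer or SendGrid. The field names `name`/`message`, the `/thanks` redirect target and the length limit are assumptions; the sample events are constructed to mirror a Burp-tampered request with `name` stripped and an untouched one.

```javascript
// Added example, not code from Netlify or the original thread.
// Drop this in netlify/functions/contact.js and point the <form action> at
// /.netlify/functions/contact instead of relying on the built-in form endpoint.

// Assumed schema: field names, requiredness and a size cap. Keep this list
// server-side; the client-side `required` attribute is only a UX hint.
const REQUIRED_FIELDS = ["name"];
const OPTIONAL_FIELDS = ["message"];
const MAX_FIELD_LENGTH = 2000; // assumption: reject oversized fields early

// Parse the urlencoded body into a plain object containing only declared
// fields. Anything else a proxy injected is silently dropped.
function parseFormBody(rawBody, isBase64Encoded) {
  const text = isBase64Encoded
    ? Buffer.from(rawBody || "", "base64").toString("utf8")
    : rawBody || "";
  const params = new URLSearchParams(text);
  const fields = {};
  for (const key of [...REQUIRED_FIELDS, ...OPTIONAL_FIELDS]) {
    if (params.has(key)) fields[key] = params.get(key);
  }
  return fields;
}

// Return a list of validation errors; an empty list means the submission is valid.
// Required fields must be present AND non-blank, so "name=%20" is rejected too.
function validateFields(fields) {
  const errors = [];
  for (const key of REQUIRED_FIELDS) {
    if ((fields[key] || "").trim().length === 0) errors.push(`${key} is required`);
  }
  for (const [key, value] of Object.entries(fields)) {
    if (value.length > MAX_FIELD_LENGTH) errors.push(`${key} is too long`);
  }
  return errors;
}

// Synchronous core so it can be exercised without the Netlify runtime.
// Returns the Lambda-style { statusCode, headers, body } object Netlify expects.
function handleSubmission(event) {
  if (event.httpMethod !== "POST") {
    return { statusCode: 405, headers: { Allow: "POST" }, body: "Method Not Allowed" };
  }
  const headers = event.headers || {};
  const contentType = headers["content-type"] || headers["Content-Type"] || "";
  if (!contentType.startsWith("application/x-www-form-urlencoded")) {
    return { statusCode: 415, body: "Unsupported Media Type" };
  }
  const fields = parseFormBody(event.body, event.isBase64Encoded);
  const errors = validateFields(fields);
  if (errors.length > 0) {
    return {
      statusCode: 400,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ errors }),
    };
  }
  // Valid: this is the point at which you would send `fields` via
  // Nodemailer / SendGrid. Redirect so a refresh does not resubmit.
  return { statusCode: 303, headers: { Location: "/thanks" }, body: "" };
}

// Netlify Functions entry point.
const handler = async (event) => handleSubmission(event);

if (typeof module !== "undefined") {
  module.exports = { handler, handleSubmission, validateFields, parseFormBody };
}

// Constructed sample events (not captured traffic): the first is what the
// audit team's proxy produced after deleting the required `name` field.
const FORM_HEADERS = { "content-type": "application/x-www-form-urlencoded" };
const tamperedEvent = { httpMethod: "POST", headers: FORM_HEADERS, body: "message=hello" };
const validEvent = { httpMethod: "POST", headers: FORM_HEADERS, body: "name=Alice&message=hello" };

console.log(handleSubmission(tamperedEvent).statusCode); // 400
console.log(handleSubmission(validEvent).statusCode);    // 303
```

Because the validation runs after the request has left the browser, removing the field in Burp, sending it with curl, or replaying it without the page's JavaScript all hit the same check; the client-side `required` attribute stays purely as a usability feature.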

Hey @cavacado,

While @clarnx is correct, turns out we can get creative and use Netlify Edge Functions to achieve what you need.

Here’s a very short example:

https://github.com/Hrishikesh-K/edge-form

The site is deployed here: https://sparkling-daffodil-8446e2.netlify.app/

If you submit the form without any name input, it would fail; however, as soon as you add any string to the name input, it works.

You’d have to customise this for your needs, though. Also, I’m not sure how well this would work for forms with file uploads, so that’s something to be cautious about.

An important note though: Edge Functions are in Beta right now and can fail sometimes. It’s not recommended yet for mission-critical apps where even a single miss can cause serious issues.

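The Edge Function pattern from the post above, as an added example (this is not the code from the linked repo or from Netlify). Instead of replacing the form endpoint, it sits in front of the page the form posts to, reads a clone of the body, and either answers 400 itself or lets the untouched request continue to Netlify's form handler with `context.next()`. It uses `request.formData()` so that a multipart upload is inspected rather than waved through, which addresses the file-upload caveat at the cost of buffering the body; the path `/contact`, the function name and the required field list are assumptions.

```javascript
// Added example, not from the original repo. Save as
// netlify/edge-functions/validate-form.js and route it in netlify.toml:
//   [[edge_functions]]
//   path = "/contact"
//   function = "validate-form"
// Then `export default validateForm;` at the bottom of that file.

const REQUIRED = ["name"]; // assumption: the form's required field names

// Synchronous check over a web-standard FormData. A file upload arrives as a
// File object, so only string values are treated as satisfying a text field.
function missingRequired(formData) {
  const missing = [];
  for (const key of REQUIRED) {
    const value = formData.get(key);
    if (typeof value !== "string" || value.trim().length === 0) missing.push(key);
  }
  return missing;
}

function isFormPost(request) {
  const ct = request.headers.get("content-type") || "";
  return (
    request.method === "POST" &&
    (ct.startsWith("application/x-www-form-urlencoded") || ct.startsWith("multipart/form-data"))
  );
}

// Edge Function entry point: (request, context) => Response | Promise<Response>.
async function validateForm(request, context) {
  // Let GETs and non-form POSTs pass straight through to the origin.
  if (!isFormPost(request)) return context.next();

  // Consume a clone so the original body is still intact for Netlify Forms.
  let formData;
  try {
    formData = await request.clone().formData();
  } catch (err) {
    return new Response("Malformed form body", { status: 400 });
  }

  const missing = missingRequired(formData);
  if (missing.length > 0) {
    return new Response(JSON.stringify({ errors: missing.map((k) => `${k} is required`) }), {
      status: 400,
      headers: { "content-type": "application/json" },
    });
  }
  // Fail closed: if the check could not run, the submission is not forwarded.
  return context.next();
}

if (typeof module !== "undefined") {
  module.exports = { validateForm, missingRequired, isFormPost };
}

// Constructed FormData bodies standing in for the intercepted submissions.
const tampered = new FormData();
tampered.append("message", "hello"); // proxy removed `name`
const valid = new FormData();
valid.append("name", "Alice");
valid.append("message", "hello");
console.log(missingRequired(tampered)); // [ 'name' ]
console.log(missingRequired(valid));    // []
```

Note that this only guards the path you route in `netlify.toml`; a submission posted directly to a different path that Netlify also recognises as a form target would bypass the edge check, so keep the single routed path as the only form action, and remember the Beta caveat above: an edge function that fails to run means no validation ran at all.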