Security of modifying app state from javascript

Views: 67

Problem description

I have a question about how to develop my web application security. Assuming that all the javascript code is public and that anyone can make any AJAX call directly, with parameters that seem convenient, then any call that directly modify the status of the database is highly dangerous.

That is, calls such as "changePoints" or "updateUserState" allow a malicious user to break the logic of, for example, a game and obtain unlimited money or points.

My intuitive solution to this problem is to design the calls that communicate between client and server so that it is not possible to break the app logic through their parameters. In the example of a game, a call like "buySomething" would be safe because the server would be responsible for adding that "something" and subtracting the money it costs. Two calls "addSomething" and "changeMoney" could accomplish the same task but would be unsafe, for obvious reasons.

My doubts arise from the conclusions that this reasoning leads me: The model part of MVC pattern in client side seems so dangerous, especially if we apply "active record" because AJAX calls have a direct correlation to the database server. Also, my intuitive solution generates a tendency for much of the application logic to be developed on the server side, which can become tedious.

Is there something I'm missing? Are there smarter solutions? Is using models and active record on the client side just insecure?

Thanks for your attention and help.

Recommended answer

The server is always the ultimate authority. You need all of your app logic server-side and the server needs to validate all actions a user takes. Think of the server as a black box, which represents all of your application logic. Anything outside of that black box is not trustable, not part of "the app". Anything that can be done "from outside" with that black box is by definition untrusted. The black box must only expose valid APIs to the outside and react to any invalid input by rejecting it. An HTML/Javascript interface is merely a convenient way to use those APIs that a normal user can interact with, it is not part of the core application and must not contain critical business logic. It merely represents what goes on inside the black box.

If your application is highly dynamic and often changes state which needs to be reflected in the interface, like in a game, then yes, keeping that in sync with the server-side state can be quite a challenge. It's nevertheless necessary.
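The "black box" the answer describes, as an added example that is not part of the original question or answer: a plain Node.js module with no web framework, so it runs offline. The `changeMoney`-style handler from the question is shown beside a `buySomething`-style handler in which the server owns the price list, takes the acting user from the authenticated session rather than the request body, validates the untrusted input, and rejects anything it cannot afford or does not recognise. All names here (`CATALOGUE`, `newState`, `buySomething`, the `alice` account and its balance) are assumed for illustration.

```javascript
// Added example, not code from the page. A stand-in for the server-side
// "black box": handlers take (state, sessionUser, body) where sessionUser
// is what the server established from the session cookie/token, and body
// is the untrusted JSON the client sent. No network or framework is used.

// Server-side catalogue (assumed sample data). Prices live here, never in
// the client request.
const CATALOGUE = {
  sword: { price: 50 },
  potion: { price: 10 },
};

// Fresh server-side state with one demo account (constructed sample data).
function newState() {
  return { accounts: { alice: { money: 100, inventory: {} } } };
}

// INSECURE: the endpoint the question warns about. It trusts a
// client-chosen delta, so anyone who can script an AJAX call can send
// { delta: 1e9 } and mint money. Kept only for contrast.
function changeMoneyInsecure(state, sessionUser, body) {
  state.accounts[sessionUser].money += body.delta;
  return { ok: true, money: state.accounts[sessionUser].money };
}

// SECURE: the client may only say *what* it wants. The server derives the
// cost from its own catalogue, checks the balance, and applies both writes
// (debit money, credit inventory) together. The acting user comes from the
// session, so a request cannot name somebody else's account.
function buySomething(state, sessionUser, body) {
  const account = state.accounts[sessionUser];
  if (!account) return { ok: false, error: "unauthenticated" };

  // Validate the shape of untrusted input before touching state.
  if (typeof body !== "object" || body === null) {
    return { ok: false, error: "bad request" };
  }
  const { itemId, quantity = 1 } = body;

  // hasOwnProperty, not `itemId in CATALOGUE`: a client sending
  // itemId "constructor" or "__proto__" would otherwise resolve to an
  // inherited Object property, cost would become NaN, and the balance check
  // below (money < NaN is false) would silently pass.
  if (typeof itemId !== "string" ||
      !Object.prototype.hasOwnProperty.call(CATALOGUE, itemId)) {
    return { ok: false, error: "unknown item" };
  }
  // Reject negatives, fractions, NaN, and absurd sizes (negative quantity
  // would otherwise turn a purchase into a refund).
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
    return { ok: false, error: "bad quantity" };
  }

  const cost = CATALOGUE[itemId].price * quantity;
  if (account.money < cost) return { ok: false, error: "insufficient funds" };

  // JavaScript is single-threaded, so nothing runs between the check above
  // and these two writes. Against a real database this must be one
  // transaction with a conditional update (UPDATE ... WHERE money >= cost)
  // or two concurrent requests could both pass the balance check.
  account.money -= cost;
  account.inventory[itemId] = (account.inventory[itemId] || 0) + quantity;
  return { ok: true, money: account.money, inventory: { ...account.inventory } };
}

// Demo: a forged "delta" succeeds against the insecure handler, while the
// same attacker can only spend what they actually have against the secure one.
function demo() {
  const insecure = newState();
  changeMoneyInsecure(insecure, "alice", { delta: 1e9 });

  const secure = newState();
  const results = [
    buySomething(secure, "alice", { itemId: "sword" }),               // ok, money 50
    buySomething(secure, "alice", { itemId: "sword", quantity: -5 }), // bad quantity
    buySomething(secure, "alice", { itemId: "sword" }),               // ok, money 0
    buySomething(secure, "alice", { itemId: "potion" }),              // insufficient funds
    buySomething(secure, "alice", { itemId: "admin_token" }),         // unknown item
    buySomething(secure, "mallory", { itemId: "potion" }),            // unauthenticated
  ];
  return {
    insecureMoney: insecure.accounts.alice.money,
    secureMoney: secure.accounts.alice.money,
    results,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the contrast is the one the answer makes: the secure handler's API vocabulary is "buy this item", which the server can fully validate, while the insecure handler's vocabulary is "set my balance to X", which no amount of server-side checking can make safe because the client has already been given authority over the value.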
