Can react state be tampered with to bypass security measures?


Problem description


I have two components. One component that the user must use to login and one component to show some content.

I was thinking of implementing my application by having one component that has some react state that tells it to render either the login component or the other one.

If I do this, would it be possible on the client side to manually set the state so that the login screen is bypassed and the content is shown?

EDIT: Added some example code.

```jsx
render () {
  if (this.state.authorized) {
    return <Content />
  } else {
    return <Login />
  }
}
```

With this code in mind, given that only the <Login /> component is capable of setting the authorized state to true, is it possible for the client side to simply get around this by manually setting the state somehow? For example through the Chrome React dev tools or something?

Solution

Client-side JavaScript isn't secure by design, i.e. the user has full control over the script that runs in the user's browser. Given that a user has enough access rights locally, the code can always be read and modified. Security measures that are applicable to client-side code only make this process more complicated.

This isn't unrelated to security, as long as the access to sensitive data is controlled by the backend.

It's certainly possible to change component state and show a component that wasn't supposed to be shown. For instance, React dev tools can be used for this demo to set authorized to true:

A user basically ruins their own experience with the application. A blank component will be shown without sensitive data because the user skipped the backend authentication process.
