Could a Malicious Hacker Alter a Hidden Post Variable


Question



I know that a POST can be spoofed in terms of originating domain, but what about being able to change the variables of the hidden POST variables in my HTML? I am concerned that someone could alter the "amount" value in my PayPal form from this:

<input type="hidden" name="amount" value="1.00">

to this:

<input type="hidden" name="amount" value="0.01">

or something similar. Thanks.

Solution

Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all.

Web security rule #1: Never trust any user input. Also stated as "All users are malicious hackers" or some variant thereof.

Answer to comment: The solution is to know all of the correct values on the server side, without having to pass them through the client side (Javascript). So regardless of what the form says, you already know the price. Just use the same value you used to populate the form in the first place.
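The following is an added example, not code from the question or the answer above, showing the two approaches side by side: a handler that trusts the hidden `amount` field, and one that takes only an item identifier from the client and looks the price up in a server-side catalog. The catalog, the SKU names and the POST bodies are constructed for the example; the hardened handler also reports whether a submitted `amount` disagrees with the server-side price, which is a useful signal to log.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog: the only source of truth for prices.
# In a real application this would be a database lookup.
CATALOG = {
    "sku-100": Decimal("1.00"),
    "sku-200": Decimal("25.00"),
}

MAX_QUANTITY = 100  # upper bound so an absurd quantity is rejected, not charged


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into a flat dict.
    Hidden inputs arrive exactly like visible ones; the server cannot tell
    them apart, so nothing here is more trustworthy than anything else."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def charge_trusting_form(body: str) -> Decimal:
    """Vulnerable pattern: the client decides the price.
    A hidden <input name="amount"> rewritten to 0.01 is simply accepted."""
    form = parse_form(body)
    return Decimal(form["amount"])


def charge_server_side(body: str) -> dict:
    """Hardened pattern: the client may only say *what* it wants to buy.
    The price is taken from CATALOG, never from the request. Any submitted
    'amount' is compared against the real price only to flag tampering."""
    form = parse_form(body)

    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    unit_price = CATALOG[item]

    # Quantity is user input too: validate type and range before using it.
    try:
        quantity = int(form.get("quantity", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity out of range")

    total = unit_price * quantity

    # Detection: a client that sends an amount different from what the
    # server would have rendered into the form has edited the request.
    tampered = False
    submitted = form.get("amount")
    if submitted is not None:
        try:
            tampered = Decimal(submitted) != total
        except InvalidOperation:
            tampered = True

    return {"item": item, "quantity": quantity, "total": total, "tampered": tampered}


if __name__ == "__main__":
    # Constructed POST bodies: one honest, one with the hidden field edited.
    honest = "item=sku-100&quantity=1&amount=1.00"
    edited = "item=sku-100&quantity=1&amount=0.01"

    print("trusting form, edited body:", charge_trusting_form(edited))   # 0.01
    print("server side, edited body:  ", charge_server_side(edited))     # total 1.00, tampered True
    print("server side, honest body:  ", charge_server_side(honest))     # total 1.00, tampered False
```

If the form posts straight to a third-party processor rather than to your own server, the same lookup still applies, just later: when the processor reports the payment back, compare the amount actually paid with the server-side price for that item and refuse to fulfil the order on a mismatch.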
