最终用户（黑客）如何更改Jquery和HTML值？ [英] How do end users (hackers) change Jquery and HTML values?

问题描述

我一直在寻找更好的方法来保护我的网站。许多论坛和Q / A网站都说最终用户可能会更改jQuery变量和HTML属性。他们如何做到这一点？如果他们可以更改站点上的数据和元素，他们是否可以插入脚本？

例如，我有2个用于主页的jQuery脚本。拳头是仅限会员脚本，第二个是仅限访问者脚本。终端用户是否可以登录我的网站，复制仅限会员脚本，注销并注入脚本，以便以访问者身份运行？ 解决方案方案

是的，假定客户端没有任何东西是安全的。使用Firebug for Firefox或Developer Tools for Chrome等最终用户可以操作（添加，修改，删除）：

您的CSS

您的JS

您的HTTP标头（发送到您的服务器的数据包）

li>

Cookies直接回答您的问题：如果您完全依赖JavaScript（并且很可能cookies）来跟踪用户会话状态并向会员和来宾传递不同的内容，那么我可以绝对肯定地说其他人会绕过您的安全，并且这将是微不足道的这样做。

设计安全的应用程序并不容易，不断的战斗，需要数年才能完全掌握。黑客应用程序非常简单，对整个家庭都很有趣，并且可以在20分钟内在YouTube上学习。

尽管如此，希望JS中包含的内容不是任务关键型或敏感数据。如果是这样，我会认真权衡雇用精通安全技术的第三方开发人员进来并帮助你的成本。因为，就像我之前说的那样，创建一个真正安全的网站并不容易。

I've been looking for better ways to secure my site. Many forums and Q/A sites say jquery variables and HTML attributes may be changed by the end user. How do they do this? If they can alter data and elements on a site, can they insert scripts as well?

For instance I have 2 jquery scripts for a home page. The fist is a "member only" script and the second is a "visitor only" script. Can the end user log into my site, copy the "member only" script, log off, and inject the script so it'll run as a visitor?

解决方案

Yes, it is safe to assume that nothing on the client side is safe. Using tools like Firebug for Firefox or Developer Tools for Chrome, end users are able to manipulate (add, alter, delete):

• Your HTML
• Your CSS
• Your JS
• Your HTTP headers (data packets sent to your server)
• Cookies

To answer your question directly: if you are solely relying on JavaScript (and most likely cookies) to track user session state and deliver different content to members and guests, then I can say with absolute certainty that other people will circumvent your security, and it would be trivial to do so.

Designing secure applications is not easy, a constant battle, and takes years to fully master. Hacking applications is very easy, fun for the whole family, and can be learned on YouTube in 20 minutes.

Having said all that, hopefully the content you are containing in the JS is not "mission-critical" or "sensitive-data". If it is, I would seriously weigh the costs of hiring a third party developer who is well versed in security to come in and help you out. Because, like I said earlier, creating a truly secure site is not something easily done.

这篇关于最终用户（黑客）如何更改Jquery和HTML值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！