如果用户在客户端更改html / javascript变量,如何防止黑客入侵? [英] How to prevent hacking if users change html/javascript variables on client side?
问题描述
使用像FireBug这样的简单工具,任何人都可以在客户端更改javascript参数。如果有人花时间研究你的应用程序一段时间,他们可以学习如何更改JS参数,从而导致黑客攻击你的网站。
Using a simple tool like FireBug, anyone can change javascript parameters on the client side. If anyone take time and study your application for a while, they can learn how to change JS parameters resulting in hacking your site.
例如,一个简单的用户可以删除实体他们看到但不允许改变。我知道一个优秀的开发人员必须检查服务器端的所有内容,但这意味着更多的开销,您必须首先检查来自数据库的数据,以便验证请求。这需要花费大量时间,因为每个人都必须对其进行验证,并且只能通过从DB获取所需数据来执行此操作。
For example, a simple user can delete entities which they see but are not allowed to change. I know a good developer must check everything on server side, but this means more overhead, you must do checks with data from a DB first, in order to validate the request. This takes a lot of time, for every action someone must validate it, and can only do this by fetching the needed data from DB.
你会做什么在这种情况下最小化黑客行为?
一种更简单的验证方法是为每个javascript函数添加另一个参数,此参数必须是之前的签名参数和密钥。
A more simple way to validate is to add another parameter for every javascript function, this parameter must be a signature between previous parameters and a secret key.
上面的解决方案听起来有多好?
我们的团队使用teamworkpm.net来组织我们的工作。我刚刚发现我可以通过更改javascript函数(最初编辑我自己的任务)来编辑其他任务。
Our team use teamworkpm.net to organize our work. I just discovered that I can edit someone else tasks by changing a javascript function (which initially edit my own tasks).
推荐答案
当每个函数调用服务器时,在执行操作之前在服务器端,您需要检查是否允许该用户执行此操作。
when every function call to server, in server side before you do the action , you need to check if this user is allowed to do this action.
有必要构建服务器端权限机制以防止不必要的操作,您可能希望定义用户组,而不是单个用户级别,这样可以更容易。
It is necessary to build server-side permissions mechanism to prevent unwanted actions, you may want to define groups of users, not individual user level, it makes it easier.
这篇关于如果用户在客户端更改html / javascript变量,如何防止黑客入侵?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
