Can Firebug or developer tools be used to hack a web site?

Views: 106

Problem description

I was facing an interesting issue when implementing a role-specific feature in a web site.

It's something like: if the logged-in user has Admin role privileges then a button (called Transfer) will be enabled, and otherwise, for other users, it should be disabled (so they can't click it and hence can't perform the transaction or invoke the relevant logic).

At a glance it seems fairly straightforward UI-validating kind of stuff. We just have to enable the button if the logged-in user has Admin privileges.

So after implementing that approach (working fine), I was debugging the code using Chrome developer tools. I noticed that though the button is now disabled, we can actually enable it by removing the disabled part using the tool.

Try this simple fiddle.

And then I can click on it and the functions get invoked. So basically it was not a good approach. But fortunately there are service-side validations also. But if not, this could be a huge security vulnerability.

So basically doing a server / service / back-end validation will prevent something dangerous from happening. But since the person can actually click on it and at least try to invoke the methods, it seems not nice :(

So, I would really like to know: how can we prevent these kinds of situations?

Okay, here is my question in simple terms:

Is it okay to have no disabled components at all?

Recommended answer

"Don't" use disabled components in your View.
That's part of your business logic and should not appear in the DOM...

"But hey :)..."

Now, even if the element does not exist, nothing can stop a user from manually embedding such an element into your website.
You should always perform server-side checks to see if such a user has the actual privileges to perform a specific action.

Sometimes disabled elements are used inside the UI to show the user:
"Hey, see this button? It's not for you unless you pay or blah blah",
but usually as a second-step/optional action element.

Sometimes entire forms are "visible" on websites but dimmed-out / disabled.
Such use cases are, e.g., payment forms with steps, where the designer wants to make visible to the user that he needs to fill in a previous form in order to "activate" the second one and proceed with the payment, etc. Cases are endless, but if a form exists on the website it's pure UI (View), and the Model should never accept values from the Controller unless (as I've said) specified by the Business Logic.

Remember that front-end JavaScript is used just to inform and help the user through intuitive interface systems. JS events should just be there to reflect what a user can and cannot do.

Since JS can be bypassed by any tech-savvy user, on the back-end side you need to rebuild a similar and stronger security logic, once again.

(!) Validate user input on the front-end, but most importantly - on the back-end.


Can Firebug or developer tools be used to hack a web site?

Directly?

• If the website back-end logic can be exploited by manipulating the View (source code).

• If you left sensitive information in code that reaches the browser (in comments, etc.).

• If the website allows XSS, lacking strong back-end security.

Indirectly

A malicious user could eventually ask a user to open the console (tricking the user into thinking the Console is an actual website feature) and to send him (copy/paste) private information that is present in there, such as session keys, cookies, etc...
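The answer's point, as an added example that is not part of the original question or answer: the `disabled` attribute is only a View-side hint, and the real decision about the Transfer action is made on the server from the authenticated session's role, never from anything the client posts. The names `ROLE_PERMISSIONS`, `can`, `renderTransferButton` and `handleTransfer`, and the shapes of the `session` and `body` objects, are assumptions made for this illustration (Node.js, no dependencies).

```javascript
// Added example (not from the original question or answer): a server-side
// authorization check for the "Transfer" action. All names and the
// session/body shapes are assumptions made for this illustration.

// Which actions each role may perform. This table lives on the server only.
const ROLE_PERMISSIONS = {
  admin: new Set(["view", "transfer"]),
  user: new Set(["view"]),
};

// True only if the role is known and grants the action.
function can(role, action) {
  const allowed = ROLE_PERMISSIONS[role];
  return allowed !== undefined && allowed.has(action);
}

// View side: the disabled attribute is a hint for the user, nothing more.
// Anyone can remove it in the developer tools, so nothing depends on it.
function renderTransferButton(role) {
  return can(role, "transfer")
    ? '<button id="transfer">Transfer</button>'
    : '<button id="transfer" disabled>Transfer</button>';
}

// Server side: simulates the handler behind POST /transfer.
// `session` is the server's own record of who sent the request (set after
// authentication); `body` is whatever the client posted and is untrusted.
// The decision is made from `session.role`, never from anything in `body`.
function handleTransfer(session, body) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "not authenticated" } };
  }
  if (!can(session.role, "transfer")) {
    // Rejected even if the client re-enabled the button in the DOM.
    return { status: 403, body: { error: "transfer not permitted for role " + session.role } };
  }
  // Authorized: now validate the input itself, also on the server.
  const amount = Number(body && body.amount);
  if (!Number.isFinite(amount) || amount <= 0) {
    return { status: 400, body: { error: "invalid amount" } };
  }
  return { status: 200, body: { transferred: amount, by: session.userId } };
}

// Constructed sample requests showing the outcomes.
const adminSession = { userId: "alice", role: "admin" };
const userSession = { userId: "bob", role: "user" };
console.log(handleTransfer(adminSession, { amount: 50 }));               // status 200
console.log(handleTransfer(userSession, { amount: 50 }));                // status 403
// A client claiming a role in the posted body changes nothing:
console.log(handleTransfer(userSession, { amount: 50, role: "admin" })); // status 403
```

Run it with `node transfer.js`. The design choice is that `can()` is consulted twice, once to render the button and once inside the handler, but only the second call matters for security; the first exists purely so the interface reflects what the user can and cannot do, as the answer puts it.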
