How to prevent sniffing and tampering of web site requests and responses?

Views: 133

Question

I am working on security and other stuff about my web sites.
In my country, online payments work like PayPal.
Meaning you should pass some parameters such as Amount, MerchantID, ReturnURL, ResNum (OrderID) by POST method to the bank, and the bank will pass some parameters such as MID, Status, ResNum back to you after payment.
During these requests and responses somebody can use the software below to sniff and tamper:
http://www.fiddler2.com/fiddler2/
Please see this video:
http://www.fiddler2.com/fiddler/help/video/
I tested it and it also works on HTTPS by using a certificate.
Wow...

  1. How can I prevent this sniffing and tampering?
    There is a function on the bank site named VerifyTransaction that is called on the seller side after payment, and this function returns the amount.
    This function is on a web service on the bank side.
    The main question is:
  2. Can somebody sniff and tamper with the web service between the bank and the seller?
    I mean, can Fiddler or another tool do that?
    If yes, how can we prevent this sniffing and tampering (of web services)?

Thanks a lot for your attention.

Answer

Fiddler is running on the same client that the web browser runs on, both under the control of the same user, so it can't do anything that you couldn't do with just a browser (but maybe with much more effort).

There is never a guarantee that data coming from clients to your server has been sent by the HTML/JavaScript/etc. that you served them. That is why you should never trust user input, e.g. always do data validation on the server side (and only additionally on the client side for improved usability). And that is the reason for the web service calls between the bank and the seller: to ensure that the transaction details are correct.

Tampering and sniffing of traffic between the seller server and the bank server can be prevented by a proper TLS setup.
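An added example (not from the question or the answer, and not any real bank's API) of the seller-side pattern the answer describes: the callback parameters the browser delivers are treated as untrusted, the paid amount is taken only from a server-to-server VerifyTransaction call, and that call is made over a TLS context that verifies the bank's certificate and hostname. The verify URL and query format, the amount returned as a plain integer, and the in-memory order store are assumptions.

```python
"""Seller-side payment callback: decide the order outcome from the bank's
VerifyTransaction answer, never from parameters POSTed by the browser."""
import ssl
import urllib.request
from typing import Callable, Dict

# Constructed sample order store (hypothetical): ResNum -> amount the seller
# recorded when the order was created, before redirecting to the bank.
ORDERS: Dict[str, int] = {"ORD-1001": 250000}


def bank_verify_over_tls(verify_url: str) -> Callable[[str, str], int]:
    """Build a server-to-server caller for the bank's VerifyTransaction.

    verify_url and the query/response format are assumptions; a real gateway
    has its own SOAP/HTTP contract. The context verifies the bank's CA chain
    and hostname, so a proxy interposed on the seller's outbound traffic
    cannot present a self-signed certificate and impersonate the bank."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions

    def call(mid: str, res_num: str) -> int:
        url = f"{verify_url}?MID={mid}&ResNum={res_num}"
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return int(resp.read().decode().strip())
    return call


def settle_callback(posted: Dict[str, str],
                    verify: Callable[[str, str], int]) -> str:
    """Return "settled" or "rejected: ..." for one browser-delivered callback.

    `posted` is exactly what the user's browser sent (and what a client-side
    proxy such as Fiddler could have altered). `verify` is the direct
    seller-to-bank VerifyTransaction call, which per the question returns
    the amount the bank actually collected."""
    res_num = posted.get("ResNum", "")
    expected = ORDERS.get(res_num)
    if expected is None:
        return "rejected: unknown order"
    # Status and Amount from the browser are deliberately ignored: only the
    # bank's own answer decides whether money was received, and how much.
    paid = verify(posted.get("MID", ""), res_num)
    if paid != expected:
        return f"rejected: bank reports {paid}, order expects {expected}"
    return "settled"
```

In the test below the browser-supplied Amount and Status are inconsistent with the bank's answer, and only the bank's answer determines the result.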
