保护表单劫持黑客 [英] protect form hijacking hack
问题描述
是的,今天您好,我发现我的网站遭到了黑客攻击。
Yes hello today I discovered a hack for my site.
当您在用户墙上(在我的社区站点中)写一个msg时,它将运行ajax调用,以将消息插入数据库,然后成功滑动下来并显示出来。
When you write a msg on a users wall (in my communitysite) it runs a ajax call, to insert the msg to the db and will then on success slide down and show it.
工作正常,没有问题。
因此,我正在重新考虑各种事情,为此我正在使用POST方法,如果它是GET方法,则可以轻松地执行?msg = haxmsg& usr = 12345679。但是,您可以怎么做才能解决POST方法呢?
So I was rethinking alittle, I am using POST methods for this and if it was GET method you could easily do ?msg=haxmsg&usr=12345679. But what could you do to come around the POST method?
我制作了一个新的html文档,制作了表格,并在操作中设置了 site.com/insertwall.php(通常在ajax中使用的文件) ,我输入了一些与我使用ajaxcall一样的名称的输入字段(msg,uID(用户ID),BuID(按用户ID)),并创建了一个提交按钮。
I made a new html document, made a form and on action i set "site.com/insertwall.php" (the file that normally are being used in ajax), i made some input fields with names exactly like i am doing with the ajaxcall (msg, uID (userid), BuID (by userid) ) and made a submit button.
我知道我有一个page_protect()函数,要求您登录该函数,如果您不登录,将成为index.php的标头。因此,我登录了(在site.com上开始了会话),然后按下了此提交按钮。然后,我在网站上看到糟糕的消息,它发出了一条新消息。
I know I have a page_protect() function on which requires you to login and if you arent you will be header to index.php. So i logged in (started session on my site.com) and then I pressed on this submit button. And then wops I saw on my site that it has made a new message.
我就像哇,劫持POST方法是如此容易,我以为可能很少更安全的东西。
I was like wow, was it so easy to hijack POST method i thought maybe it was little more secure or something.
我想知道如何做才能防止这种劫持?因为我什至不想知道真正的黑客可以用这个漏洞做什么。 page_protect可确保会话来自同一http用户代理,因此,此方法工作正常(试图在不登录的情况下运行该表单,并且仅将我标为首页),但是的,您不会花很长时间找出登录信息首先,然后运行它。
I would like to know what could I do to prevent this hijacking? As i wouldnt even want to know what real hackers could do with this "hole". The page_protect secures that the sessions are from the same http user agent and so, and this works fine (tried to run the form without logging in, and it just headers me to startpage) but yea wouldnt take long time to figure out to log in first and then run it.
任何建议都值得赞赏。我想让我的ajax调用尽可能地安全,并且所有这些都在POST方法上运行。我该如何对insertwall.php进行检查,以检查它是否来自服务器或其他内容。.
Any advices are appreciated alot. I would like to keep my ajax calls most secure as possible and all of them are running on the POST method. What could I do to the insertwall.php, to check that it comes from the server or something..
谢谢
推荐答案
根据您的评论……
服务器之外的所有内容都无法控制。您必须在服务器边界而不是在浏览器边界定义要输入的内容。
Anything outside your server is outside your control. You must define what you want to let in at the border of your server, and not in the browser.
因此,例如,如果要让人们发送邮件,那么您必须对服务器施加任何您要施加的限制(仅登录用户,仅向朋友,仅在月球打蜡时等)。
So, for example, if you want to let people send messages, then any restrictions you want to impose (only logged in users, only to friends, only when the moon is waxing, etc) must be imposed on the server.
发送到浏览器的内容可以被视为与API交互的应用程序。人们可能会以您意想不到的方式与您的API进行交互,但是如果您的所有安全性都由服务器来照顾,那么您是安全的。
What you send to the browser can be thought of as an application that interacts with your API. People might interact with your API in ways that you don't expect, but you are safe if all your security is taken care of by the server.
(直到我们来放在中间的人的主题上,在这种情况下,请查看 CSRF预防和加密使用SSL)
(Until we come onto the subject of man in the middle stuff, in which case look into CSRF prevention and encryption with SSL)
这篇关于保护表单劫持黑客的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
