攻击者可以有害地使用检查元素吗? [英] Can an attacker use inspect element harmfully?
问题描述
我知道这是一个广泛的问题,但我想我在这里遗漏了一些东西.攻击者是否可能通过简单地使用inspect元素并编辑javascript和html对网站造成损害?例如,对于某人来说,更改输入的最大长度并上传太多数据可能会使服务器崩溃,这似乎太容易了,我知道在服务器上检查数据始终是一种好习惯,但是似乎仍然太容易了.另一个更潜在的危险示例是,如果攻击者可以弄乱 $.ajax 调用并将错误信息发送到服务器.是我应该担心的事情,还是更改只是暂时的,在攻击者的浏览器上?
I know this is a broad question, but I think I'm missing something here. Is it possible for an attacker to cause damage to a site by simple using inspect element and editing the javascript and html? For example, it seems too easy for someone to change the maxlength of an input, and upload so much data that it could crash the server, I know that it is always good practice to check data at the server but it still seems too easy. Or another more potentially dangerous example is if the attacker can mess with an $.ajax call and send bad info to the server. Is it something I should be worrying more about or are the changes just temporary, on the attackers browser?
推荐答案
所做的更改在单个用户的浏览器中是暂时的.
The changes are temporary on the individual user's browser.
但是,所做的更改将使该用户可以与您的后端进行交互,但是他们选择这样做.这是攻击网站的一种方式.
However, the changes will allow that user to interact with your backend however they choose to do so. This is one way in which sites are attacked.
标准规则是永远不要信任来自用户/浏览器的输入.不信任隐藏字段的值,不信任它们未更改长度,不信任它们未添加新值(例如,下拉列表),不信任在Javascript中已完成的任何验证,等
The standard rule is to never trust input coming from the user / browser. Do not trust the value of hidden fields, do not trust that they have not changed the length, do not trust that they have not added new values (e.g. to a drop down), do not trust any validation that has been done in Javascript, etc.
一些例子:
- 过去某些购物网站会在表格中包含要作为隐藏字段支付的金额.更改此值会更改仍在批准交易的同时从信用卡收取的金额.
- 具有Java验证规则的站点可以通过直接发布到后端服务来跳过,从而对SQL和HTML/脚本注入攻击开放.
- 下拉菜单,单选按钮和复选框输入,可以在其中添加意外值.
这篇关于攻击者可以有害地使用检查元素吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
