Can a malicious user on a web application manipulate the inputs (besides the form data) that are sent by the front-end of a web application?


Problem description


Are there any possible ways by which a malicious user on a web application can manipulate the input that is sent by the front-end of the web application (not talking about the FORM DATA, of course) but the requests that are sent, e.g., when I allow him to edit his profile or his content, he may manipulate the IDs (userId or the contentId) so that he may maliciously do evil with other users' content? These inputs are fixed on a webpage & are not editable, but can the users still manipulate them?


Is it possible that users may do harm in this manner? How can I safeguard my application against this? Besides verifying the user's identity and his contents/properties on the application prior to allowing each of his actions.

Recommended answer


Yes of course. Anything that comes from the client can be modified and cannot be trusted at all.


You need to do server-side checks if the user is editing his own profile or something he's allowed to edit.


For things like editing the profile you could simply use the userid stored in his session though (assuming it's secure, i.e. stored server-side or in cryptographically signed cookies). Only let data go through the client if it's necessary - if the data is already available on the server, you don't even have to give the user the feeling that he might be able to tamper with it. Even though it could be used as a honeypot - but that's not really the purpose of most webapps...
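An added example (not part of the answer above) of the two points the answer makes: the content edit checks ownership against the server's own record before writing, and the profile edit takes the user from the session and ignores any client-supplied userId. The in-memory store, the session dict and the request form are constructed stand-ins for a framework's real session and request objects.

```python
# Constructed in-memory data standing in for a database; the "owner" field is the
# server's authoritative record of who may edit each content item.
def new_store():
    return {
        "content": {101: {"owner": "alice", "body": "alice's post"},
                    202: {"owner": "bob", "body": "bob's post"}},
        "profiles": {"alice": {"bio": "hi"}, "bob": {"bio": "yo"}},
    }


def current_user(session):
    """Identity the server established at login (hypothetical session dict,
    assumed to be stored server-side or in a signed cookie)."""
    return session["user"]


def edit_content_unchecked(store, session, form):
    """Vulnerable pattern: ownership is decided from a userId the client sent,
    so the check compares two attacker-controlled values."""
    claimed_user = form.get("userId")
    record = store["content"][int(form["contentId"])]
    if record["owner"] != claimed_user:
        return 403, "forbidden"
    record["body"] = form["body"]
    return 200, "updated"


def edit_content(store, session, form):
    """Safe pattern: the contentId still comes from the client (it has to),
    but the owner check uses the session identity and the server's record."""
    user = current_user(session)
    record = store["content"].get(int(form["contentId"]))
    if record is None:
        return 404, "not found"
    if record["owner"] != user:          # server-side authorization check
        return 403, "forbidden"
    record["body"] = form["body"]
    return 200, "updated"


def edit_profile(store, session, form):
    """The profile to edit is the session user's own; a userId field in the
    request is never consulted, so there is nothing for the client to tamper with."""
    user = current_user(session)
    store["profiles"][user]["bio"] = form["bio"]
    return 200, "updated"
```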
