我在网络应用程序中所做的事情是否可以轻易被黑客攻击或破坏?
我正在向用户展示一些考试。 在通过考试之前,用户不得进入实际站点。 但是,有些用户可以选择在某个日期(例如从当前日期起的一个月)之前绕过考试。 因此,这些用户有一个月的时间参加考试。 在此之前,他们可以单击考试页面上的“继续”即可进入该网站。
我的逻辑: 当普通用户单击考试表单页面上的提交时,我正在执行所有逻辑并向数据库提交信息。 当这些“特殊”用户单击“继续”时,如果他们仍处于一个月的窗口中,我将仅将“true”编码到“didPassExam()”方法中。
我的问题是: 要检查用户单击了哪个按钮,我正在执行以下操作(Struts 2 代码)
private String Submit;
public void setSubmit(String submit) {
this.submit = submit;
}
在 JSP 中:
<s:submit name="submit" value="Submit" />
<s:submit name="submit" value="Proceed" />
基本上,当用户单击按钮时,我的操作类将知道单击了哪个按钮。 但是,某些黑客是否可以故意将“提交”按钮的值更改为“继续”,然后即使对于普通用户也可以绕过考试?
有人会以不同且更安全的方式做到这一点吗?
I am presenting the user with some exam. Users are not to proceed into the actual site before they pass this exam. However, there will be some users who will have a choice to bypass the exam until some date (say month from current date). So these users have a window of a month to take the exam. until then they can click 'Proceed' on the exam page to just go into the site.
My Logic:
When normal users click submit on the exam form page I am doing all my logic and submitting info the the DB. When these 'special' users click proceed then I will be just harcoding a 'true' to the 'didPassExam()' method, if they are still in that one month window.
My question is:
to check which button the user clicked I am doing the following (Struts 2 code)
private String submit;
public void setSubmit(String submit) {
this.submit = submit;
}
And in the JSP:
<s:submit name="submit" value="Submit" />
<s:submit name="submit" value="Proceed" />
so basically when user clicks a button, my action class will know which button was clicked. But can some hacker intentionally change value of 'Submit' button to 'Proceed' and then bypass the exam even for normal users?
Would someone do this a different and more secure way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
是的,任何用户都可以传递特殊的“继续”并获得访问权限。
由于您可以(并且确实)已经区分了用户类型之间的差异,因此您应该基于此在服务器上验证他们的按钮。 客户端检查始终可以被绕过。
Yes, any user could pass along the special "Proceed" and gain access.
Since you can (and do) already tell the difference between the types of users you should validate their button at the server based on that. Client-side checks can always be bypassed.
一般来说,您不应该相信来自客户端的输入。 您应该在服务器端验证特定用户是否有权跳过考试。 据推测,您从登录过程中知道用户是谁,并且知道确定他们是否可以跳过考试的正确逻辑。 所以没有理由相信客户告诉你的话。
In general, you should not trust input from the client. You should validate on the server side that the particular user has the right to skip the exam. Presumably, you know who the user is from a log-in process and you know the correct logic to determine if they can skip the exam. So there's no reason to trust what the client tells you.
是的,这很容易被黑客攻击。 每当您需要保护此类内容时,请在服务器端进行检查。 也就是说,检查服务器端的用户类型(这就像术语中的“角色”)。
始终假设任何客户端代码都可以并且将会被恶意用户替换。
Yes, this is easily hacked. Whenever you need to secure something like this, do the check on the server side. That is, check the user type (this is like a "Role" in the parlance) on the server side.
Always assume that any client-side code can and will be replaced by a malicious user.
您需要捕获按下的按钮,然后针对用户进行验证。
假设您的 User 被实例化为类变量 user,并为公共方法 isSpecialUser() 返回布尔值:
You will need to capture the button pressed, and then validate it against the User.
Assuming your User is instantiated as class variable user, and returns Boolean for public method isSpecialUser():