当前位置: 文江博客话题详情

如何检查是否有人修改了您的 HTML(使用 Firebug 之类的工具)?

发布于 2024-10-20 21:25:22 字数 273 浏览 10 评论 0原文

有没有一种简单的方法可以检查是否有人修改了您的 HTML?我目前正在编写一些代码,从 DOM 获取数据并将其提交到后端,当然会对其进行清理并检查准确性,但我想知道是否有一种方法可以在传递时阻止这种情况。

例如,如果我有一个隐藏的输入,其中包含一个数字,并且有人在将其提交到我的服务器之前在 Firebug 中修改了该数字,那么有没有办法在将请求提交到服务器之前检查实际的 HTML 是否被修改,并且基本上就是告诉他们嘿伙计别再乱动我的东西了。

我不完全确定这是可能的,但如果是的话,我不知道该怎么做。

原文

Is there an easy way to check to see if someone has modified your HTML? I am currently writing some code that takes data from the DOM and submits it to the backend where it will of course be sanitized and checked for accuracy, but I was wondering if there was a way to kind of head that off at the pass.

For instance, if I have a hidden input with a number in it and someone modifies that number in Firebug before submitting it to my server, is there a way to check to see if the actual HTML was modified before submitting the request to the server and basically telling them HEY BUDDY STOP MESSING WITH MY STUFF.

I'm not entirely sure this is possible, but if it is, I do not know how to do it.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

洒一地阳光 2024-10-27 21:25:22

嗯,我想说用户浏览器上的 HTML 实际上是他们的。 (也就是说,greasemonkey 没有任何问题)在以 URL、HTML 表单输入参数和 cookies 的形式到达您的服务器之前,这些东西就不再是您的了——所有这些当然都可以在您不知情的情况下进行修改。所以你应该继续验证这些数据;没有什么灵丹妙药可以提供值得信赖的客户体验。

Hmm, I'd say that the HTML on your users' browser is actually theirs. (i.e. nothing wrong with greasemonkey) Stuff isn't yours again until it arrives at your server in the form of the URL, HTML form input parameters, and cookies -- all of which can of course be modified unbenknownst to you. So you should continue to validate such data; there's no magic bullet to allow for a trusted client experience.

回复 原文
风苍溪 2024-10-27 21:25:22

您可以与隐藏值一起发送另一个值,该值是您执行的复杂计算的结果,涉及隐藏值和一些永远不会发送到客户端的秘密值。然后,当您收到隐藏值时,只需执行另一次计算来反转第一个计算。如果您没有取回您的秘密值,那么您就知道他们已经更改了隐藏值。

当然,这仍然不会那么安全,因为有人可以轻松地在您的网站上进行一些实验,并仅根据您的隐藏值和验证值找出该秘密值是什么,然后也更改验证值。

有可能提出一种计算方法,使破解此类验证变得相当困难(但并非不可能)。然而,由于需要花费时间和精力来进行这样的计算,然后保持在其之上以确保不会出现新的漏洞,因此您最好在收到数据时对其进行清理。

在我看来,您最好不要依赖用户收到的任何数据。当然,可以采取一些技巧来完成您所要求的操作,这可能就是其中之一,但大多数这些技巧都很有可能被攻击者在足够的时间内弄清楚。

You could send along with your hidden value another value that is the result of a complex computation you performed involving the hidden value and some secret value that never gets sent to the client. Then when you receive the hidden value simply perform another calculation that reverses the first one. If you don't get your secret value back then you know they have changed the hidden value.

Of course, this is still not going to be that secure as someone can easily do some experiments on your site and find out what that secret value is based solely off of your hidden value and verification value and then change the verification value as well.

It is possible to come up with a computation that will make it rather difficult (but not impossible) to crack this type of verification. However, with the time and effort that would be involved in coming up with such a computation and then staying on top of it to ensure no new exploits come out for it, you would probably be better off just sanitizing the data as you receive it.

In my opinion you are better off not relying on any data received by the user. There are certainly tricks that can be done to do what you ask and this may be one of them but most all of these tricks are ones that can most likely be figured out by an attacker given enough time.

回复 原文
浊酒尽余欢 2024-10-27 21:25:22

您可以查看是否有人正在使用 JavaScript 通过 Firebug 更改隐藏的 input 元素,但这个想法听起来很愚蠢。

所有关键验证都应该在服务器端完成。

您不能相信客户发送的任何内容都是准确的。如果有人真的想“搞乱你的东西”,他们可以轻松地(例如)编写一个 Python 脚本来将数据提交到你的服务器。

这是我在评论中提到的基于 jQuery 的示例:

现场演示#2

  • 单击“提交”:背景将变为绿色 - 没有任何更改。
  • 更改隐藏输入的值,单击“提交”:背景将变成红色 - 某些内容已更改。

HTML:

<form id="myForm" method="post" action="">
    <input type="hidden" value="123" />
    <input type="hidden" value="456" />
    <input type="submit" />
</form>

JS #2:

$('#myForm input[type="hidden"]').each(function() {
    $(this).data('originalValue', $(this).val());
});

$('#myForm').submit(function(){
    $(this).find('input[type="hidden"]').each(function() {
        if ($(this).val() != $(this).data('originalValue')) {
            $('body').css('background', 'red');
            return false;
        }
        //just for testing:
        $('body').css('background', 'green');
    });
    return false;
});

You could see if somebody is changing hidden input elements with Firebug using JavaScript, but the idea sounds silly.

All your critical validation should be done server-side.

You can't rely on anything the client sends being accurate. If somebody really wanted to "mess with your stuff", they could easily (for example) write a Python script to submit data to your server.

Here's a jQuery-based sample of what I was alluding to in my comment:

Live Demo #2

  • Click Submit: the background will turn green - nothing was changed.
  • Change the value of a hidden input, click Submit: the background will turn red - something was changed.

HTML:

<form id="myForm" method="post" action="">
    <input type="hidden" value="123" />
    <input type="hidden" value="456" />
    <input type="submit" />
</form>

JS #2:

$('#myForm input[type="hidden"]').each(function() {
    $(this).data('originalValue', $(this).val());
});

$('#myForm').submit(function(){
    $(this).find('input[type="hidden"]').each(function() {
        if ($(this).val() != $(this).data('originalValue')) {
            $('body').css('background', 'red');
            return false;
        }
        //just for testing:
        $('body').css('background', 'green');
    });
    return false;
});
回复 原文
柠檬色的秋千 2024-10-27 21:25:22

您可以在 JavaScript 中做一些事情,例如将期望值的副本保留在 JavaScript 中:

var originalHiddenFieldValue = document.getElementById("myHiddenField").value;

...稍后...

if (originalHiddenFieldValue !== document.getElementById("myHiddenField").value)
    alert("Hey, stop it!");

但最终,用户所要做的就是分离您的事件处理程序提交按钮来覆盖任何验证,您的代码将毫无用处。如果他们足够聪明,可以使用 Firebug 覆盖值,那么您可以打赌他们也愿意进一步修改您的脚本。

如果您尝试检查这些事情,那么您可以 100% 置信度地执行此操作的唯一方法是检查服务器端的隐藏字段,并比较这些值,正如您所说的无论如何您都在做的那样。

There are things you can do in JavaScript, like keeping a copy of the expected value buried in JavaScript:

var originalHiddenFieldValue = document.getElementById("myHiddenField").value;

... later...

if (originalHiddenFieldValue !== document.getElementById("myHiddenField").value)
    alert("Hey, stop it!");

At the end of the day though, all the user would have to do is detach any event handlers on your submit button to override any validation and your code would be useless. If they're smart enough to be overriding values using Firebug, you can make a good bet that they'd be willing to go a bit further to modify your scripts too.

If you're trying to check for these things, the only way you can do it with 100% confidence is to check the hidden field server-side, and compare the values, as you have said you are doing anyway.

回复 原文
~没有更多了~

关于作者

酒解孤独

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

櫻之舞

文章 0 评论 0

弥枳

文章 0 评论 0

m2429

文章 0 评论 0

寻找一个思念的角度

文章 0 评论 0

野却迷人

文章 0 评论 0

我怀念的。

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文