问题描述
有没有办法隐藏在表单提交中发布的键和值。黑客使用安全测试工具(如burp套件)可以篡改关键值?
解决方案有没有办法隐藏在表单提交中发布的键和值。黑客使用安全测试工具(如burp套件)可以篡改关键值?
解决方案尽管HTTPS用于保护数据在传输中,没有实际的方法来防止用户篡改他们机器上的数据。几乎每个现代浏览器都有内置或附加开发者工具,允许用户暂停脚本执行,更改客户端脚本变量,修改HTML等等。
如果采取这种方法,您将验证所有输入结束(可以这么说),然后篡改真的不应该是一个问题。如果BobLimitedUser想操纵HTML,以便他可以将一个下拉值从一个值更改为另一个值,那么这是他浪费的时间。如果他设法将某些东西改变为导致数据完整性或安全问题的值,那么服务器端验证就是为了防止这种情况发生。
简而言之, p>
数据验证是一个很大的讨论话题,我建议您查看OWASP参考指南(这里仅仅是复制太多信息):
最后一点要思考......如果您有一个客户端脚本应用程序,那么我假设您使用AJAX和Web服务来传输数据。无论您编写什么客户端脚本,是什么阻止恶意用户简单地使用Fiddler之类来绕过客户端脚本,而是浏览器本身直接将请求发送到Web服务?确保安全性的唯一方法是验证服务器上的所有内容。
Is there a way to hide the keys and values that are posted back on form submit.As these key values can be tampered with by the Hacker using Security testing tools such as burp suite?
While HTTPS is used to secure data in transit, there is no practical way to prevent a user from tampering with data on their machine. Pretty much every modern browser now has built-in or add-on developer tools that allow a user to pause script execution, change client script variables, modify HTML, and so on.
One method that CAN be used for data that is round-tripped back and forth from the client to the server and doesn't change (such as a UserID) would be to encrypt the data prior to sending, and then decrypt when it returns to the server. Another mechanism would be to take all of your round-trip values that aren't expected to change and compute a hash against them which could be stored in a hidden field on the page. Then when they return, recompute the hash and make sure that everything matches up. Then "BobLimitedUser" couldn't change his username to "Administrator" by manipulating HTML without breaking the hash.
All of that being said, the underlying fact is simply that you should consider data coming from a system not under your control as untrusted. Final input validation should always be performed server-side (in addition to any client-side validation performed). Because of this "double validation" requirement, for complex validation routines, I'll actually use a webservice/AJAX call to perform the client-side validation. Then my client script and my server code can simply call the same routine, once during and once after submission.
If you take the approach that you will validate all input at both ends (so to speak), then tampering really shouldn't be an issue. If BobLimitedUser wants to manipulate HTML so he can change a dropdown value from one value to another value he has access to, that is his time to waste. If he manages to change something to a value that causes data integrity or security issues, that is what the server-side validation is there to protect against.
In Short
Data validation is a big topic of discussion, and I would recommend reviewing the OWASP reference guide (simply too much information to replicate here): https://www.owasp.org/index.php/Data_Validation
One last bit to think on... if you have a client-script application, then I assume you are using AJAX and web services to transmit data. Regardless of what client script you write, what prevents a malicious user from simply using something like Fiddler to bypass not only the client script, but the browser itself, to send requests directly to your web service? The only way to ensure security is to validate everything at the server.
这篇关于当表单提交在Burp Suite或任何类似工具中被拦截时,是否有办法隐藏发布的表单数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!