问题描述
我有以下ajax调用,该调用检查用户是否为付费会员,如果是,它将相应地运行某些功能.这有效,但我担心安全性.如果有人在控制台中更改此Ajax代码,强制#button
成功运行功能而无需执行任何操作,该怎么办.在仍然使用jQuery ajax的情况下可以防止这种情况吗?
I have the following ajax call which checks to see if the user is a paid member, if yes it runs certain functions accordingly. This works but i'm concerned about security. What if someone alters this ajax code in console forcing #button
to run the functions in success without having to do any post. Can i prevent this while still using jQuery ajax.
$('#button').click(function() {
$.ajax({
url:'checkplan',
type:'POST',
success:function(data){
if(data == 'paid')
//grant access and run some functions
}
})
推荐答案
Pinkie
而不是在客户端进行此检查应该做的是,永远不要渲染仅用于客户端的付费用户的代码.就像其他人提到的那样,这带来了严重的安全漏洞,因为仅使用Firebug控制台伪造ajax请求非常简单.
Pinkie
what you should do rather than make this check on the client-side is never render code that is meant only for paid users on the client-side, like others mention, this imposes severe security holes since it's very simple to forge ajax requests with merely a firebug console.
同样,只是隐藏"标记并不会为您削减标记,因此display:none;
在保护您的网站方面并不会真正起到任何作用.
Likewise, just "hiding" markup isn't going to cut it for you, so display:none;
won't really accomplish anything in securing your website.
我的建议是两方面的:首先,甚至不要在客户端上呈现javascript,而这并不是给正在访问的用户的.在这种情况下,您甚至可能要考虑调用部分操作方法,该方法根据用户凭据决定是否向客户端呈现什么js代码.
What I'd recommend is two-fold: firstly, don't even render javascript on the client that isn't meant for the user who is visiting. In this case you might even want to consider invoking a partial action method that decides whether or not to render what js code to the client, depending on the user credentials.
其次,在客户端只能做很多事情,这意味着:服务器端上对用户凭据敏感的每个方法都应验证是否确实允许用户访问此功能,而不仅仅是猜测如果他访问了该方法,他一定是.
Secondly, there is only so much that can be done on the client-side, this means: every single method on the server side that is sensitive to the user's credentials should verify that the user is indeed allowed to access this functionality, and not just guess that if he's accessed that method, he must be.
更新
在您提到要在其中呈现jquery UI对话框的情况下,只要这些按钮指向a即可在服务器端验证用户是他声称的用户的功能,那么您就安全"(即使这不是地球上最干净的代码);您真正应该做的是根据用户是否具有所需的凭据来呈现这些按钮.
In the case you mention where you render a jquery UI dialog, as long as the buttons point to functionality thata verifies on the server-side that the user is who he claims to be, then you are "safe" (even though it's not the cleanliest code on the earth); what you should really be doing is render those buttons based on whether the user has the credentials you require.
您应该进行查询以获取要呈现的HTML/JS部分,而不是检查它们在ajax调用中是否具有必需的凭据.
Instead of checking if they have the required credentials in your ajax call, you should be making a query to fetch the portion of HTML / JS you were going to be rendering.
这篇关于jQuery Ajax安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!