堆栈内存溢出
  简体   繁体   English

如何使jQuery(javascript)ajax表单数据发送的可读性降低?

[英]How can i make jQuery(javascript) ajax form data sent less human readable?

 原文  2015-01-28 12:04:02       javascript/ php/ jquery/ ajax

问题描述

Someone using firebug or chrome console could intercept the submitted form data and then switch some of the values, eg. 使用firebug或chrome控制台的人可以拦截提交的表单数据,然后切换某些值,例如。 Sender's ID . 发件人的ID。 I was wondering if I can make data sent less human readable so the attacker won't want to deal with it. 我想知道是否可以使发送的数据的可读性降低,从而使攻击者不想处理它。

I saw something like this: 我看到了这样的东西: 

$.ajax({
    type: "POST",
    url: 'http://www.example.com/widget_category.php',
    data: "p=eyJUcmF6ZW5pUG9qYW0iOiIiLCJJREdydXBhIjoiMzA3IiwiSURQb2RHcnVwYSI6MzA3LCJQcm9kYXZhYyI6IiIsIk9rcnV6aSI6W10sIk9wc3RpbmUiOltdLCJDZW5hT2QiOi0xLCJDZW5hRG8iOi0xLCJTdGFuamFQcmVkbWV0YSI6W10sIk5hY2luaVBsYWNhbmphIjpbXSwiRmlsdGVyIjpbXX0=",
    dataType:'html',
    success: function(res){
        $('#limwidget').empty().append(res);
    }
    });

Edit: I see this question was accepted bad. 编辑:我看到这个问题被接受不好。 I just want to point out that i am validating all data received on the server side and there should be no question about that, but I just wanted to hide the real sensitive data from database ( and maybe make them also timestamp signed in some manner and different from user to user). 我只想指出,我正在验证服务器端收到的所有数据,对此应该没有问题,但是我只是想从数据库中隐藏真正的敏感数据(并可能使它们也以某种方式对时间戳签名并因用户而异)。 I realize that maybe this problem should be considered on server-side(php), that all sensitive data should be swaped on server-side instead of client-side, so we can avoid security by obscurity. 我意识到也许应该在服务器端(php)上考虑此问题,所有敏感数据都应该在服务器端而不是客户端上交换,这样我们就可以通过避免混淆来避免安全性。

Thanks for clarifying 感谢您的澄清

One more edit: I see now that output from atob function from the example given 再进行一次编辑:从给定的示例中,我现在看到了atob函数的输出 

eyJUcmF6ZW5pUG9qYW0iOiIiLCJJREdydXBhIjoiMzA3IiwiSURQb2RHcnVwYSI6MzA3LCJQcm9kYXZhYyI6IiIsIk9rcnV6aSI6W10sIk9wc3RpbmUiOltdLCJDZW5hT2QiOi0xLCJDZW5hRG8iOi0xLCJTdGFuamFQcmVkbWV0YSI6W10sIk5hY2luaVBsYWNhbmphIjpbXSwiRmlsdGVyIjpbXX0=

is 

{"TrazeniPojam":"","IDGrupa":"307","IDPodGrupa":307,"Prodavac":"","Okruzi":[],"Opstine":[],"CenaOd":-1,"CenaDo":-1,"StanjaPredmeta":[],"NaciniPlacanja":[],"Filter":[]}

so I guess that it's useless to start hiding data on client-side. 所以我想开始在客户端隐藏数据是没有用的。

5 个解决方案

解决方案1
 1 已采纳  2015-01-28 12:07:02

You can encode your data to base64 with atob() and btoa(), and then decode it in the server. 您可以使用atob()和btoa()将数据编码为base64,然后在服务器中对其进行解码。 Be aware that doing this will only obfuscate your code, and won't make it 100% secure. 请注意,这样做只会混淆您的代码,并且不会使其100%安全。

Here's some info about Base64 encoding for JavaScript. 这是有关JavaScript的Base64编码的一些信息。

https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding https://developer.mozilla.org/zh-CN/docs/Web/API/WindowBase64/Base64_encoding_and_decoding

解决方案2
 1  2015-01-28 12:08:16

They can change anything on the front end even with this change. 即使有此更改,他们也可以更改前端的任何内容。 Everything sent to the client can be read, including any encryption code you use. 可以读取发送给客户端的所有内容,包括您使用的任何加密代码。 It is harder potentially but you are confusing obfuscation for security . 这可能会更困难,但是您会混淆对安全性的混淆

Obfuscation will not solve the problem. 混淆不会解决问题。

You should make it your priority to get your server side code to validate and sanitise the data that comes from the front end. 您应该优先获取服务器端代码,以验证和清除来自前端的数据。

http://en.wikipedia.org/wiki/Security_through_obscurity http://en.wikipedia.org/wiki/Security_through_obscurity

解决方案3
 1  2015-01-28 12:12:25

You should forget about having sensitive logic on client side and expect to be safe, there is no way to do that. 您应该忘记在客户端使用敏感的逻辑,并期望它是安全的,没有办法做到这一点。

Even in case you "ofuscate" the output, that evil user could put a breakpoint before the ofuscation and change values at will. 即使您“过分”了输出,那个邪恶的用户也可以在过时之前设置一个断点并随意更改值。

If you concern is that someone could change the SenderID then, assuming is valid for your scenario, you could validate on server side that SenderID posted is the same that initiated request. 如果您担心有人可以更改SenderID则在假定对您的方案有效的情况下,您可以在服务器端验证发布的SenderID与发起的请求相同。

解决方案4
 0  2015-01-28 12:07:59

Base64,内容会更长一些,但是得到广泛支持,还有命令行工具可以对其进行解码。

解决方案5
 0  2015-01-28 12:09:40

I think it's safest to just assume that all data from the client is evil and add code on your server to validate and authorize where appropriate. 我认为,仅假设来自客户端的所有数据都是有害的,并在服务器上添加代码以在适当的地方进行验证和授权是最安全的。 You could encode your data and then decode it on the server, but JavaScript encoding/encryption is less useful than you might want. 您可以对数据进行编码,然后在服务器上对其进行解码,但是JavaScript编码/加密的作用不如您想要的有用。 The attacker could always just open the dev console in the browser, inspect your code, and run whichever encryption method you use on their new malicious data. 攻击者总是可以在浏览器中打开开发人员控制台,检查代码,然后对新的恶意数据使用您使用的任何加密方法。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 人类可读的时间javascript / jquery - human readable time javascript/jquery 如何使字符串人类可读? - How to make string human readable? 我怎样才能让我的数组成为 JavaScript 中*漂亮*人类可读的列表? - How can I get my array as a *nice* human readable list in JavaScript? 如何在javascript中将字节格式化为人类可读的文本? - How do I format bytes to human readable text in javascript? 如何使用JavaScript将人类可读的小时数转换为毫秒? - How do I convert human readable hours into milliseconds using javascript? Javascript / jQuery:如何使该AJAX请求运行得更快? - Javascript /jQuery: How can I make this AJAX request run faster? 如何获得人类可以理解的时间到JavaScript时间 - how to get a human readable time to javascript time 如何在Node.js中创建人类可读但机器不可读的文本? - How can I create text that is human readable but not machine readable in Node.js? 如何使用 JQUERY/AJAX 显示包含图片和文本数据的多个数据,这些数据作为对象或数组发送? - How can I show multiple data containing picture and text data with JQUERY/AJAX, which are sent as object or array? 如何将人类可读的数据转换为时间戳(使用JS)? - How to convert human readable data into a timestamp (with JS)?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM