如何防止javascript更改输入值
[英]How to prevent javascript from changing input value
问题描述
I have an array of hidden input boxes that carry especially sensitive data, and the form is submitted to a third party application on click of a button. 
我有一系列隐藏的输入框,其中包含特别敏感的数据,并且只需单击按钮即可将表单提交给第三方应用程序。
The values of these inputs are set server-side. 这些输入的值在服务器端设置。 The page that has these inputs is a confirmation page, and the user clicks the button to confirm the transaction and the data in the hidden input boxes is posted. 具有这些输入的页面是确认页面,用户单击该按钮以确认交易,并且发布隐藏输入框中的数据。
This is inherently very insecure, as anyone with half decent knowledge of javascript could load devtools and use javascript to change the values of the hidden inputs before submitting the data. 这本质上是非常不安全的,因为任何对javascript知识不足的人都可以在提交数据之前加载devtools并使用javascript来更改隐藏输入的值。 The page even conveniently has jQuery loaded! 该页面甚至可以方便地加载jQuery! Ha! 哈! (I tested this myself). (我自己测试过)。
This is running on a private application with a limited user set and hasn't been a problem so far, but the same architecture is now required on a more public space, and the security implications of shipping this would be a little scary. 这是在具有有限用户集的私有应用程序上运行,并且到目前为止还没有出现问题,但现在需要在更公共空间上使用相同的体系结构,并且运输它的安全隐患会有点可怕。
The solution would be to post the data server-side, but server-side posting does not work (at least not in a straightforward way) because of how the third party application is set up. 解决方案是发布数据服务器端,但由于第三方应用程序的设置方式,服务器端发布不起作用(至少不是以直接的方式)。 The alternative would be to somehow prevent javascript (and of course by extension jQuery) from changing the values in the input boxes. 另一种方法是以某种方式阻止javascript(当然还有扩展jQuery)来改变输入框中的值。
I was thinking of implementing (using setInterval) a loop that basically checked if the input values were the same as the original, and if not, changed it back, effectively preventing the values from being changed. 我正在考虑实现(使用setInterval)一个循环,它基本上检查输入值是否与原始值相同,如果没有,则将其更改回来,有效地防止值被更改。
Would my proposed method be easily beatable? 我提出的方法是否容易被击败? Perhaps there is a more elegant and simple way to stop javascript from editing those specific input values? 也许有一种更优雅,更简单的方法来阻止javascript编辑那些特定的输入值?
** EDITS **编辑
For anyone coming here along this path: 对于沿着这条道路来到这里的人:
After multiple considerations, and an inability to sign my data with keys from the third party application, I resorted to manually posting the data server-side from my application (a ruby on rails app). 经过多次考虑,并且无法使用来自第三方应用程序的密钥对我的数据进行签名之后,我尝试从我的应用程序(rails应用程序上的ruby)手动发布数据服务器端。
It may take some fiddling to get the right payment page to display after the posting happens, and I haven't tested it yet, but in theory this will be the way to make sure everything is submitted server side and the user never gets a chance to tamper with it. 发布后可能需要一些摆弄才能显示正确的付款页面,我还没有测试过,但理论上这将是确保一切都在服务器端提交并且用户永远不会有机会的方法篡改它。
For Ruby on Rails apps, there are some good insights at this question . 对于Ruby on Rails应用程序, 这个问题有一些很好的见解。
This answer also shows how to use the hacky autosubmitting form that I mentioned in the comments, but this may be prone to the same vulnerabilities as @dotnetom replied. 这个答案还说明了如何使用我在评论中提到的hacky自动提交表单,但这可能容易出现与@dotnetom回复相同的漏洞。 (See comments) (看评论)
Thanks again to everyone who contributed. 再次感谢所有贡献的人。
4 个解决方案
解决方案1
2 已采纳 2016-03-11 08:41:09
You solution based on the setInterval and other javascript functions will not work. 您基于setInterval和其他JavaScript函数的解决方案将无法正常工作。 Person with a dev tools can easily disable it from the console. 使用开发工具的人可以轻松地从控制台禁用它。 If there is no way to send these parameters from the server, the only option I see is to generate signature with some public key from all the parameters need to be sent. 如果无法从服务器发送这些参数,我看到的唯一选项是生成签名,其中包含需要发送的所有参数的一些公钥。 The third party application can validate this signature and check that parameters are genuine. 第三方应用程序可以验证此签名并检查参数是否为正版。
But again, it is not possible if you have no control over third party application.. 但同样,如果您无法控制第三方应用程序,则无法实现。
See an example from twitter: https://dev.twitter.com/oauth/overview/creating-signatures 请参阅twitter中的示例: https : //dev.twitter.com/oauth/overview/creating-signatures
解决方案2
1 2016-03-11 08:40:39
I was thinking of implementing (using setInterval) a loop that basically checked if the input values were the same as the original, and if not, changed it back, effectively preventing the values from being changed.
Attacker can easily overcome this by 攻击者可以很容易地克服这一点
- overriding the method which is doing this periodic checking. 覆盖正在执行此定期检查的方法。 Check this solution 检查此解决方案
- Setting up a browser extension which can change values after setInterval() has changed it 设置一个浏览器扩展,可以在setInterval()之后更改值
- Disable JS. 禁用JS。
Basically client-side validation is just to ensure that server-side call can be avoided to reduce network trips, it cannot be a final frontier to protect the integrity of your data . 基本上,客户端验证只是为了确保可以避免服务器端调用以减少网络跳闸, 它不能成为保护数据完整性的最终前沿 。 It can only be done on server-side, which is an environment user cannot manipulate. 它只能在服务器端完成,这是用户无法操作的环境。
解决方案3
1 2016-03-11 08:41:10
If someone wanted to change the value of those input fields, they could just disable JS (and in this way get around your checking algorithm) and update the input values inside the HTML. 如果有人想要更改这些输入字段的值,他们可以只禁用JS(以这种方式绕过您的检查算法)并更新HTML中的输入值。
This can quite easily be done with FireBug, for example. 例如,使用FireBug可以很容易地完成此操作。 No JS needed. 不需要JS。
If sensitive data is involved, there will probably be no way to get around server-side posting or at least server-side validation. 如果涉及敏感数据,则可能无法绕过服务器端发布或至少服务器端验证。
解决方案4
1 2016-07-02 21:59:47
I know this is an older post, but it piqued my interest because of related (but not the same) issues with javascript security. 我知道这是一个较旧的帖子,但它引起了我的兴趣,因为javascript安全性的相关(但不是相同)问题。
Just thinking about the logic of a solution for the OP, and assuming I understood correctly... 只考虑OP的解决方案的逻辑,并假设我理解正确...
The server sets the vals, the user confirms, and the confirm goes to a 3rd party. 服务器设置val,用户确认,并确认进入第三方。 The problem is that the vals could be edited before post to the 3rd party. 问题是可以在发布到第三方之前编辑val。
In which case, a possible workable solution would be; 在这种情况下,可能的解决方案是:
- Store the vals on the originating server with a unique ID 使用唯一ID将val存储在原始服务器上
- Send the confirmation back to the originating server for validation 将确认发送回原始服务器以进行验证
- Originating server forwards to the 3rd party if validation = true 如果validation = true,则原始服务器转发到第三方
In the event the 3rd party needs to send data back to the user, and it is not possible to let the server act as a go between, (which really it should) then you are a bit compromised. 如果第三方需要将数据发送回用户,并且不可能让服务器充当它之间(实际上它应该),那么你就会受到一些损害。
You can still send data back to originating server with an AJAX type true fale response to the user. 您仍然可以使用对用户的AJAX类型true fale响应将数据发送回原始服务器。
Obviously, a malicious user could intercept the AJAX response using javascript edits but, (assuming the 3rd party app is looking for some kind of user ID), you would flag that ID as invalid and alert the 3rd party app before the AJAX response is delivered to the user. 显然,恶意用户可以使用javascript编辑拦截AJAX响应,但是(假设第三方应用正在寻找某种用户ID),您会将该ID标记为无效并在发送AJAX响应之前提醒第三方应用给用户。
otoh, hidden input boxes asside, the bigger consideration should be manipulation of the client side javascript itself. otoh,隐藏输入框的帮助,更大的考虑应该是操纵客户端javascript本身。
One should have a validation wrapper for any sensitive functions or variables, to ensure those have not been modified. 对于任何敏感函数或变量,应该有一个验证包装器,以确保它们没有被修改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.