堆栈内存溢出
  简体   繁体   English

如何防止修改AJAX请求

[英]How to prevent modifying AJAX request

 原文  2018-01-03 22:42:17       javascript/ ajax/ security

问题描述

Does anybody have any idea how to prevent AJAX request hijacking / modifying? 有谁知道如何防止AJAX请求劫持/修改?

As javascript is public in website source, is it possible to manipulate the sent data, fi ?. 由于javascript在网站源代码中是公开的,因此可以操纵发送的数据fi吗? 

$.ajax({
    url: endpoint/url,
    data: {
        id: 523658,
        fragile_data: 'it should stay constant'
    }
});

2 个解决方案

解决方案1
 3  2018-01-03 23:02:30

Since you have no control over the client side, never trust the client side . 由于您无法控制客户端,因此请不要信任客户端
All you can (and have to) do is to validate data on the server side and probably to authenticate users. 您所能(且必须要做的)是在服务器端验证数据并可能对用户进行身份验证。

解决方案2
 0  2018-01-04 09:54:55

There isn't a way 没有办法

As part of standard security principle, you should always assume that any information coming from the client cannot be trusted. 作为标准安全性原则的一部分,您应始终假定来自客户端的任何信息均不可信任。 It must first be passed through a filter and checked to make sure it meets a certain specification. 它必须首先通过过滤器并进行检查,以确保它符合特定的规范。 For example, if you ask for an email address and password, you should always encode the field before sending and then check the field server-side to be sure it actually meets an email address syntax. 例如,如果您要求提供电子邮件地址和密码,则应始终在发送之前对字段进行编码,然后检查字段服务器端以确保它实际上符合电子邮件地址语法。 You should also trim it of any extra characters so that you don't fall victim to one of the classic blunders such as 您还应该修剪掉所有多余的字符,以免成为经典错误之一的受害者,例如 

test.user@email.com"; DROP TABLE Users; --

The same applies to AJAX requests. 这同样适用于AJAX请求。 Always sanitise your inputs and always check that any IDs coming back are legitimate (and possible match to a lookup item if they are supposed to). 始终清理您的输入,并始终检查返回的所有ID是否合法(如果可以的话,还可以与查找项匹配)。

If you are short on time , there are a bunch of external plugins or frameworks you can get that are free and open source to help prevent attacks on fields such as client-side validators (make sure an email is in a field before it's submitted etc.) as well as checking items server-side to prevent against XSS and SQLi attacks and the likes of. 如果时间不多,您可以获取大量免费且开源的外部插件或框架,以帮助防止对客户端验证程序等字段的攻击(确保电子邮件在提交之前已在字段中,等等) 。)以及检查服务器端的项目,以防止XSS和SQLi攻击等。 These plugins won't be perfect, but they'll do a large portion of the work for you and allow you to speed up the process a little 这些插件并不是完美的,但是它们会为您完成大部分工作,并允许您稍微加快速度

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何防止多个Ajax请求? - How to prevent Multiple Ajax request? 另一个ajax请求正在处理时如何防止发送ajax请求? - how to prevent to send ajax request while another ajax request is processing? 修改Geonames的JSON Ajax请求 - Modifying JSON Ajax Request for Geonames 如何防止php中的两个单独的Ajax调用修改同一数据库 - how to prevent two separate ajax calls in php from modifying the same database 在请求期间修改jQuery $ .ajax()成功方法 - Modifying jQuery $.ajax() success method during request 修改jQuery ajax请求连接头 - Modifying jQuery ajax request Connection header 如何使用此ajax请求防止数据丢失 - How to prevent data from being lost with this ajax request 如何防止 ajax 请求在 iphone 上被取消? - How to prevent ajax request from being canceled on iphone? 发出Ajax请求时如何防止用户与页面交互 - How to prevent user from interacting with the page when making an ajax request 如何防止加载此ajax请求中的所有数据? - How to prevent to load load all data in this ajax request?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM