
Angular 6 - HTTP response / variable tampering

I developed an application using the MEAN stack, where a user can sign up and log in. When a user returns to the application after some time, I can recognize him using Express Session, but I want him to confirm his identity by typing the password (or a PIN) before giving access to the application.

So I make an HTTP call to an API (passing the password or PIN) that will either return true or false to allow access to that page.

  • Is it possible that someone intercepts the HTTP call (e.g. via DevTools), intercepts the returned value and edits it, effectively bypassing the security check?
  • Or even intercepts the router variable and forces a navigation to a specific page (not available otherwise)?
  • Does Angular have built-in security to prevent this, or do I have to implement it myself (in this case, what is the best practice)?

Thank you so much!

EDIT: As @bsheps pointed out, implementing AuthGuard solved the second point, about manually modifying routes to access reserved pages.
I still have to find an answer about the first point. Even when calling an HTTPS endpoint, can someone debug the code and the network requests to edit the response received from the server?

  • About HTTP security:

HTTP is written in plaintext and not secure. If someone intercepts your communication (man-in-the-middle attack), they can read your password/PIN in plaintext. Additionally, they could also edit it since it is plaintext. For this reason passwords should be sent via HTTPS.

  • About Angular router security:

It is possible to manipulate the routes in the URL. To combat this, you can set up an AuthGuard for your application that will verify the login before directing to specific pages.

Here is a straightforward example to get you started: https://alligator.io/angular/route-guards/

Hope this helps!
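As an added example (not from the question or the answer above), here is a server-side model of the PIN re-confirmation flow the question describes. It assumes an in-memory object standing in for the express-session record and a hypothetical user store; the names `confirmPin`, `authorizeProtected` and `tamperedClientDemo` are invented for the illustration. The point it shows is that the true/false the browser receives is only a message: the authorization state is kept in the server session, so editing the reply in DevTools does not change what the server allows.

```typescript
import { scryptSync, timingSafeEqual, randomBytes } from "crypto";

// Server-side session record, modelled after what express-session stores (constructed).
interface Session {
  userId: string;
  pinConfirmedAt?: number; // set only by the server after a successful PIN check
}

// Hypothetical user store: the PIN is kept as a salted scrypt hash, never in plaintext.
const users = new Map<string, { salt: Buffer; pinHash: Buffer }>();

function registerPin(userId: string, pin: string): void {
  const salt = randomBytes(16);
  users.set(userId, { salt, pinHash: scryptSync(pin, salt, 32) });
}

// Handler for the confirm-PIN API call. The client only learns true/false; the
// authorization state lives in the server-side session, not in that reply.
function confirmPin(session: Session, pin: string, now: number): boolean {
  const user = users.get(session.userId);
  if (!user) return false;
  const candidate = scryptSync(pin, user.salt, 32);
  if (!timingSafeEqual(candidate, user.pinHash)) return false; // constant-time compare
  session.pinConfirmedAt = now;
  return true;
}

const CONFIRM_WINDOW_MS = 10 * 60 * 1000; // re-confirmation is valid for 10 minutes

// Check applied to every protected API route. It decides from server state alone,
// so a client that edited the earlier true/false reply gains nothing.
function authorizeProtected(session: Session, now: number): number {
  const at = session.pinConfirmedAt;
  if (at === undefined || now - at > CONFIRM_WINDOW_MS) return 403;
  return 200;
}

// Demonstration: the client's copy of the answer is tampered with, the server's state is not.
function tamperedClientDemo(): { clientClaims: boolean; serverStatus: number } {
  registerPin("alice", "4821"); // constructed sample user
  const session: Session = { userId: "alice" };
  const now = Date.now();
  let allowed = confirmPin(session, "0000", now); // wrong PIN: server returns false
  allowed = true; // DevTools-style edit of the value the browser holds
  return { clientClaims: allowed, serverStatus: authorizeProtected(session, now) };
}
```

The same idea applies to the Angular guard: `canActivate` only controls navigation in the browser, so every API behind a protected page still needs this server-side check.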
