简体繁体 English

在 jQuery ajax 请求中保护和/或加密（隐藏）POST 变量

[英]Securing and/or encrypting (hiding) POST variables in a jQuery ajax request

原文 2011-03-16 14:53:48 5 6 php/ javascript/ jquery/ security

I have an invite form on a web application I am working on.我正在处理的 Web 应用程序上有一个邀请表。 This invite form requires the user to select an email account and then enter a username and a password.此邀请表要求用户选择一个电子邮件帐户，然后输入用户名和密码。 These details are sent as POST variables via an ajax request using jQuery.这些详细信息通过使用 jQuery 的 ajax 请求作为 POST 变量发送。 The problem is that I can see the entered password (as well as other POST variables) in plain text using mozilla plugin FireBug.问题是我可以使用 mozilla 插件 FireBug 以纯文本形式查看输入的密码（以及其他 POST 变量）。

I believe being able to see the password in plain text (in Firebug) is not ideal.我相信能够以纯文本形式（在 Firebug 中）看到密码并不理想。 Is there anyway I can prevent this?无论如何我可以防止这种情况吗？ I tried making the ajax call FROM a page served over HTTPS and made the request over HTTPS as well but I can still see all the POST variables in plain text in Firebug.我尝试从通过 HTTPS 提供服务的页面进行 ajax 调用，并通过 HTTPS 发出请求，但我仍然可以在 Firebug 中以纯文本形式看到所有 POST 变量。

Is there some way I could encrypt these variables client-side and then decrypt them on the server-side?有什么方法可以在客户端加密这些变量，然后在服务器端解密它们？ Or is there some other solution?或者有其他解决方案吗？

6 个解决方案

If you're using HTTPS, there's no need to worry (as long as HTTPS is properly setup, but this isn't relevant to this question).如果您使用的是 HTTPS，则无需担心（只要正确设置了 HTTPS，但这与此问题无关）。

You can see the values in Firebug because Firebug can see the headers sent by your browser, but no one except the browser can read these data.您可以在 Firebug 中看到这些值，因为 Firebug 可以看到您的浏览器发送的标头，但除了浏览器之外没有人可以读取这些数据。

Actually, you can't hide the value from Firebug, because the browser has to know what to send and Firebug can access everything your browser can .实际上，您无法对 Firebug 隐藏该值，因为浏览器必须知道要发送什么，而Firebug 可以访问浏览器所能访问的所有内容。

You will always be able to see all of your variables in Firebug.您将始终能够在 Firebug 中看到所有变量。 It only means that anyone would only see his own password if he uses Firebug so it is not a vulnerability.这仅意味着任何人只有在使用 Firebug 时才能看到他自己的密码，因此这不是漏洞。

Don't reinvent the TLS/SSL.不要重新发明 TLS/SSL。 Just use HTTPS and it will do just that: encrypt these variables client-side and then decrypt them on the server-side.只需使用 HTTPS，它就会做到这一点：在客户端加密这些变量，然后在服务器端解密它们。

May be this page will help: http://www.jcryption.org可能这个页面会有所帮助： http : //www.jcryption.org

This library allow to encrypt the data & send using ajax get/post, as variables are encrypted, it very hard to guess the data.该库允许使用 ajax get/post 加密数据并发送，因为变量是加密的，所以很难猜测数据。

Library use public/private key concept with openssl.图书馆在 openssl 中使用公钥/私钥概念。

I hope this will be helpful for someone我希望这对某人有帮助

You are using Firebug at client side for testing and if you are using HTTPS to send post data so that will be in encrypted form while sending to the server so you don't have to worry there isn't possibility of middle-man sniffing attack to retrive the password in plain text if you are using HTTPS.您在客户端使用 Firebug 进行测试，并且如果您使用 HTTPS 发送发布数据，以便在发送到服务器时以加密形式发送数据，因此您不必担心中间人嗅探攻击的可能性如果您使用 HTTPS，则以纯文本形式检索密码。

You can see the password field in firebug because its on client side browser and all the data are visible to you as a developer.您可以在 firebug 中看到密码字段，因为它在客户端浏览器中，并且作为开发人员，您可以看到所有数据。

Your variables are encrypted for a tool or software which behaves like as man-in-the-middle.您的变量已针对行为类似于中间人的工具或软件进行了加密。 Your browser or browser plugin like firebug or google chromes network request and response monitoring panel doesn't behaves as man-in-the-middle.您的浏览器或浏览器插件（如 firebug 或 google chromes 网络请求和响应监控面板）的行为与中间人不同。 Rather they are valid client who has the key to decrypt response from server or encrypt the data before sending to server.相反，它们是有效的客户端，拥有解密来自服务器的响应或在发送到服务器之前加密数据的密钥。

If you wish to test whether your data are encrypted or not you can use a tool like fiddler or charles as web debugging proxy.如果你想测试你的数据是否被加密，你可以使用像 fiddler 或 charles 这样的工具作为网络调试代理。 Through these tools you can easily see the data going to the https server and response from the server is encrypted.通过这些工具，您可以轻松查看到 https 服务器的数据，并且来自服务器的响应已加密。

I prefer using jsencrypt :我更喜欢使用jsencrypt ：

You can Encrypt all input fields & post data before send Ajax using public key.您可以在使用公钥发送 Ajax之前加密所有输入字段并发布数据。 Then Decrypt it server-side with private key.然后用私钥在服务器端解密它。

Note :To improve security it's better to sign(using jsencrypt) the Hashed content(using ex: cryptojs ) to achieve Better security.注意：为了提高安全性，最好签署（使用 jsencrypt）散列内容（使用 ex: cryptojs ）以实现更好的安全性。

Hope to be helpful,希望有所帮助，