
How do I prevent jQuery calls from console for my SignalR Chat?

I have a SignalR chat site that's meant for a school project (also uses C#). Theoretically, it is for trusted users, but as everyone will attest - never trust your users. This was proven to me as I sent out the link to a couple of my friends and they immediately tried to break it, ha ha.

I've sanitized all inputs properly now, but one thing that they were still able to do was to use the browser console tools to manually call the functions needed to send messages, etc..

Example: $.connection.chatHub.server.sendMessageToAll('FakeUser','FakeMsg',0);

I would like to prevent these types of actions. I recall a while back Facebook actually disabled the console window for "security" purposes. I even found several resources, which detail how this was done and attempts to further prevent console use once Chrome had fixed this.

However, none of these options work anymore and because browsers are constantly in flux, I'd rather not attempt to block at this level.

I was wondering if anyone on Stack knows of a better way to prevent these types of attacks? Is there a good way to check where the call is coming from? Does SignalR have a good method to prevent this? Ideas/Discussion would be surely welcome.

Trying to lock down the client like that might work reasonably well to prevent non-technical users from messing with your app, but it will do next to nothing against a knowledgeable and resourceful opponent. The circumstances under which such security measures make sense are rather limited, and certainly do not include any application that is accessible to everyone from the internet.

The only safe approach is well-known and very simple: the server does not trust the client for anything. It doesn't then matter what the client attempts to do as the server will refuse all actions it does not deem valid.

In your example, the server would assign a randomized opaque connection id to each session. The client would only be able to convince the server to do anything if they sent a valid id as part of their request; then, the server would not need to trust the client for a username because it would already know what connection each user has logged in from and could produce the username when given the id.
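The server-side approach described in the answer, as an added example that is not part of the question or answer above. It assumes ASP.NET SignalR 2 (the `$.connection.chatHub` client shape from the question), that the site already authenticates users so `Context.User.Identity.Name` is populated, and that the client-side callback is named `addMessage`; the hub name and the 500-character message limit are also assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;

// Added example (not the question's code). Assumes ASP.NET SignalR 2 and an
// authenticated site so that Context.User.Identity.Name is available.
[Authorize]
[HubName("chatHub")]
public class ChatHub : Hub
{
    // Server-side map from connection id to username. SignalR generates the
    // connection id per connection; the client never chooses it, and the
    // client never tells the server who it is.
    private static readonly ConcurrentDictionary<string, string> Users =
        new ConcurrentDictionary<string, string>();

    public override Task OnConnected()
    {
        // Record which authenticated user this connection belongs to.
        Users[Context.ConnectionId] = Context.User.Identity.Name;
        return base.OnConnected();
    }

    public override Task OnDisconnected(bool stopCalled)
    {
        string removed;
        Users.TryRemove(Context.ConnectionId, out removed);
        return base.OnDisconnected(stopCalled);
    }

    // The client supplies only the message text. Username and timestamp are
    // produced by the server, so a console call such as
    // sendMessageToAll('FakeUser','FakeMsg',0) cannot impersonate anyone:
    // the extra arguments do not match this signature and are rejected by
    // SignalR, and even a correctly shaped call is attributed to the
    // connection's real user.
    public void SendMessageToAll(string message)
    {
        string user;
        if (!Users.TryGetValue(Context.ConnectionId, out user))
        {
            // Unknown connection: refuse rather than trust anything it sent.
            return;
        }

        // Server-side validation of the one value the client does control.
        if (string.IsNullOrWhiteSpace(message) || message.Length > 500)
        {
            return;
        }

        // Broadcast with server-known identity and server-generated time.
        Clients.All.addMessage(user, message, DateTime.UtcNow);
    }
}
```

With this hub the matching client call is simply `$.connection.chatHub.server.sendMessageToAll('hello')`; the username and timestamp arguments disappear from the client API entirely, so there is nothing left in the console for a user to forge. Input sanitizing still belongs on the server (and output encoding on the client), but the point of the answer is that identity and ordering are never accepted from the browser in the first place.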
