
Is there a way to send Websocket messages through browser console? (SECURITY question)

First of all, I am quite new to WebSockets (Socket.io), therefore I have a security-type question.

Is there a way that someone can send a message to my WebSocket server through the browser developer console?

To me, this question matters a lot for the security of my website. If a client can write JavaScript code in his browser console and send a successful WebSocket message, I will have to change a lot of the code I have already written.

In AJAX, you can create an XMLHttpRequest object and send it without any problem if you know which URL it should point at. Example:

    // Build a plain POST request from the console; any script running in the
    // page (including one typed into the dev tools) can do this.
    var request = new XMLHttpRequest(),
        url = 'url_of_.php_file',
        data = 'somedata=123';

    request.onreadystatechange = function() {
        // readyState 4 = DONE, status 200 = OK
        if (this.readyState == 4 && this.status == 200) {
            console.log("The request and response was successful!");
        }
    };

    request.open('POST', url, true);
    request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded; charset=UTF-8');
    request.send(data);

If a client does something like this on my website, will he be able to send a message through my WebSocket without my permission? (If my idea is wrong, please write legit code for doing so.)

.......socket implementation.........

    mywebsocket.emit('send_money','230.000');

Is there a way to send Websocket messages through browser console?

Absolutely. You can use the developer tools in almost any web browser to find the socket object and call its functions or modify it from the console. And this goes for any JavaScript object that exists locally in the client's browser.

Obfuscation can only be used to deter a less determined user from tampering with your client. It doesn't actually prevent the user from accessing those functions and variables.

If a client does something like this on my website, will he be able to send a message through my WebSocket without my permission?

Simply opening a websocket to the client is implicitly giving permission for the client to send anything to your server. So,

Never trust the client.

If you are allowing the client to determine anything of importance locally, you should assume that a savvy opponent will abuse or circumvent that client-side decision. Such as in your example, they could send more money than they actually have, or maybe even negative money!

Your server needs to be capable of handling any data that comes in on that connection, from incoherent garbage to attempted exploits. So always validate that messages sent from the clients are legal using server-side logic. This is the only place where it makes sense to implement your rules or permissions, since everything in the client code is open to tampering.
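As an added example (not code from the original post or answer), here is what "validate on the server" looks like for the `send_money` event from the question. The ledger, the `handleSendMoney`/`parseAmount` names and the `socket.data.userId` session field are assumptions for illustration; a real Socket.io app would attach the authenticated user at connect time and persist balances in a database.

```javascript
// Constructed sample ledger, in cents, keyed by authenticated user id (assumption).
const balances = new Map([["alice", 50000], ["bob", 2000]]);

// Parse the client-supplied amount. Only a positive decimal with at most two
// fractional digits is accepted; "-5", "1e9", "230.000", NaN, objects and
// strings with tricks all return null. Work in integer cents to avoid float drift.
function parseAmount(raw) {
  if (typeof raw !== "string" && typeof raw !== "number") return null;
  const s = String(raw);
  if (!/^\d{1,9}(\.\d{1,2})?$/.test(s)) return null;
  const cents = Math.round(Number(s) * 100);
  return cents > 0 && Number.isSafeInteger(cents) ? cents : null;
}

// The server-side decision. The sender comes from the session attached to the
// socket (socket.data.userId, assumed set during authentication), never from
// the message body, so a tampered client cannot spend from someone else's account.
function handleSendMoney(socket, payload) {
  const from = socket && socket.data && socket.data.userId;
  if (!from || !balances.has(from)) return { ok: false, error: "unauthenticated" };
  if (!payload || typeof payload !== "object") return { ok: false, error: "bad_payload" };
  const to = payload.to;
  if (typeof to !== "string" || !balances.has(to) || to === from) {
    return { ok: false, error: "bad_recipient" };
  }
  const cents = parseAmount(payload.amount);
  if (cents === null) return { ok: false, error: "bad_amount" };
  const have = balances.get(from);
  if (have < cents) return { ok: false, error: "insufficient_funds" };
  // Every check passed: apply the transfer on the server's copy of the data.
  balances.set(from, have - cents);
  balances.set(to, balances.get(to) + cents);
  return { ok: true, newBalanceCents: have - cents };
}

// Wiring into a Socket.io server (shown for context, not executed here):
// io.on("connection", (socket) => {
//   socket.on("send_money", (payload) => {
//     socket.emit("send_money_result", handleSendMoney(socket, payload));
//   });
// });
```

Whatever the browser console sends, the handler only moves money that the server itself knows the authenticated sender has.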
