stackoom
  简体   繁体   中英

Can a malicious user on a web application manipulate the inputs (beside the form data) that is sent by the front-end of web application?

 原文  2011-03-02 13:08:52       java/ php/ security/ browser

Question

Are there any possible ways by which a malicious user on a web application can manipulate the input that is sent by the front-end of web application (not talking about the FORM DATA, of course) but the requests that are sent like for eg, when I allow him to edit his profile or his content, he may manipulate the IDs (userId or the contentId) so that he may maliciously do evil with other users content? These inputs are fixed on a webpage & are not editable but still can the users manipulate them?

Is it possible that users may do harm in this manner? How can I safeguard my application against this? Besides, verifying user's identity and his contents/properties on the application prior to allowing each of his actions.

2 answers

solution1
 8 ACCPTED  2011-03-02 13:10:39

Yes of course. Anything that comes from the client can be modified and cannot be trusted at all .

You need to do server-side checks if the user is editing his own profile or something he's allowed to edit.

For things like editing the profile you could simply use the userid stored in his session though (assuming it's secure, ie stored server-side or in cryptographically signed cookies). Only let data go through the client if it's necessary - if the data is already available on the server, you don't even have to give the user the feeling that he might be able to tamper with it. Even though it could be used as a honey-pot - but that's not really the purpose of most webapps...

solution2
 2  2011-03-02 13:11:35

Yes, it is possible and it is a real danger.

There are two things you can do:

  1. Implement an access control / permission system which controls which data records a user can access or modify.
  2. Store information that is none of their business in a session object on the server.

(By the way, these are not exclusive options, ideally you should do both.)

Both solutions still leave you prone to session hijacking though, which is a different, more global problem.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question In a Spring Web MVC application - how do we break up the architecture into Front-end & Back-end? Build a front-end web how to implement pagination front-end in spring boot web application using jsp PHP front-end and Java back-end for a web app? Advice on using one application as a front-end for logging into another application Realtime data replication from DataBase to front end in java based web application Building a new Application: Java jax-rs ee6 restful web service with a html5 front-end using backbone.js How do Java REST calls relate to the front end of a Web Application? Front-End Testing using Selenium WebDriver in Spring MVC Application How to allow interaction between Java application and user front Web interface
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM