07-Do not trust the client

Source: Internet
Author: User

Client authentication is not a substitute for server-side validation

• Example: the withdrawal amount cannot exceed 100 yuan.
• Client:
  <form onsubmit="if (parseInt(document.getElementById('TextBox1').value) > 100) { alert('up to 100 yuan withdrawals'); return false; }">
  A user can send an HTTP request directly to the server (for example, by constructing the query string in the address bar) and bypass the browser-side check entirely, so the client check alone stops nothing.
• The client-side check exists for a good user experience; the server-side check is the last line of defence and is what actually blocks malicious requests. Neither can be omitted. jQuery Validator on the client plus a server-side check is a good development model.

Remember, the data can be changed.

• Something the client merely hides rather than displays is not necessarily secure. Do not trust the data the user submits. For example, some records may be deleted and some may not; if the page only hides the delete control for the undeletable records while the record ID is still passed as a parameter, a request can still name a protected record's ID, and the server will act on it unless it checks the rule itself. Example.
• HTTP message fields such as User-Agent, Referer and cookies can all be forged; do not trust data that could be falsified.
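The two points above (the withdrawal limit and the hidden delete control), as an added example that is not part of the original notes: a language-neutral Python illustration of the server-side checks, not ASP.NET code. The form field name TextBox1 comes from the notes; the record store, owner names and the "locked" rule are constructed for the example.

```python
# Added example: the server re-validates what the client "already checked".
# A hand-crafted request can skip the form's onsubmit entirely, so the server
# must parse, bound and authorize every value itself.

MAX_WITHDRAWAL_YUAN = 100  # same limit as the client-side onsubmit check


def validate_withdrawal(form: dict) -> tuple[bool, str]:
    """Server-side counterpart of the client check.
    Returns (ok, message) and never assumes the browser check ran."""
    raw = form.get("TextBox1", "")
    try:
        amount = int(raw)  # rejects "", "100abc", "1e3" that parseInt would accept
    except ValueError:
        return False, "amount must be an integer"
    if amount <= 0:
        return False, "amount must be positive"
    if amount > MAX_WITHDRAWAL_YUAN:
        return False, f"up to {MAX_WITHDRAWAL_YUAN} yuan withdrawals"
    return True, "ok"


def authorize_delete(record_id: str, current_user: str, records: dict) -> tuple[bool, str]:
    """The hidden-delete-control case: the server decides by ownership and by
    the 'cannot be deleted' rule, not by whether the page showed a button."""
    rec = records.get(record_id)
    if rec is None:
        return False, "no such record"
    if rec["owner"] != current_user:
        return False, "not your record"
    if rec["locked"]:
        return False, "record cannot be deleted"
    return True, "ok"


# Constructed sample data: record "2" is one the UI would hide the delete control for.
RECORDS = {
    "1": {"owner": "alice", "locked": False},
    "2": {"owner": "alice", "locked": True},
    "3": {"owner": "bob", "locked": False},
}

if __name__ == "__main__":
    print(validate_withdrawal({"TextBox1": "50"}))     # normal browser submission
    print(validate_withdrawal({"TextBox1": "5000"}))   # value the client would have refused
    print(authorize_delete("2", "alice", RECORDS))     # ID of a record the UI hid
```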

ValidateRequest
• ASP.NET 4.0 validates request data by default, including in ASHX handlers: if the data contains characters such as < or > that could carry an XSS attack, it raises an error. For systems such as a CMS that genuinely need to submit HTML content, this can be turned off by modifying Web.config (adding the setting under the <system.web> node) and adding ValidateRequest="false" to the page directive at the top of the page.
• Such a function should only be opened to trusted people such as the site editors and system administrators; it must not be opened to ordinary users. Why? What is XSS? Experiment with XSS (cross-site scripting) on the previously developed message-board project:
  Exploit 1: a message-board post that pretends to give away prizes.
  Exploit 2: collecting account numbers and passwords.

Use of CKEditor

• Put the CKEditor files under js/ckeditor, leaving out _samples, _source, *.php and *.asp.
• Reference ckeditor.js in the page. Place a textarea where the editor should appear, then call CKEDITOR.replace('TEXTAREA1') either in the page onload or in a script after the textarea.
• Principle?
