Don't be optimistic about your portal's data transmission: client-side URL parameters are insecure

Source: Internet
Author: User

1. Simple description: applications generally send data to the server in a way that the end user cannot directly view or modify. In many cases developers give priority to the basic functionality and seldom consider whether the transmission mechanism they adopt ensures that the data cannot be modified in transit. On the Internet a large amount of data is transmitted through URL parameters, and most of it is not encrypted. As far as I have learned, most of it is carried in plaintext...

2. Advantages: you do not need to track the data in user sessions, which reduces the data maintained on the server and improves server processing performance. In large systems that use Server Load Balancer, it also reduces the pressure on the load-balancing device, reduces the complexity of other components, and makes development and joint debugging easier. Other advantages...

3. When URL parameters are passed while the user browses the product catalogue, the system usually assigns the user a URL similar to the following:

   http://127.0.0.1:8080/webStudy/url.jsp?price=2199&code=p7

   Of course, when a URL containing the parameters is displayed in the browser address bar, many people recognise that this looks unsafe. We also have to accept that there are still a few such cases. In many cases we do not want users to see the parameters directly, so other methods are used: for example, the system opens a pop-up window or hides the browser address bar, which is believed to be a highly secure approach. Some shopping websites have also kept the prices of goods in hidden fields. This was a common practice in the past; I am not sure whether it has disappeared...

4. Source code: url.jsp, which reads the data passed through the URL parameters

   <%@ page language="java" import="java.util.*,javax.servlet.http.*" pageEncoding="UTF-8" %>
   Login successful, welcome from <%= request.getRemoteAddr() %>.
   You have purchased a Huawei mobile phone; the model is <%= request.getParameter("code") %>, unit price <%= request.getParameter("price") %>.

   Enter: http://127.0.0.1:8080/webStudy/url.jsp?price=2199&code=p7

   Display: Login successful, welcome from 127.0.0.1. You have purchased a Huawei mobile phone; the model is p7, unit price 2199.

5. Although the price field is hidden from the screen, so that it seems the user cannot modify it, every final operation on the client side is under the user's control, and this restriction can be bypassed by editing the price:

   1. In the simplest case, right-click to obtain the hidden URL with its parameters, modify the parameter, and load it in the browser; the result changes. For example: http://127.0.0.1:8080/webStudy/url.jsp?price=122&code=p7
   2. Alternatively, intercept the request on its way to the server and modify the data directly.
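The following is an added example, not code from the original article: it contrasts the vulnerable pattern above (trusting a client-supplied price) with two server-side defences, looking the price up by product code and, where a value really must round-trip through the client, protecting it with an HMAC. The catalogue contents, the class name and the key are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class PriceCheck {
    // Constructed sample catalogue: the server-side source of truth for prices.
    private static final Map<String, Integer> CATALOGUE = Map.of("p7", 2199, "p8", 2599);

    // Hypothetical server-side secret; in production load it from a secret store.
    private static final byte[] KEY = "replace-with-server-secret".getBytes(StandardCharsets.UTF_8);

    /** Vulnerable pattern from the article: the price is read from the request and trusted. */
    static int vulnerablePrice(Map<String, String> params) {
        return Integer.parseInt(params.get("price")); // the client decides what it pays
    }

    /** Hardened: resolve the price from the product code; the client-supplied price is ignored. */
    static int serverPrice(Map<String, String> params) {
        Integer price = CATALOGUE.get(params.get("code"));
        if (price == null) {
            throw new IllegalArgumentException("unknown product code");
        }
        return price;
    }

    /** If a value must travel through the client, attach an HMAC so tampering is detectable. */
    static String sign(String code, int price) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal((code + "|" + price).getBytes(StandardCharsets.UTF_8));
        return java.util.HexFormat.of().formatHex(tag); // HexFormat requires Java 17+
    }

    /** Recompute the tag for the received values and compare in constant time. */
    static boolean verify(String code, int price, String tagHex) throws Exception {
        byte[] expected = java.util.HexFormat.of().parseHex(sign(code, price));
        byte[] given = java.util.HexFormat.of().parseHex(tagHex);
        return java.security.MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request with the tampered price from the article (price=122&code=p7).
        Map<String, String> tampered = Map.of("price", "122", "code", "p7");
        System.out.println("vulnerable charges: " + vulnerablePrice(tampered)); // 122
        System.out.println("hardened charges:   " + serverPrice(tampered));     // 2199
        String tag = sign("p7", 2199);
        System.out.println("signed tag verifies:   " + verify("p7", 2199, tag)); // true
        System.out.println("tampered tag verifies: " + verify("p7", 122, tag));  // false
    }
}
```

The signed-parameter variant only protects integrity: the value is still readable by the client, so anything confidential must stay server-side.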
