Watch your portal: data transmission through the client and insecure hidden form fields
1. Simple description
Applications often send data to the server in a way that the end user is not expected to see or modify directly. In many cases developers give priority to getting the feature working and seldom consider whether the transmission mechanism they adopt actually guarantees that the data cannot be modified in transit.
Typically the server specifies a value, the client echoes it back in its output, and the value is finally passed back to the server, which most of the time simply processes it as a request parameter. For example, the name and price of a product such as the Huawei P7 mobile phone are obtained from the server and displayed to the user; after the user buys the phone, the name and price are sent back to the server.
2. Advantages
You do not need to track the data in the user's session, which reduces the state the server has to maintain and improves server throughput;
In large systems behind load balancers, any server can handle the request without session state, which reduces the pressure on the load-balancing devices;
It reduces the complexity of other components;
Other advantages...
3. Hidden form fields
Hidden form fields are a convenient way to pass data out to the client and back again. I first came across hidden fields many years ago, and they really are convenient to use.
They are a common mechanism that appears unmodifiable while transmitting data through the client. Because the field is hidden, the user does not see the data, until one day someone else opens your door...
Some shopping websites also do this, keeping the price of goods in hidden fields. This was common practice in the past; I'm not sure whether it has disappeared...
4. Source code of the hidden form field
Hide_price.jsp:

```jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
  <!-- The rest of the original page was cut off; the form below is reconstructed
       from the description above, and the action and price value are illustrative. -->
  <form action="buy.jsp" method="post">
    Huawei P7
    <input type="hidden" name="name" value="Huawei P7">
    <input type="hidden" name="price" value="2888">
    <input type="submit" value="Buy">
  </form>
</body>
</html>
```
5. Attacked
Although the price field is not displayed on the screen, and it looks as if the user cannot modify it, everything that ends up on the client is under the user's control, and the restriction is removed simply by editing the price value.
1. The simplest method: save the HTML source of the page, edit the value attribute of the price field, open the modified page in a browser and submit the purchase from it.
2. Intercept the request with a proxy sitting between the browser and the server and modify the data directly.
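Both attack paths above end in the same place: a POST whose price field the server trusts. The following Python, added here as an example and not code from the original post, models that server side. It contrasts a checkout that trusts the submitted price with two fixes that follow from the integrity requirement stated in section 1: binding the hidden field to a server-side HMAC so that any edit is detected, and, simpler and stronger, not transmitting the price at all and looking it up by product id. The catalog, the price 2888, the key and the helper names (`tamper`, `demo` and the checkout functions) are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample catalog: the authoritative prices live only on the server.
CATALOG = {"P7": {"name": "Huawei P7", "price": 2888}}

# Assumed server-side key for the MAC variant; it must never reach the client.
SECRET_KEY = b"server-only-key-rotate-me"


def render_hidden_fields(product_id: str) -> dict:
    """Vulnerable pattern from the post: the server emits the price as a hidden field."""
    item = CATALOG[product_id]
    return {"product": product_id, "price": str(item["price"])}


def tamper(fields: dict, **changes) -> str:
    """What the attacker does with a saved page or an intercepting proxy:
    change a hidden value, then submit the form body as the browser would."""
    return urlencode({**fields, **changes})


def vulnerable_checkout(body: str) -> int:
    """Charges whatever price the client posted back."""
    form = parse_qs(body)
    return int(form["price"][0])


def _mac(product_id: str, price: str) -> str:
    msg = f"{product_id}|{price}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def render_signed_fields(product_id: str) -> dict:
    """Fix 1: keep the hidden field but bind product and price to a server MAC."""
    fields = render_hidden_fields(product_id)
    fields["sig"] = _mac(fields["product"], fields["price"])
    return fields


def signed_checkout(body: str) -> int:
    """Recomputes the MAC; any edit to product or price fails verification."""
    form = parse_qs(body)
    product = form.get("product", [""])[0]
    price = form.get("price", [""])[0]
    sig = form.get("sig", [""])[0]
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(sig.encode(), _mac(product, price).encode()):
        raise ValueError("hidden field tampered")
    return int(price)


def safe_checkout(body: str) -> int:
    """Fix 2: never read the price from the client; look it up by product id."""
    form = parse_qs(body)
    return CATALOG[form["product"][0]]["price"]


def demo() -> dict:
    honest = urlencode(render_hidden_fields("P7"))
    forged = tamper(render_hidden_fields("P7"), price="1")
    forged_signed = tamper(render_signed_fields("P7"), price="1")
    result = {
        "vulnerable_honest": vulnerable_checkout(honest),
        "vulnerable_forged": vulnerable_checkout(forged),  # attacker pays 1
        "safe_forged": safe_checkout(forged),              # posted price ignored
        "signed_honest": signed_checkout(urlencode(render_signed_fields("P7"))),
    }
    try:
        signed_checkout(forged_signed)
        result["signed_forged"] = "accepted"
    except ValueError:
        result["signed_forged"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The MAC variant only proves that the server once emitted that product/price pair; a client that saved a form before a price increase can replay the old signed price unless the MAC also covers an expiry or a session identifier. The lookup variant has no such window, which is why the usual advice is to transmit only an identifier through the client and keep anything that affects money or authorization on the server.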