Security issues in Web development

Many things in web development are judged by the previous paragraph, such as the common mailbox phone number, the front end is not a correct format, when you click submit prompt you to fill the wrong format, and then do not request back-end PHP, until you fill in the correct format. This can actually modify JS or simply use the Python inside the HTTP request library such as requests directly request the interface, then you can successfully submit the wrong things to the backend and then stored in the database, then this is not very good.

If the system is not important, use a few people, you can reluctantly let this point.

But some very important systems, especially those involving the interface of money, the backend must also be done to verify. Otherwise, some people use loopholes to break the rules, resulting in money loss and errors.

For example, the following is a change in the cost of the waybill, the business requirements of the system is in the waybill created but not yet dispatched this time, this fee can be modified, if the shipment is a scheduled state, it is not allowed to modify the cost.

System implementation This is the front-end in accordance with the return of PHP, to determine the status of a waybill is scheduled state, with JS to the input box is set to Disabled, at this time is commonly used browser is this input box input can not anything, but if you know the point of the front, you may use F12 to locate the element, Remove the disabled so that you can revise the cost.

Or use the browser to click Save this button to grab a bag, with requests in accordance with the interface and parameters to grab the PHP interface, you can change the cost of related fields to other, so that you can bypass the front-end restrictions on you.

Grab the bag is a base64 format, it is easy to see features to be a base64. The captured base64 decoding can see a clear text json, the JSON to modify the number after the Base64 encryption, and then request the interface can be successfully modified fees.

Grab the package to get the parameters:

Eyjvcezyb20ioiixiiwidxnlck5hbwuioijhzg1pbiisinbzzf92ijoimyisinn1chbsawvyq29tcgfuesi6ijuxiiwichjlzgljdefycml2zurhdguioiiym de2ltewltiwiiwizhjpdmvysuqioiizmiisinzlagljbgvjrci6ije0iiwizglzcgf0y2hotyi6iuiwg+w6puwpt+w+iomvv+w+iow+iomvv+ Eahgfhywexmtexmteilcjkaxnwyxrjaenoyxjnzxmioii1ljawiiwicgfja0noyxjnzxmioiiwljawiiwiagfuzgxpbmddagfyz2vzijoimi4ymiisimzvcmt Sawz0q2hhcmdlcyi6ijaumdailcjvdghlcknoyxjnzxmioii0ljq0iiwic2v0dgxlvhlwzsi6ijmilcjzzxr0bgvtdgf0dxmioiiwiiwizglzcgf0y2hub3rh Benoyxjnzxmioiixms42niisinbhawreaxnwyxrjafrvdgfsq2hhcmdlcyi6ijyunjyilcjyzwnlaxzhymxls2lja2jhy2sioii5ljk5iiwicgfpzetpy2tiy Wnrijoioc4wmcisinnldhrszxiioiixiiwicmvtyxjrijoi5ash5roo5lil5zoiiiwibwv0ag9kijoibw9kawz5x2rpc3bhdgnoiiwid2f5ymlsbeleijoimt EyOSJ9

Base64 the parameters obtained after decoding (assuming value):

{"Opfrom": "1", "UserName": "admin", "Psd_v": "3", "Suppliercompany": "Wuyi", "predictarrivedate": "2016-10-20", "DriverID ":", "Vehicleid": "+", "Dispatchno": "The dispatch number is very long and very long aaaa111111", "Dispatchcharges": "5.00", "Packcharges": "0.00", " Handlingcharges ":" 2.22 "," Forkliftcharges ":" 0.00 "," Othercharges ":" 4.44 "," Settletype ":" 3 "," Settlestatus ":" 0 "," Dispatchtotalcharges ":" 11.66 "," paiddispatchtotalcharges ":" 6.66 "," Receivablekickback ":" 9.99 "," Paidkickback ":" 8.00 "," Settler ":" 1 "," remark ":" Notes Under Ha "," Method ":" Modify_dispatch "," Waybillid ":" 1129 "}

Python code

Import Requests,base64

Print Requests.psot (Url,data=base64.b64encode (value)). Content

Can see return Errcode 0, the description of success, and then go to the Web page to see the waybill, the results of the cost can also be seen to be modified.

This will result in errors at the end of the monthly statistical cost.

Security issues in Web development