Watch your door.-Client data (10)-Unsafe HTML Disable element

The first thing to declare is that this article is purely an ignorant view of a little developer without foresight and knowledge, and is intended only for reference in Web system security.

1. Brief description

Continue to tell the story, one day the product manager planned a plan to engage in a promotion. A user can only use one egg coupon at a time.
The developer needs to make modifications and adjustments to the system.
Let's make up our minds, the traditional industry to engage in Internet e-commerce scene:
Product Manager: Quickly change, hurry up, get on with the activity
Operations Manager: Version upgrade, submit on-line evaluation report, Risk test Report, System test report, and you are responsible for leading signature documents ... ；
Developer A: Rely on, Lao Tzu from 9 to 9 o'clock in the morning, but also I have to write so many reports, let me think there is such a good way ...
Developer B: Limit on HTML forms, buy once and then disable;
Developer A: This is a good idea, as long as the modification of HTML, not version upgrade;
Development manager: Brothers, hurriedly develop;
... (Elements are disabled using HTML)
Testers: Test Well, a person can only use once the egg coupon, used up on the gray, I can no longer use, to achieve the goal.
Development Manager: Submit Online
...

2. Use HTML to disable elements

Using a later page, confirm that the purchase button is grayed out.

<%@ page language="java" import="java.util.*" pageencoding= "UTF-8"%><! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" ><html><head><title>Watch your door,-ah, classmate.</title></head><body>    <form Action="Ashopprice.action" method="POST" name="Form1 " ">Item: Egg coupon, can only be used once<br>You have used one<br>    <input type="Submit" value="Confirm Purchase" disabled=" True "/>     </form></body></html>

No matter how I point it, the button is grey.

3. Being attacked

Eh, accidentally, was attacked again ...
1, the simplest method, such as using Proxy server interception after modification, directly let Disabled=false or remove this attribute;
2, for example, we keep this page down, with the review element function found: Disabled=true Modify the element attributes, remove the code, so that validation is invalid, and then more than a few eggs coupons to play it.

4. Thinking about the elements on HTML disable

1, the element is disabled as if the current use is not many, but as long as the server to take the same or even more stringent confirmation mechanism, this application is more difficult to attack;
2, because the user input can bring a variety of problems, this method can be the user inadvertently filter out, can reduce network traffic and server burden, so this method is used or used.

Watch your door.-Client data (10)-Unsafe HTML Disable element