Billy Hoffman and Bryan Sullivan from SPI Dynamics gave one of the more entertaining talks today. The title is an allusion to peoples willingness to apply new technology before they fully understand it. Instead of laughing at silly web 2.0 developers they decided to build their own AJAXified website by consulting the resources that any programmer would: AJAX books, blogs, and forums. What they ended up with was hackervactations.com... a security hole riddled gem built on good intentions.
For their presentation they demonstrated how easily you could hammer on the site using something like Firebug. Any piece of code on the client side can't be trusted. You can throw in a break point anywhere and manipulate any variable. So if something like the ticket price is stored locally, you can modify it before it gets debited. We learned long ago not to do this in HTML forms, but it's the same problem all over again disguised by new technology.
Another common practice is dumping all of the functions into one common.js file. Find something like an admin function and you can call that from anywhere. You could also create a race condition. Say one function adds an item and updates the cart total; the other debits your account and ships the order. If you call the two functions with a slight offset you could interleave their actions: add an item to your cart, debit the 0 total from your account, update it with actual total, and ship the item.
Their last example involved trusting the client to do final data formatting. Using two GET requests they were able to dump the entire database. In a JSON object they could add as many SQL queries as they want without having to worry about matching the number of arguments like you would in standard injection.
There were a couple final thoughts: These problems stem from putting too much trust in the client. That doesn't bode well for offline technologies like Google Gears where everything has to be on the client or Silverlight which makes it difficult to know whether your code is going to the client or the server. Lastly, if you're worried about premature AJAX-ulation, abstinence may be the best solution.
转自: http://www.hackaday.com/2007/08/02/black-hat-2007-premature-ajax-ulation/
中文参考文档: http://tech.techweb.com.cn/redirect.php?tid=197737&goto=lastpost
分享到:
- 2007-08-19 12:56
- 浏览 1179
- 评论(0)
- 论坛回复 / 浏览 (0 / 1661)
- 查看更多
相关推荐
"SMART 200系列地址库:灵活配置的位读写系统",SMART 200 寻址-库 6个子 位:一个读,一个写 读:例如 读取从V0.0开始的第N个位的状态 写:例如 将值写入V0.0开始的第N个位中 起始地址和第几个位都可自定义 字节:读写一体,引脚控制读或写 字:读写一体,引脚控制读或写 双字:读写一体,引脚控制读或写 实数:读写一体,引脚控制读或写 ,核心关键词:SMART 200; 寻址-库; 子位; 读; 写; 起始地址; 自定义; 字节; 字; 双字; 实数。,"SMART 200库:位寻址与多读写功能"
1、文件内容:perl-ExtUtils-Manifest-1.61-244.el7.rpm以及相关依赖 2、文件形式:tar.gz压缩包 3、安装指令: #Step1、解压 tar -zxvf /mnt/data/output/perl-ExtUtils-Manifest-1.61-244.el7.tar.gz #Step2、进入解压后的目录,执行安装 sudo rpm -ivh *.rpm 4、安装指导:私信博主,全程指导安装
多水下航行器协同定位的MATLAB仿真:基于《Cooperative Localization for Autonomous Underwater Vehicles》的研究与实践,【7】MATLAB仿真 多水下航行器协同定位,有参考文档。 主要参考文档: 1. Cooperative Localization for Autonomous Underwater Vehicles,The International Journal of Robotics Research 主要供文档方法的学习 非全文复现。 ,MATLAB仿真; 多水下航行器协同定位; 参考文档; 自主水下航行器; 机器人学国际期刊; Cooperative Localization。,MATLAB仿真:多水下航行器协同定位研究参考国际期刊论文
基于大语言模型的多模态社交媒体信息流行度预测研究
1、文件内容:perl-Algorithm-Diff-1.1902-17.el7.rpm以及相关依赖 2、文件形式:tar.gz压缩包 3、安装指令: #Step1、解压 tar -zxvf /mnt/data/output/perl-Algorithm-Diff-1.1902-17.el7.tar.gz #Step2、进入解压后的目录,执行安装 sudo rpm -ivh *.rpm 4、安装指导:私信博主,全程指导安装
《基于分时电价下电动汽车多类型充放电调度策略优化及其经济与负荷曲线改善分析》,11-分时电价下电动汽车充放电调度策略优化-100% 摘要:代码主要做的是分时电价下电动汽车充放电策略的优化,电动汽车选取了四种典型的类型,包括比亚迪EV,尼桑EV,宝马mini以及三菱EV,四种类型电动汽车取若干辆,约束重点关注充放电约束、蓄电量约束、0-1启停约束等等,目标函数为经济效益最优,同时考虑负荷曲线的改善,并通过图展示其结果,具体看下图。 ,核心关键词: 分时电价; 电动汽车; 充放电策略优化; 类型; 约束; 经济效益; 负荷曲线改善; 图展示。,电价优化下电动汽车充放电调度策略研究
IMG_20250130_120659.jpg
该项目是一款基于JavaScript、TypeScript和微信小程序开发的火车票购票系统源码,包含1634个文件,涵盖395个JavaScript文件、293个TypeScript文件、271个JSON配置文件、240个WXML模板文件、232个WXSS样式文件、138个WXS脚本文件,并辅以22个PNG图片、19个Markdown文档和1个JPG图片。该系统旨在提供便捷的火车票购票服务。
驱动DHT11要学会看数据手册
《COMSOL模拟增强型地热开采采热井温度变化一年周期的瞬态分析》,comsol增强型地热开采 本模型采用达西定律接口、多孔介质传热接口、非等温管道流接口,采用瞬态求解器,求解采热井一年的温度变化 ,comsol; 增强型地热开采; 达西定律接口; 多孔介质传热接口; 非等温管道流接口; 瞬态求解器; 采热井温度变化,《COMSOL模型在地热开采中模拟采热井一年温度变化的研究》
0016-08-16122503-曾洋.zip
1.版本:matlab2014/2019a/2024a 2.附赠案例数据可直接运行matlab程序。 3.代码特点:参数化编程、参数可方便更改、代码编程思路清晰、注释明细。 4.适用对象:计算机,电子信息工程、数学等专业的大学生课程设计、期末大作业和毕业设计。
week01_lab_solutions.ipynb
免费JAVA毕业设计 2024成品源码+论文+录屏+启动教程 启动教程:https://www.bilibili.com/video/BV1SzbFe7EGZ 项目讲解视频:https://www.bilibili.com/video/BV1Tb421n72S 二次开发教程:https://www.bilibili.com/video/BV18i421i7Dx
Golang. KisFlow(Keep It Simple Flow).
免费JAVA毕业设计 2024成品源码+论文+录屏+启动教程 启动教程:https://www.bilibili.com/video/BV1SzbFe7EGZ 项目讲解视频:https://www.bilibili.com/video/BV1Tb421n72S 二次开发教程:https://www.bilibili.com/video/BV18i421i7Dx
1.版本:matlab2014/2019a/2024a 2.附赠案例数据可直接运行matlab程序。 3.代码特点:参数化编程、参数可方便更改、代码编程思路清晰、注释明细。 4.适用对象:计算机,电子信息工程、数学等专业的大学生课程设计、期末大作业和毕业设计。
1、文件内容:perl-B-Keywords-1.13-2.el7.rpm以及相关依赖 2、文件形式:tar.gz压缩包 3、安装指令: #Step1、解压 tar -zxvf /mnt/data/output/perl-B-Keywords-1.13-2.el7.tar.gz #Step2、进入解压后的目录,执行安装 sudo rpm -ivh *.rpm 4、安装指导:私信博主,全程指导安装
1、文件内容:perl-Net-DNS-Nameserver-0.72-6.el7.rpm以及相关依赖 2、文件形式:tar.gz压缩包 3、安装指令: #Step1、解压 tar -zxvf /mnt/data/output/perl-Net-DNS-Nameserver-0.72-6.el7.tar.gz #Step2、进入解压后的目录,执行安装 sudo rpm -ivh *.rpm 4、安装指导:私信博主,全程指导安装
基于Comsol模拟的近场金属探针激发表面等离子体激元(SPP)的研究,Comsol近场金属探针激发SPP。 ,Comsol; 近场金属探针; SPP; 激发。,"Comsol模拟激发金属探针的SPP现象"