Hackers Love Mass Assignment
When several attributes are assigned in one step (mass assignment), attackers like to exploit that feature:
For example, the parameters of a submitted form are taken as-is and assigned to each attribute of an object. An attacker can then reproduce the form submission with a curl command and add values for sensitive attributes that the form never exposes, such as admin=true. The attacker ends up with administrator rights and can do damage to the site.
The fix is to mark the sensitive attributes with one directive:
attr_protected :admin
But this only protects the attributes you remember to list (a blacklist); a better approach is probably
attr_accessible :name
which guarantees that mass assignment from a form can only set that one attribute (a whitelist).
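The following is an added example, not code from the original post or from Rails itself: a plain Ruby model (no ActiveRecord) that reproduces the three situations above. The class names, the forged parameter hash and the extra `role` attribute are constructed for illustration; the attacker-controlled hash stands in for what Rails would hand the model as params[:user].

```ruby
# Constructed request parameters, as a forged form submission (e.g. via curl)
# would deliver them. The real form only has "name" and "email" fields;
# "admin" and "role" were added by the attacker.
FORGED_PARAMS = {
  "name"  => "mallory",
  "email" => "mallory@example.invalid",
  "admin" => "true",
  "role"  => "owner"
}.freeze

# 1. Unrestricted mass assignment: every submitted key that matches a
#    setter is assigned. The attacker's "admin" value goes straight in.
class UnsafeUser
  attr_accessor :name, :email, :admin, :role

  def initialize(params = {})
    @admin = false
    @role  = "member"
    params.each { |k, v| send("#{k}=", v) if respond_to?("#{k}=") }
  end
end

# 2. Blacklist (the attr_protected idea): only the listed attributes are
#    blocked. "admin" is safe, but "role", added later and never put on the
#    list, is still writable from the form.
class BlacklistUser
  attr_accessor :name, :email, :role
  attr_reader :admin

  PROTECTED = [:admin].freeze

  def initialize(params = {})
    @admin = false
    @role  = "member"
    params.each do |k, v|
      key = k.to_sym
      next if PROTECTED.include?(key)
      send("#{key}=", v) if respond_to?("#{key}=")
    end
  end
end

# 3. Whitelist (the attr_accessible idea): only the listed attributes can be
#    set from params. Everything else is dropped and recorded so the
#    application can log the attempt.
class SafeUser
  attr_accessor :name, :email
  attr_reader :admin, :role, :rejected

  ACCESSIBLE = [:name, :email].freeze

  def initialize(params = {})
    @admin    = false
    @role     = "member"
    @rejected = []
    params.each do |k, v|
      key = k.to_sym
      if ACCESSIBLE.include?(key)
        send("#{key}=", v)
      else
        @rejected << key
      end
    end
  end
end

def unsafe_result
  UnsafeUser.new(FORGED_PARAMS)
end

def blacklist_result
  BlacklistUser.new(FORGED_PARAMS)
end

def safe_result
  SafeUser.new(FORGED_PARAMS)
end

if $PROGRAM_NAME == __FILE__
  u = unsafe_result
  puts "unsafe:    admin=#{u.admin.inspect} role=#{u.role.inspect}"
  b = blacklist_result
  puts "blacklist: admin=#{b.admin.inspect} role=#{b.role.inspect}"
  s = safe_result
  puts "whitelist: admin=#{s.admin.inspect} role=#{s.role.inspect} rejected=#{s.rejected.inspect}"
end
```

The whitelist version keeps the list of rejected keys on purpose: a request that tries to set `admin` or `role` is a clear signal worth logging, since a legitimate form never sends those fields.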