Billy Hoffman and Bryan Sullivan from SPI Dynamics gave one of the more entertaining talks today. The title is an allusion to people's willingness to apply new technology before they fully understand it. Instead of laughing at silly Web 2.0 developers, they decided to build their own AJAXified website by consulting the resources any programmer would: AJAX books, blogs, and forums. What they ended up with was hackervacations.com, a security-hole-riddled gem built on good intentions.
For their presentation they demonstrated how easily you can hammer on the site using something like Firebug. No code that runs on the client can be trusted: you can set a breakpoint anywhere and change any variable. So if something like the ticket price is stored locally, you can modify it before it gets debited. We learned long ago not to trust values in HTML forms; it's the same problem all over again, disguised by new technology.
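The price-tampering case above, as an added example that is not code from the talk or from hackervacations.com: a checkout handler that debits whatever price the browser sent, beside one that ignores the client's number and looks the price up itself. The catalog, item names and account balances are assumed for the demo; server state is an in-memory object and the "request" is the JSON body a browser (or Firebug) would submit.

```javascript
// Assumed catalog for the demo; a real site would read this from the database.
const CATALOG = { 'trip-defcon': 1200, 'trip-blackhat': 2500 };

// What the page's own JavaScript computes and keeps in a local variable.
// Anything here can be rewritten from a debugger before it is sent.
function clientQuote(item) {
  return { item, price: CATALOG[item] };
}

// Vulnerable: trusts body.price, i.e. a number the client chose.
function vulnerableCheckout(body, account) {
  if (account.balance < body.price) throw new Error('insufficient funds');
  account.balance -= body.price;
  return { item: body.item, charged: body.price };
}

// Hardened: the price is resolved server-side from the item id; a
// client-supplied price field is simply never read.
function hardenedCheckout(body, account) {
  const price = CATALOG[body.item];
  if (price === undefined) throw new Error('unknown item');
  if (account.balance < price) throw new Error('insufficient funds');
  account.balance -= price;
  return { item: body.item, charged: price };
}

// Runs both handlers against the same tampered request (constructed here:
// the honest quote with the price edited down to 1 in the debugger).
function demo() {
  const tampered = { ...clientQuote('trip-blackhat'), price: 1 };
  const accountA = { balance: 3000 };
  const accountB = { balance: 3000 };
  const v = vulnerableCheckout(tampered, accountA);
  const h = hardenedCheckout(tampered, accountB);
  return {
    vulnerableCharged: v.charged,          // 1: the attacker's price
    hardenedCharged: h.charged,            // 2500: the catalog price
    balanceAfterVulnerable: accountA.balance,
    balanceAfterHardened: accountB.balance,
  };
}
```

The hardened handler is not doing anything clever; the whole fix is that the server never reads a price, total or discount out of the request body, only identifiers it can resolve on its own side.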
Another common practice is dumping all of the functions into one common.js file. Find something like an admin function and you can call it from anywhere. You can also create a race condition. Say one function adds an item and updates the cart total, and another debits your account and ships the order. If you call the two with a slight offset you can interleave their actions: add an item to your cart, debit the $0 total from your account, update it with the actual total, and ship the item.
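The interleaving described above, as an added example that is not the speakers' code: two server-side handlers that each do a non-atomic read-modify-write on shared cart state, written as generators so that every `yield` marks a point where another request could run, plus a scheduler that replays a chosen interleaving. The item names, prices and starting balance are assumed, and `safeCheckout` stands in for what would be a database transaction in a real backend.

```javascript
// Assumed catalog for the demo.
const PRICES = { 'trip-blackhat': 2500, 'trip-defcon': 1200 };

// Adds an item to the cart and bumps the stored running total.
// The yield between read and write models an await on the database.
function* addItem(state, item) {
  const items = state.items.concat([item]);   // read current cart
  yield 'addItem: read cart';
  state.items = items;
  state.total += PRICES[item];                // write cart and running total
  yield 'addItem: wrote total';
}

// Vulnerable checkout: debits the stored total it read earlier, then ships
// whatever is in the cart at shipping time. The two need not agree.
function* checkout(state, account) {
  const owed = state.total;                   // read running total
  yield 'checkout: read total';
  account.balance -= owed;                    // debit the value read above
  yield 'checkout: debited';
  state.shipped = state.items.slice();        // ship the cart as it is now
  yield 'checkout: shipped';
}

// Hardened checkout: one atomic step that recomputes the total from the
// items it is about to ship, so the debited amount and the shipped goods
// come from the same snapshot. In production this is a transaction that
// locks the cart row, not a single synchronous block.
function* safeCheckout(state, account) {
  const items = state.items.slice();
  const owed = items.reduce((sum, it) => sum + PRICES[it], 0);
  if (account.balance < owed) throw new Error('insufficient funds');
  account.balance -= owed;
  state.shipped = items;
  yield 'safeCheckout: done';
}

// Advances the named generator one step per schedule entry and returns the
// log of what ran; this is the "slight offset" between the two requests.
function interleave(schedule, gens) {
  const log = [];
  for (const name of schedule) {
    const r = gens[name].next();
    if (!r.done) log.push(r.value);
  }
  return log;
}

// checkout reads the total (still 0) before addItem has written it, then
// debits 0 and ships the item that arrived in between.
const RACE_SCHEDULE = ['checkout', 'addItem', 'addItem', 'checkout', 'checkout'];

function raceDemo(schedule, useSafeCheckout) {
  const state = { items: [], total: 0, shipped: null };
  const account = { balance: 5000 };
  const gens = {
    addItem: addItem(state, 'trip-blackhat'),
    checkout: useSafeCheckout ? safeCheckout(state, account) : checkout(state, account),
  };
  interleave(schedule, gens);
  return { charged: 5000 - account.balance, shipped: state.shipped };
}
```

With `RACE_SCHEDULE` the vulnerable checkout charges 0 and ships the trip; the safe one, run with the same schedule, charges 0 and ships nothing, because it only ever debits and ships one consistent snapshot. Exposing both functions from a shared common.js is what makes choosing the schedule easy for the attacker, but the real defect is the server letting the debit and the shipment observe different states.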
Their last example involved trusting the client to do the final data formatting. Using two GET requests they were able to dump the entire database. In a JSON object they could add as many SQL queries as they wanted without having to worry about matching the number of arguments, as you would in a standard injection.
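The JSON-shaped query above, as an added example that is not from the talk: a trip-search endpoint whose SQL skeleton is filled in verbatim from the client's JSON, beside one that maps the same kind of JSON onto an allow-listed column set and positional parameters. No database is involved; both functions return the statement that would be sent to one. The table and column names and the request bodies are constructed for the demo.

```javascript
// Vulnerable: the server supplies only "SELECT ... FROM trips WHERE ..." and
// lets the client's JSON provide the column list and the whole WHERE text.
// Nothing here stops a ';' and a second statement from riding along.
function vulnerableSearchSql(body) {
  return `SELECT ${body.columns.join(', ')} FROM trips WHERE ${body.where}`;
}

// Hardened: the client may only name columns and operators from fixed
// allow-lists, and every value becomes a '?' parameter. The client never
// contributes SQL text, so there is no place to put extra statements.
const ALLOWED_COLUMNS = new Set(['id', 'destination', 'price']);
const ALLOWED_OPS = new Set(['=', '<', '>', '<=', '>=']);
const ALLOWED_FIELDS = new Set(['columns', 'filters']);

function hardenedSearchSql(body) {
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) throw new Error(`unexpected field: ${key}`);
  }
  if (!Array.isArray(body.columns) || body.columns.length === 0) {
    throw new Error('columns must be a non-empty array');
  }
  const cols = body.columns.map((c) => {
    if (!ALLOWED_COLUMNS.has(c)) throw new Error(`column not allowed: ${c}`);
    return c;
  });
  const filters = Array.isArray(body.filters) ? body.filters : [];
  const params = [];
  const clauses = filters.map(({ column, op, value }) => {
    if (!ALLOWED_COLUMNS.has(column)) throw new Error(`column not allowed: ${column}`);
    if (!ALLOWED_OPS.has(op)) throw new Error(`operator not allowed: ${op}`);
    if (typeof value !== 'number' && typeof value !== 'string') {
      throw new Error('filter value must be a number or string');
    }
    params.push(value);                // value travels out of band, as a parameter
    return `${column} ${op} ?`;
  });
  const where = clauses.length ? ` WHERE ${clauses.join(' AND ')}` : '';
  return { text: `SELECT ${cols.join(', ')} FROM trips${where}`, params };
}

// Constructed request of the kind the talk described: the "where" field
// carries a complete second statement, and a third could follow the same way.
const ATTACK_BODY = {
  columns: ['id'],
  where: '1=1; SELECT name, password FROM users; --',
};

// Constructed legitimate request for the hardened endpoint.
const LEGIT_BODY = {
  columns: ['id', 'price'],
  filters: [{ column: 'price', op: '<', value: 2000 }],
};
```

The hardened version rejects `ATTACK_BODY` outright because `where` is not a field it accepts; even a filter value of `'1; DROP TABLE trips'` would only ever be bound as a string parameter. The point is not the particular allow-list but that the client gets to choose data, never SQL.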
There were a couple of final thoughts. These problems stem from putting too much trust in the client. That doesn't bode well for offline technologies like Google Gears, where everything has to live on the client, or Silverlight, which makes it hard to know whether your code is going to the client or the server. Lastly, if you're worried about premature AJAX-ulation, abstinence may be the best solution.
Source: http://www.hackaday.com/2007/08/02/black-hat-2007-premature-ajax-ulation/
Chinese reference: http://tech.techweb.com.cn/redirect.php?tid=197737&goto=lastpost
Posted 2007-08-19 12:56