NEVER, NEVER trust the client
Source: Internet | Published under: asp.net web page scraping | Editor: 程序博客网 | Time: 2024/05/22 05:22
2008-7-1 20:30:36 By Alex

When writing web applications, you should never trust the client, especially when it comes to checking field length or email validity. Say, for example, you have a user registration page that uses JavaScript to check that the user name is not empty, that the email is well formed, and that the password has been confirmed. You will have something like this in your JS code:

    if (username.length == 0) {
        // pop up a warning and go back
    }
    if (!IsValidEmailAddress(email)) {
        // pop up a warning and go back
    }

and you try to limit the length of the user name to 16 using the text field's MAXLENGTH=16 attribute. These constraints seem to work fine with a well-behaved user, but a few simple steps using nothing more than a text editor let us bypass all of them. Let's go crack this.
- Suppose the domain that we are cracking is www.somedude.com.
- The sign-up page is at http://www.somedude.com/signup.asp.
- We browse to it and save the page using our browser.
- Reopen the saved page in Notepad (or any text editor), delete all the JavaScript, and delete the MAXLENGTH=16 attribute of the text box.
- Make sure that the form's action points to the right URL; if not, change it. For our example, let's suppose that the form is processed by the same page.
- Reopen the saved local file in the browser, enter a username of any length and an email in any form, and click submit.
- IF there is no validation on the server side to recheck the data that the client is posting, you'll get through.
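The server-side recheck that the last step calls for, as an added example that is not part of the original post: a Node.js signup handler that re-runs the same three checks over the raw POST body, assuming form fields named username, email, password and password2 and an application/x-www-form-urlencoded body.

```javascript
// Added example, not from the original post: the three checks the post's
// client-side script performs, re-run on the server over the raw POST body,
// because that body can be anything the client chooses to send.
// Assumed field names: username, email, password, password2 (urlencoded body).
const MAX_USERNAME = 16;
// Deliberately simple address shape; the point is where the check runs.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Parse the body exactly as received; never assume a field is present.
function parseForm(rawBody) {
  const params = new URLSearchParams(String(rawBody));
  const get = (name) => (params.has(name) ? params.get(name) : "");
  return {
    username: get("username").trim(),
    email: get("email").trim(),
    password: get("password"),
    password2: get("password2"),
  };
}

// Returns the list of validation errors; empty means the data may be stored.
function validateSignup(fields) {
  const errors = [];
  // Count code points so multi-byte characters cannot slip past MAXLENGTH.
  const nameLen = Array.from(fields.username).length;
  if (nameLen === 0) errors.push("username is required");
  else if (nameLen > MAX_USERNAME) errors.push(`username longer than ${MAX_USERNAME}`);
  if (!EMAIL_RE.test(fields.email)) errors.push("email address is not valid");
  if (fields.password.length === 0) errors.push("password is required");
  else if (fields.password !== fields.password2) errors.push("passwords do not match");
  return errors;
}

// The signup handler: validate first, create the account only on success.
function handleSignup(rawBody) {
  const errors = validateSignup(parseForm(rawBody));
  return errors.length === 0
    ? { status: 200, body: "account created" }
    : { status: 400, body: errors.join("; ") };
}

// Constructed sample bodies: one from the untouched form, one sent after the
// JavaScript and MAXLENGTH were stripped from the saved page.
const honest = "username=alex&email=alex%40example.com&password=s3cret&password2=s3cret";
const tampered = "username=" + "a".repeat(40) + "&email=not-an-email&password=x&password2=y";
console.log(handleSignup(honest));   // { status: 200, body: 'account created' }
console.log(handleSignup(tampered)); // status 400 with the three errors joined
```

Whatever the client-side script and MAXLENGTH attribute enforce, the handler treats the posted body as untrusted input and rejects it before anything is written to the database.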