Tuesday 15 April 2014

DOM manipulation - "Hacking" by editing the DOM?


No response can be received by Googling, so I have come here.

I had an idea a week ago about some potential weaknesses, and I am asking whether it is possible and whether there are any suggestions on how to fix it.

The idea is simple: if some part of my site (or many parts of it) writes data to the DOM and then reads that data back, is it possible for someone to "hack" the server by editing the DOM in the browser?

Example: suppose I have several radio buttons, and each button has its own logic attached to it. If I delete a button but fail to remove or comment out its logic, could a person re-add one of the deleted buttons by name in the DOM, so that on submission the server executes the logic associated with the removed radio button?

I understand how to fix that particular situation, by removing or commenting out the deleted button's logic, but I am afraid there are other small possibilities of this kind that could be tampered with through the DOM. Just wondering ...

  1. If such a thing is possible,
  2. Is some complicated verification method the only way to stop "hacks" of this nature?

    The answer to your question is yes. For example, in many browsers you can open the JavaScript console and not only change the DOM, but also change the JavaScript on the site.

    There is no guarantee that the code you wrote for a web page will be run as written. Any user can change their own copy. What they should not be able to do is change other people's copies; when they do, it is called a cross-site scripting (XSS) attack (usually by adding a script to a field that is saved in a database on the server and then served to another user).

    To protect your site, you need to make sure that all web service calls are secure - a user cannot call them with malicious data and cause problems.

    You must also guard against SQL injection attacks.

    There is no way to prevent the user from changing the web page on their own machine so that it does something you did not intend, so every assumption made in the browser must be checked again on the server.


    As an example of how easy it is to change local browser behaviour, consider browser extensions. A browser extension is a pre-packaged way to change how web pages work locally. (Think of ad blockers as a specific example.)
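The radio-button scenario from the question and the "check every browser assumption on the server" advice from the answer, as an added example that is not part of the original question or answers. It assumes a hypothetical shipping form with a `shipping` radio group, a `legacy` option that was removed from the HTML while its server-side handler was left behind, and a user who simply recreates the `<input type="radio" name="shipping" value="legacy">` element in the browser console before submitting. The unsafe handler dispatches on whatever the form says; the hardened one checks the submitted value against the options the server actually offers before running any option-specific logic.

```javascript
// Added example (not the original poster's or answerers' code): a server-side
// form handler that must not trust which radio button the browser claims was
// chosen, since the client can recreate a removed <input> in the DOM.

// Options the server currently offers. "legacy" was removed from the page's
// HTML, but its handler below was never deleted (the question's scenario).
const CURRENT_OPTIONS = new Set(["standard", "express"]);

// Per-option logic, including the stale handler for the removed button.
const OPTION_HANDLERS = {
  standard: () => ({ action: "ship-standard" }),
  express: () => ({ action: "ship-express" }),
  legacy: () => ({ action: "apply-legacy-discount" }), // stale: button deleted, code not
};

// Vulnerable handler: runs whatever handler matches the submitted value.
// The DOM is the only thing that "prevented" legacy from being sent.
function handleShippingUnsafe(form) {
  const handler = OPTION_HANDLERS[form.shipping];
  if (!handler) return { ok: false, reason: "unknown option" };
  return { ok: true, ...handler() };
}

// Hardened handler: the submitted value is validated against the allowlist of
// options the server offers right now, before any option logic is reached.
// The allowlist check also keeps prototype keys such as "constructor" from
// ever being looked up in OPTION_HANDLERS.
function handleShippingSafe(form) {
  const choice = typeof form.shipping === "string" ? form.shipping : "";
  if (!CURRENT_OPTIONS.has(choice)) {
    return { ok: false, reason: `option not offered: ${JSON.stringify(choice)}` };
  }
  return { ok: true, ...OPTION_HANDLERS[choice]() };
}

// Constructed sample submissions. The second is what the server receives
// after a user re-adds the removed radio button via the browser console and
// submits the form normally; no special tooling is involved.
const normalSubmission = { shipping: "express" };
const tamperedSubmission = { shipping: "legacy" };

// Runs both handlers over both submissions so the difference is visible.
function demo() {
  return {
    unsafeNormal: handleShippingUnsafe(normalSubmission),
    unsafeTampered: handleShippingUnsafe(tamperedSubmission),
    safeNormal: handleShippingSafe(normalSubmission),
    safeTampered: handleShippingSafe(tamperedSubmission),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The fix the answer describes is the allowlist, not the handler lookup: the set of values the server will act on has to live on the server and be checked on every submission, because the DOM that the user sees is only their own editable copy. Deleting the stale `legacy` handler is still worthwhile, but the allowlist is what protects you when the next button is removed and its code is forgotten again.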
