Are there any possible wa开发者_JS百科ys by which a malicious user on a web application can manipulate the input that is sent by the front-end of web application (not talking about the FORM DATA, of course) but the requests that are sent like for e.g., when I allow him to edit his profile or his content, he may manipulate the IDs (userId or the contentId) so that he may maliciously do evil with other users content? These inputs are fixed on a webpage & are not editable but still can the users manipulate them?
Is it possible that users may do harm in this manner? How can I safeguard my application against this? Besides, verifying user's identity and his contents/properties on the application prior to allowing each of his actions.
Yes of course. Anything that comes from the client can be modified and cannot be trusted at all.
You need to do server-side checks if the user is editing his own profile or something he's allowed to edit.
For things like editing the profile you could simply use the userid stored in his session though (assuming it's secure, i.e. stored server-side or in cryptographically signed cookies). Only let data go through the client if it's necessary - if the data is already available on the server, you don't even have to give the user the feeling that he might be able to tamper with it. Even though it could be used as a honey-pot - but that's not really the purpose of most webapps...
Yes, it is possible and it is a real danger.
There are two things you can do:
- Implement an access control / permission system which controls which data records a user can access or modify.
- Store information that is none of their business in a session object on the server.
(By the way, these are not exclusive options, ideally you should do both.)
Both solutions still leave you prone to session hijacking though, which is a different, more global problem.
精彩评论