How do end users (hackers) change Jquery and HTML values?_问答_开发者

I've been looking for better ways to secure my site. Many forums and Q/A sites say jquery variables and HTML attributes may be changed by the end user. How do they do this? If they can alter data and elements on a site, can they insert scripts as well?

For instance开发者_高级运维 I have 2 jquery scripts for a home page. The fist is a "member only" script and the second is a "visitor only" script. Can the end user log into my site, copy the "member only" script, log off, and inject the script so it'll run as a visitor?

Yes, it is safe to assume that nothing on the client side is safe. Using tools like Firebug for Firefox or Developer Tools for Chrome, end users are able to manipulate (add, alter, delete):

Your HTML
Your CSS
Your JS
Your HTTP headers (data packets sent to your server)
Cookies

To answer your question directly: if you are solely relying on JavaScript (and most likely cookies) to track user session state and deliver different content to members and guests, then I can say with absolute certainty that other people will circumvent your security, and it would be trivial to do so.

Designing secure applications is not easy, a constant battle, and takes years to fully master. Hacking applications is very easy, fun for the whole family, and can be learned on YouTube in 20 minutes.

Having said all that, hopefully the content you are containing in the JS is not "mission-critical" or "sensitive-data". If it is, I would seriously weigh the costs of hiring a third party developer who is well versed in security to come in and help you out. Because, like I said earlier, creating a truly secure site is not something easily done.

Short Answer: Yes.

Anything on the users computer can be viewed and changed by the user, and any user can write their own scripts to execute on the page.

For example, you will up vote this post automatically if you paste this in your address bar and hit enter from this page:

javascript: $('#answer-7061924 a.vote-up-off').click();

It's not really hacking because you are the end user running the script yourself, only doing actions the end user can normally do. If you allow the end user on your site to perform actions that affect your server in a way they shouldn't be able to, then you have a problem. For example, if I had a way to make that Javascript execute automatically instead of you having to run it yourself from your address bar. Everyone who came to this page would automatically upvote this answer which would be (obviously) undesired behavior.

Firebug and Greasemonkey can be used to replace any javascript: the nature of the Browser as a client is such that the user can basically have it do anything they want. Your specific scenario is definitely possible.

well, if your scripts are public and not protected by a server side than the Hacker can run it in a browser like mozilla.
you should always keep your protected content in a server side scripting and allow access by the session (or some other server side method)

Yes a user can edit scripts however all scripts are compiled on the user's machine meaning that anything they alter will only affect their machine and not any of your other visitors.

However, if you have paid content which you feed using a "members-only" script then it's safest if you use technology on the server to distribute your members-only content rather than rely on the client scripts to secure your content.

Most security problems occur when the client is allowed to interact with the server and modify data on the server.

Here's a good bit on information you can read about XSS: http://en.wikipedia.org/wiki/Cross-site_scripting

To put it very simply:

The web page is just an interface for clients to use your server. It can be altered in all possible ways and anyone can send any kind of data to your server.

For first, you have to check that the user sending that data to your server has privileges to do so. Usually done by checking against server session.

Then you have to check at your server end that you are only taking the data you want, and nothing more or less and that the data is valid by validating it on your server.

For example if there is a mandatory field in some form that user has to fill out, you have to check that the data is actually sent to server because user may just delete the field from the form and send it without.

Other example is that if you are trying to dynamically add data from the form to database, user may just add new field, like "admin", and set it to 1 and send the form. If you then have admin field in database, the user is set as an admin.

The one of the most important things is to remember avoid SQL injection.

There are many tools to use. They are made for web developers to test if their site is safe. Hackbar is one for example.