开发者

Keeping code from being exploited, Securing Javascript and Forms

开发者 https://www.devze.com 2023-01-19 04:38 出处:网络
I am creating a page that allows users access to a certain section of my website if they click 8 out of 25 checkboxes in the right sequence.

I am creating a page that allows users access to a certain section of my website if they click 8 out of 25 checkboxes in the right sequence.

First of all thanks to Reigel for the orignal code, he took what I had and rewrote it, its way better than what I initialy started with. Also thanks to Peter Ajtai for helping me optimize the code.

My question is, how can I clean the output, keeping anyone from exploiting anything, or adding anything that will mess up the server. Is it needed?

Here is a live Version: Click Here to see a live working version

My code is as follows:

<body onLoad="clearForms()" onUnload="clearForms()">

 <p>&nbsp;</p>
 <p>&nbsp;</p>
 <p>&nbsp;</p>
 <p>&nbsp;</p>

<form id="form1" name="form1" method="post" action="check_combination.php">
<table width="200" border="1" align="center">

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="1" /></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="2"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="3"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="4"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="5"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="6"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="7"/></td>
 <td width="20" align="center" val开发者_开发百科ign="middle"><input name="checkbox" type="checkbox" value="8"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="9"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="10"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="11"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="12"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="13"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="14"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="15"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="16"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="17"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="18"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="19"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="20"/></td>
</tr>

<tr>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="21"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="22"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="23"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="24"/></td>
 <td width="20" align="center" valign="middle"><input name="checkbox" type="checkbox" value="25"/></td>
</tr>

<tr>
 <td height="23" colspan="5" align="center" valign="middle" class="label"></td>
</tr>

<tr>
 <td height="28" colspan="5" align="center" valign="middle"><input type="button" value="Test length" id="test" /></td>
</tr>

<tr>
 <td height="28" colspan="5" align="center" valign="middle"><input type="submit" name="button" id="button" value="Submit" /></td>
</tr>

<tr>
 <td height="28" colspan="5" align="center" valign="middle"><input type="button" name="button" id="button2" value="Test hidden input value" /></td>
</tr>

</table>

<input name="result" type="hidden" id="result" />

</form>

</body>

And the javascript:

function clearForms() {
    var i;
    for (i = 0; (i < document.forms.length); i++) {
       document.forms[i].reset();
 $(':checkbox[name=checkbox]:disabled').attr('disabled', false);

    }
}


//initial checkCount of zero
var checkCount = 0;

//maximum number of allowed checked boxes
var maxChecks = 8;

$(document).ready(function() {

clearForms();

$("#form1").submit(function(e) {
  if($("input:checkbox:checked").length < 8) {
    alert("You must select at least 8 options before submitting!");
    e.preventDefault();
  }
});

var $nameCheckbox = $('input:checkbox[name=checkbox]');

    $nameCheckbox.click(function() {

        //update checkCount
        checkCount = $('input:checked').length;

        if (checkCount >= maxChecks) {
            //alert('you may only choose up to ' + maxChecks + ' options');
            $nameCheckbox.not(':checked').attr('disabled', true);
        } else {
            $nameCheckbox.filter(':disabled').attr('disabled', false);
        }

        if (this.checked) {
            $("td.label").append('<label>' + this.value + ' </label>');
        } else {
            $("td.label").find(':contains(' + this.value + ')').remove();
        }

        $('input[name="result"]').val($("td.label").text());

    });


    $("#test").click(function() {
        alert($('input:checked').length)
    });

    $('#button2').click(function() {
        alert($('input[name="result"]').val());
    });

});


First of all, thanks for the mention there and your most welcome.

My question is, how can I clean the output, keeping anyone from exploiting anything, or adding anything that will mess up the server. Is it needed?

My suggestion is always do a checking on server-side. Yeah you can do checking on client-side, but when it's in the client-side, the client/user has the power to change things. So, if you can (I suggest you must), do both checking - server and client side.


This can't be done. Javascript can always be compromised and no user input can be trusted.

You could try and obfuscate the code, but it will never be 100% (not even close).


Don't!

That's a poor security scheme -- if for no other reason it's ripe for brute-force. Seriously consider using an established authentication mechanism--there are tons of options in any language you prefer.


You could generate a hash on the server (such as an MD5 or better SHA-1 or something) based on the form structure, which you then send back to the server on the form submission, and recalculate on the server to see if the user tampered with anything in the form. This is outlined in the old CGI Programming in Perl Book, which incidentally is one of the best books on web programming security I ever read.

I don't recommend it, but for interest it's possible to be pretty sure that a user didn't tamper with your form.

0

精彩评论

暂无评论...
验证码 换一张
取 消