目前我开发了一个用于处理金融交易的网站。我看到我的一些客户已经完成了JavaScript注入攻击并完成了一些不可能的事务。作为一个例子,我在下订单之前检查了他的现金余额。但其中一些确实通过在地址栏中运行以下javascript来改变它。他们通过查看页面源来获取可变名称。
Currently I have developed a site which is used for handle financial transactions. I have seen that some of my customers have done JavaScript injection attacks and have done some transactions which are not possible. As a example I have checked his cash balance before he place the order. But some of them did change that by running the following javascript in the address bar. They have taken the varible name by looking in to page source.
javascript:void(document.accounts.cashBalence.value="10000000")由于这很关键,我想快速修复它。那么有没有办法防止JavaScript注入攻击?
Since this is critical I want to fixed it quickly. So is there a way to prevent JavaScript injection attacks?
推荐答案您可以对变量名称和/或值进行模糊处理或散列。但是, 不要使用JavaScript,而是在服务器端执行每个逻辑。
You can obfuscate or hash variable names and/or values. However, Don't use JavaScript, do every logic in the server-side instead.
更多推荐
如何防止JavaScript注入攻击
发布评论