weixin_33692284 2014-03-13 06:15 采纳率: 0%
浏览 201

从控制台阻止js攻击

I have a website with typing test. User can take a test after login. At the end of the test it sends an ajax and shows the result with accuracy, key per minute, wrong key press etc..

enter image description here

I noticed that somebody created an account on my site and he is always on top score with key per minute 2000 or more than that. I found only one thing to do the trick which is the ajax. Anybody can run the ajax from the console panel with new value like this -

$.ajax({ // this is the main code we have to prevent
 type: 'POST',
 url: '/typingtest',
 //dataType: 'json',
 data:{
  "corrects":2000,
  "incorrects":0,
  "netwpm" : 2000,
  "FixedMistakes" : 0,
  "TotalEntries" : 20000,
  "ErrorRate" : 0,
  "RawSpeed" : 50000,
  "KeySpeed" : 50000,
  "CompleteWords" : 2000,
  "TotalTime" : 1,
  "accuracy" : 200,
  "ajaxSubmit" : "ajaxSubmit"
 },
 success: function(data) {
  window.location.href = data;
 },
 complete: function() {
  // Schedule the next request when the current one's complete
 }
});

And he will get this result -

enter image description here

I have tried with some flag variable to validate on ajax page. But anything done with the js still anybody can see it and easily debug this process to change the values. And then finally he can run the ajax.

Has anyone any idea to prevent this thing to be happen?

  • 写回答

1条回答 默认 最新

  • weixin_33682790 2014-03-13 06:34
    关注

    In the case of words per minute, I would suggest:

    Before starting the test, make sure your server-side code knows how many words are in the test. It's best to make sure this is somewhat random every time.

    Sending a request to the server when the user starts the test in order to get a timestamp of when the test was started.

    During the test, count how many words were successfully completed.

    Then post again when the test is finished with the number of successfully completed words to get the total elapsed time. Verify with the server that the number of completed words is the same as the number of original words originally given, to make sure that nobody tampered with that number.

    This way, the client is not keeping track of any unverifiable information.


    Accuracy is a bit harder to verify, but just make sure to set a max value (an accuracy of 200% is definitely impossible!).


    In addition, you can try security through obfuscation (see How can I obfuscate (protect) JavaScript?), but this is not the most secure method since experience JavaScripters can still know what's going on.

    评论

报告相同问题?

悬赏问题

  • ¥15 delta降尺度计算的一些细节,有偿
  • ¥15 Arduino红外遥控代码有问题
  • ¥15 数值计算离散正交多项式
  • ¥30 数值计算均差系数编程
  • ¥15 redis-full-check比较 两个集群的数据出错
  • ¥15 Matlab编程问题
  • ¥15 训练的多模态特征融合模型准确度很低怎么办
  • ¥15 kylin启动报错log4j类冲突
  • ¥15 超声波模块测距控制点灯,灯的闪烁很不稳定,经过调试发现测的距离偏大
  • ¥15 import arcpy出现importing _arcgisscripting 找不到相关程序