weixin_33692284 2014-03-13 06:15 采纳率: 0%
浏览 201

从控制台阻止js攻击

I have a website with typing test. User can take a test after login. At the end of the test it sends an ajax and shows the result with accuracy, key per minute, wrong key press etc..

enter image description here

I noticed that somebody created an account on my site and he is always on top score with key per minute 2000 or more than that. I found only one thing to do the trick which is the ajax. Anybody can run the ajax from the console panel with new value like this -

$.ajax({ // this is the main code we have to prevent
 type: 'POST',
 url: '/typingtest',
 //dataType: 'json',
 data:{
  "corrects":2000,
  "incorrects":0,
  "netwpm" : 2000,
  "FixedMistakes" : 0,
  "TotalEntries" : 20000,
  "ErrorRate" : 0,
  "RawSpeed" : 50000,
  "KeySpeed" : 50000,
  "CompleteWords" : 2000,
  "TotalTime" : 1,
  "accuracy" : 200,
  "ajaxSubmit" : "ajaxSubmit"
 },
 success: function(data) {
  window.location.href = data;
 },
 complete: function() {
  // Schedule the next request when the current one's complete
 }
});

And he will get this result -

enter image description here

I have tried with some flag variable to validate on ajax page. But anything done with the js still anybody can see it and easily debug this process to change the values. And then finally he can run the ajax.

Has anyone any idea to prevent this thing to be happen?

  • 写回答

1条回答 默认 最新

  • weixin_33682790 2014-03-13 06:34
    关注

    In the case of words per minute, I would suggest:

    Before starting the test, make sure your server-side code knows how many words are in the test. It's best to make sure this is somewhat random every time.

    Sending a request to the server when the user starts the test in order to get a timestamp of when the test was started.

    During the test, count how many words were successfully completed.

    Then post again when the test is finished with the number of successfully completed words to get the total elapsed time. Verify with the server that the number of completed words is the same as the number of original words originally given, to make sure that nobody tampered with that number.

    This way, the client is not keeping track of any unverifiable information.


    Accuracy is a bit harder to verify, but just make sure to set a max value (an accuracy of 200% is definitely impossible!).


    In addition, you can try security through obfuscation (see How can I obfuscate (protect) JavaScript?), but this is not the most secure method since experience JavaScripters can still know what's going on.

    评论

报告相同问题?

悬赏问题

  • ¥15 宇视监控服务器无法登录
  • ¥15 PADS Logic 原理图
  • ¥15 PADS Logic 图标
  • ¥15 电脑和power bi环境都是英文如何将日期层次结构转换成英文
  • ¥15 DruidDataSource一直closing
  • ¥20 气象站点数据求取中~
  • ¥15 如何获取APP内弹出的网址链接
  • ¥15 wifi 图标不见了 不知道怎么办 上不了网 变成小地球了
  • ¥50 STM32单片机传感器读取错误
  • ¥50 power BI 从Mysql服务器导入数据,但连接进去后显示表无数据