×

Loading...
Ad by
  • 最优利率和cashback可以申请特批,好信用好收入offer更好。请点链接扫码加微信咨询,Scotiabank -- Nick Zhang 6478812600。
Ad by
  • 最优利率和cashback可以申请特批,好信用好收入offer更好。请点链接扫码加微信咨询,Scotiabank -- Nick Zhang 6478812600。

@Calgary

Sigh ! 为什么明显错误出现在一些技术书中, 这些作者号称网络安全专家,他们真的测试了这些程序, 还只是为了增加页数,多赚些稿费?

nicetomeetyou(一针牛,寒锋闪剑出鞘)
One shit example:

Unfortunately, while the developers at MyLocalWeatherForecast.com
were diligent about restricting access to the administration page
(admin.php), they neglected to restrict access to the server API that
provides the actual data to that page. While an attacker would be blocked
from accessing admin.php, there is nothing to prevent him from calling
the GetUsageStatistics function directly.
(#4589714@0)
Last Updated: 2008-7-31
This post has been archived. It cannot be replied.
Report

Replies, comments and Discussions:

  • 工作学习 / 学科技术讨论 / Sigh ! 为什么明显错误出现在一些技术书中, 这些作者号称网络安全专家,他们真的测试了这些程序, 还只是为了增加页数,多赚些稿费? -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 {414} (#4589714@0)
    One shit example:

    Unfortunately, while the developers at MyLocalWeatherForecast.com
    were diligent about restricting access to the administration page
    (admin.php), they neglected to restrict access to the server API that
    provides the actual data to that page. While an attacker would be blocked
    from accessing admin.php, there is nothing to prevent him from calling
    the GetUsageStatistics function directly.
    • 就算你什么都不用干,只要不犯错,等你去那些公司时间长了,周围的人陆续地走了,就剩下你的事情,首席专家肯定非你莫属 -linger2007(栀子花开); 2008-7-31 (#4589716@0)
    • 再说,人家也是人,不知道出了多少本了,每个都测试是不可能的。。。估计也就第一本书都测试过了,后来就麻木了。。。。 -linger2007(栀子花开); 2008-7-31 (#4589718@0)
      • Read carefully, the example I put in the post is definitely a problem of nowhere ! I assume you know JS and server side session management. -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 (#4589725@0)
        • 我不是针对你贴出来的这段。。我是人是一个朋友是写书的,但是那不是ta真正的工作,只是偶尔会被叫进去一堆人抓紧时间赶着写出来,所以听说了点负面的东西而已。。不是估计来搅你的帖子。。抱歉。。。 -linger2007(栀子花开); 2008-7-31 (#4589748@0)
          • That is OK, you are welcome, just a piece of discussion. Maybe I am wrong in this case, you never know.:-) -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 (#4589763@0)
            • 看我急急忙忙解释得,敲错了好几个字。:-)) -linger2007(栀子花开); 2008-7-31 (#4589771@0)
    • 哪里有问题? -canadiantire(轮胎 - Bona fide Crm); 2008-7-31 (#4589721@0)
      • coask. -holdon(again); 2008-7-31 (#4589749@0)
    • do you mean hacker can't call GetUsageStatistics from different site because of browser restiction? If he can read the js script , he can write a application directly send GetUsageStatistics ajax request to the server, no browser restriction. -holdon(again); 2008-7-31 (#4589761@0)
      • Admin and general user will have different sessions managed by server. After they logged in, the unique session IDs will be assigned. From surface, you see they call the same JS function to call a server agent, but -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 {239} (#4589781@0)
        common user's request will be denied from server for sure, because his/her request doesn't own admin session ID.

        Well, hacking admin session ID will be a totally different story, but author doesn't mention this in this special case.
        • Isn't this te auther's point? the developer only protected the admin.php page by session, but not the server function answering the getstatistic request ( it's not necessary the same admin.php page), therefore caused a security hole. -holdon(again); 2008-7-31 (#4589786@0)
          • That is wrong ! Each response handler on server has its own level of privilege to access backend data. It is activated effectively when user logs in and authentication is passed. Author assume to access admin data fully by getting around admin.php -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 {9} (#4589835@0)
            Mistake !
            • ok. I give up. -holdon(again); 2008-7-31 (#4589921@0)
            • I believe Holdon has point out there involves two different PHP pages, and the two pages are covered by different security settings. The problem is the page that contains the js function has weaker security. -canadiantire(轮胎 - Bona fide Crm); 2008-7-31 (#4590040@0)
              • PHP page is not a "page" shown on client, it first runs on server, then sends dhtml mix to browser. you have to pass authentication in order to be "forward"ed to "admin.php", then your ajax call succeeds because of valid admin cookies(sesson ID). -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 (#4590468@0)
                • 同学,麻烦你再仔细看看。 -canadiantire(轮胎 - Bona fide Crm); 2008-7-31 (#4590541@0)
                  • Done, Sir. ERP/HR/ACCT apps is my everyday life. I got involved several complex niu projs in which all dhtml, css, js, jsp, tab lib, applet, servlet, j2ee, data access, jdbc, MySql stored proc/func, xslt, were hand-coded. -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 {369} (#4590605@0)
                    ajax is just a feature in which parts of the DOM get updated from server without whole page refresh. nothing is really new. I worry more about exposing business logic in js code. The weather report example makes some sense in the book. That could be a security threat. Even entry level won't write SQL code directly in js, A joke is written into a professional book.
                    • 不好意思,纠正你一个错误,是taglib。 -canadiantire(轮胎 - Bona fide Crm); 2008-7-31 (#4590643@0)
                      • Thanks! :-) -nicetomeetyou(一针牛,寒锋闪剑出鞘); 2008-7-31 (#4590660@0)
    • do not know if they mean to 多赚些稿费, but definitely a book with great thickness seems 博大精深. -win(秋天的菠菜); 2008-7-31 (#4590045@0)

More Topics

  • 现在社区游泳池招救生员巡逻,过一会还要不停的点人头,这工作是否很快就被AI代替了,装一个摄像头后面是AI处理系统,这样只招一个等着救人就行了,人头沉下水一定时间立马强光照射,还可以分析水下人的状况来判断是否溺水等
  • 新冠疫苗引发心肌炎? 最新研究这样看
  • 这道几何题有解吗?
  • SAM 2 Demo
  • 如何在 AWS EC2 实例上构建 WordPress 应用程序?
    • 枫下论坛主坛工作学习学科技术讨论