Sigh! Why do obvious errors appear in some technical books? These authors claim to be network security experts; did they really test these programs, or is it just to pad the page count and earn more royalties?

One shit example:

Unfortunately, while the developers at MyLocalWeatherForecast.com
were diligent about restricting access to the administration page
(admin.php), they neglected to restrict access to the server API that
provides the actual data to that page. While an attacker would be blocked
from accessing admin.php, there is nothing to prevent him from calling
the GetUsageStatistics function directly.
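The flaw the excerpt describes, modelled as an added example (not the book's code and not anything posted in this thread): a toy router with server-side sessions where admin.php checks the role but, in the vulnerable variant, the API feeding it does not. Route paths, session ids and statistics are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: server-side session store and the backend data the admin page shows.
SESSIONS = {"sid-admin": {"role": "admin"}, "sid-user": {"role": "user"}}
USAGE_STATS = {"visits": 1234, "unique_users": 87}


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None  # value of the session cookie, if the client sent one


Response = Tuple[int, object]


def role_of(req: Request) -> Optional[str]:
    """Resolve the cookie to a server-side session; unknown or missing cookie -> no role."""
    return SESSIONS.get(req.session_id or "", {}).get("role")


def admin_page(req: Request) -> Response:
    """admin.php: checks the session, then serves the page whose JS calls the API."""
    if role_of(req) != "admin":
        return 403, "forbidden"
    return 200, "<html>admin dashboard; JS fetches /api/GetUsageStatistics</html>"


def get_usage_statistics_vulnerable(req: Request) -> Response:
    """Relies on 'only admin.php's JS calls me'; a direct request never visits that page."""
    return 200, USAGE_STATS


def get_usage_statistics_fixed(req: Request) -> Response:
    """Each handler enforces its own authorization; the page's check does not carry over."""
    if role_of(req) != "admin":
        return 403, "forbidden"
    return 200, USAGE_STATS


Routes = Dict[str, Callable[[Request], Response]]
VULNERABLE_ROUTES: Routes = {"/admin.php": admin_page,
                             "/api/GetUsageStatistics": get_usage_statistics_vulnerable}
FIXED_ROUTES: Routes = {"/admin.php": admin_page,
                        "/api/GetUsageStatistics": get_usage_statistics_fixed}


def dispatch(routes: Routes, req: Request) -> Response:
    handler = routes.get(req.path)
    return handler(req) if handler else (404, "not found")


def unguarded_admin_routes(routes: Routes, session_id: Optional[str]) -> list:
    """Defender's regression check: routes that answer 200 to the given (non-admin or absent) session."""
    return [path for path in routes if dispatch(routes, Request(path, session_id))[0] == 200]
```

Running unguarded_admin_routes with a plain user session (or none) against the vulnerable table lists the API, which is exactly the hole the book describes; the fixed table lists nothing.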

Replies, comments and Discussions:

    • Even if you do nothing at all, as long as you don't make mistakes, once you've been at those companies long enough and the people around you have left one after another, only you will remain, and the chief expert position will surely be yours.
    • Besides, they're only human; who knows how many books they've put out, and testing every one is impossible... I'd guess only the first book was fully tested, and after that they went numb....
      • Read carefully: the example I put in the post is definitely a problem out of nowhere! I assume you know JS and server-side session management.
        • I wasn't targeting the passage you posted.. I have a friend who writes books, but that's not their real job; they just occasionally get pulled in with a crowd of people to rush something out on a tight deadline, so I've heard a bit of negative stuff, that's all.. I didn't mean to stir up your thread.. Sorry...
          • That is OK, you are welcome, just a piece of discussion. Maybe I am wrong in this case, you never know. :-)
            • Look at me explaining in such a hurry, I mistyped several characters. :-))
    • Where's the problem?
      • Co-ask.
    • Do you mean a hacker can't call GetUsageStatistics from a different site because of browser restrictions? If he can read the JS script, he can write an application that directly sends the GetUsageStatistics AJAX request to the server, with no browser restriction.
      • Admin and general users will have different sessions managed by the server. After they log in, unique session IDs are assigned. On the surface, you see them call the same JS function to call a server agent, but
        a common user's request will be denied by the server for sure, because his/her request doesn't carry the admin session ID.

        Well, hacking the admin session ID would be a totally different story, but the author doesn't mention this in this particular case.
        • Isn't this the author's point? The developer only protected the admin.php page by session, but not the server function answering the GetStatistics request (it's not necessarily the same admin.php page), therefore causing a security hole.
          • That is wrong! Each response handler on the server has its own level of privilege to access backend data. It is activated effectively when the user logs in and authentication passes. The author assumes full access to admin data by getting around admin.php.
            Mistake!
            • OK. I give up.
            • I believe Holdon has pointed out that two different PHP pages are involved, and the two pages are covered by different security settings. The problem is that the page containing the JS function has weaker security.
              • A PHP page is not a "page" shown on the client; it first runs on the server, then sends a DHTML mix to the browser. You have to pass authentication in order to be "forward"ed to "admin.php"; then your AJAX call succeeds because of valid admin cookies (session ID).
                • Classmate, please take another careful look.
                  • Done, sir. ERP/HR/ACCT apps are my everyday life. I've been involved in several complex, impressive projects in which all the DHTML, CSS, JS, JSP, tab lib, applets, servlets, J2EE, data access, JDBC, MySQL stored procs/funcs and XSLT were hand-coded.
                    AJAX is just a feature in which parts of the DOM get updated from the server without a whole-page refresh. Nothing is really new. I worry more about exposing business logic in JS code. The weather report example makes some sense in the book. That could be a security threat. Even an entry-level developer won't write SQL code directly in JS. A joke has been written into a professional book.
                    • Sorry, let me correct one mistake of yours: it's taglib.
                      • Thanks! :-)
    • I don't know if they mean to earn more royalties, but a book of great thickness definitely seems broad and profound.