-
Sigh! Why do obvious mistakes appear in some technical books? These authors call themselves network security experts; did they really test these programs, or is it just to pad the page count and earn more in royalties?
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4589714@0)
-
Even if you don't do anything at all, as long as you don't make mistakes, once you've been at one of those companies long enough and the people around you have left one by one, you'll be the only one left to handle things, and the chief expert title will surely be yours.
-linger2007(栀子花开);
2008-7-31
(#4589716@0)
-
Besides, they're only human; who knows how many books they've put out, and testing every one of them is impossible... I'd guess only the first book was fully tested, and after that they just went numb....
-linger2007(栀子花开);
2008-7-31
(#4589718@0)
-
Read carefully, the example I put in the post is definitely a problem of nowhere! I assume you know JS and server-side session management.
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4589725@0)
-
I wasn't targeting the snippet you posted. I know a friend who writes books, but that isn't their real job; they just occasionally get called in with a crowd of people to rush a book out under time pressure, so I've heard a few negative things, that's all. I wasn't trying to derail your thread. Sorry...
-linger2007(栀子花开);
2008-7-31
(#4589748@0)
-
That is OK, you are welcome, just a piece of discussion. Maybe I am wrong in this case, you never know. :-)
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4589763@0)
-
Look at me explaining in such a hurry, I mistyped several characters. :-))
-linger2007(栀子花开);
2008-7-31
(#4589771@0)
-
Where is the problem?
-canadiantire(轮胎 - Bona fide Crm);
2008-7-31
(#4589721@0)
-
coask.
-holdon(again);
2008-7-31
(#4589749@0)
-
Do you mean a hacker can't call GetUsageStatistics from a different site because of the browser restriction? If he can read the JS script, he can write an application that directly sends the GetUsageStatistics Ajax request to the server, with no browser restriction.
-holdon(again);
2008-7-31
(#4589761@0)
-
Admin and general users will have different sessions managed by the server. After they log in, unique session IDs are assigned. On the surface, you see them call the same JS function to call a server agent, but the common user's request will be denied by the server for sure, because his/her request doesn't carry the admin session ID.
Well, hijacking the admin session ID would be a totally different story, but the author doesn't mention this in this particular case.
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4589781@0)
-
Isn't this the author's point? The developer only protected the admin.php page by session, but not the server function answering the getstatistic request (it's not necessarily the same admin.php page), therefore causing a security hole.
-holdon(again);
2008-7-31
(#4589786@0)
-
That is wrong! Each response handler on the server has its own level of privilege to access backend data. It is activated effectively when the user logs in and authentication is passed. The author assumes admin data can be accessed fully by getting around admin.php. Mistake!
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4589835@0)
-
ok. I give up.
-holdon(again);
2008-7-31
(#4589921@0)
-
I believe Holdon has pointed out that this involves two different PHP pages, and the two pages are covered by different security settings. The problem is that the page that contains the JS function has weaker security.
-canadiantire(轮胎 - Bona fide Crm);
2008-7-31
(#4590040@0)
-
A PHP page is not a "page" shown on the client; it first runs on the server, then sends a DHTML mix to the browser. You have to pass authentication in order to be "forward"ed to "admin.php", and then your Ajax call succeeds because of valid admin cookies (session ID).
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4590468@0)
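The point the thread keeps circling back to is whether GetUsageStatistics enforces authorization on its own or merely relies on admin.php having been protected. The following is an added example, not code from the thread or from the book being discussed: a small Python model with a constructed session store, constructed users (alice, bob) and constructed statistics data, contrasting a handler that trusts the page flow with one that re-checks the caller's role on every request.

```python
# Added example (not from the thread or the book it discusses): a minimal
# server-side model of the admin.php / GetUsageStatistics flow, showing why the
# Ajax handler must check authorization itself instead of relying on admin.php.
import secrets

# Constructed session store: session ID -> role of the logged-in user.
SESSIONS = {}

# Constructed user table: username -> (password, role). Sample values only.
USERS = {"alice": ("admin-pw", "admin"), "bob": ("user-pw", "user")}


def login(username, password):
    """Constructed credential check; returns a fresh session ID or None."""
    if username not in USERS or USERS[username][0] != password:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = USERS[username][1]
    return sid


def admin_php(sid):
    """The page that embeds the JS; only admins get the HTML with the Ajax call."""
    if SESSIONS.get(sid) != "admin":
        return 403, "Forbidden"
    return 200, "<script>GetUsageStatistics()</script>"


def get_usage_statistics_weak(sid):
    """Handler that assumes only admin.php could have issued the request."""
    return 200, {"logins_today": 42}  # constructed statistics data


def get_usage_statistics_checked(sid):
    """Handler that re-checks the caller's session role on every request."""
    if SESSIONS.get(sid) != "admin":
        return 403, "Forbidden"
    return 200, {"logins_today": 42}  # constructed statistics data


def demo():
    """Sends a plain user's session to both handlers; returns (weak, checked) status codes."""
    bob = login("bob", "user-pw")
    page_status = admin_php(bob)[0]                 # 403: the page is protected
    weak = get_usage_statistics_weak(bob)[0]        # 200: the endpoint is not
    checked = get_usage_statistics_checked(bob)[0]  # 403: the endpoint checks
    return page_status, weak, checked
```

The weak handler returns the data to any session that sends the request directly, which is exactly the gap holdon describes; the checked handler behaves the way nicetomeetyou expects, because the authorization decision lives in the handler rather than in the page that embeds the script.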
-
Classmate, please take another careful look.
-canadiantire(轮胎 - Bona fide Crm);
2008-7-31
(#4590541@0)
-
Done, Sir. ERP/HR/ACCT apps are my everyday life. I got involved in several complex, seriously impressive projects in which all the DHTML, CSS, JS, JSP, tab lib, applets, servlets, J2EE, data access, JDBC, MySQL stored procs/funcs and XSLT were hand-coded. Ajax is just a feature in which parts of the DOM get updated from the server without a whole-page refresh; nothing is really new. I worry more about exposing business logic in JS code. The weather report example makes some sense in the book; that could be a security threat. Even an entry-level developer won't write SQL code directly in JS. A joke is written into a professional book.
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4590605@0)
-
Sorry, let me correct one mistake of yours: it's taglib.
-canadiantire(轮胎 - Bona fide Crm);
2008-7-31
(#4590643@0)
-
Thanks! :-)
-nicetomeetyou(一针牛,寒锋闪剑出鞘);
2008-7-31
(#4590660@0)
-
I don't know if they mean to earn more in royalties, but a book of great thickness definitely seems profound and comprehensive.
-win(秋天的菠菜);
2008-7-31
(#4590045@0)