Verify AJAX-Requests

Time: 2017-08-13 13:52:32

Tags: ajax

Scenario

Let us assume that somewhere on my website there exists a function named doSomething which sends an XHR request to the server whose purpose is to increase a value called valueA.

// v := value to increase valueA by
function doSomething(v) {
    // Sends an XHR request to the server to increase valueA by v
}

Problem

With today's browser consoles/developer tools it is pretty easy for any mere amateur to find and analyse those requests. So in the end the user is always able to open the console and execute that request on their own.

Open console: doSomething(12);

How can I distinguish the calls made by the normal process tree from calls which are triggered by the user out of scope? I thought about wrapping my actual call in a wrapper function returning a key/hash which needs to be provided in the actual call:

// f := callback()
function doSomethingWrapper(f) {
    // Sends an XHR request, receives a key, then calls f() passing the key
}

// k := required key, v := value to increase valueA by
function doSomething(k, v) {
    // Sends an XHR request to the server to increase valueA by v
}

Yet then the user can obviously just call that wrapper instead.

Question

The point is, whatever validation I do in JavaScript, it can always be bypassed by changing my code on the client. Is there a common way to verify those requests?

Practical example: Given a game consisting of a jar filled with water. Whenever a user clicks on his jar, the water drops by 1%. Whoever empties the jar first wins the game. So what prevents the users (besides knowledge) from just executing the call in the console in a for loop and getting it over with?

2 answers:

Answer 0 (score: 0)

You need to authorize and validate all requests server side. There's also nothing stopping a user from opening DevTools, copying the request in the network tab, and re-running an altered version of the ajax request with curl.

Answer 1 (score: 0)

The answer is no, you can't verify AJAX requests.

Now, how can you secure things more?

  1. You add a CSRF token.
  2. You allow AJAX calls only from your origin.
  3. You minify your JavaScript file.
  4. Add throttling for your requests.