none
JS中判别来自开发者工具的语句 RRS feed

  • 问题

  • 手上有个庞大的项目,在IE6时期开发的,对权限的控制主要是通过把按钮设定为Disable来进行的。

    但是现在通过IE的开发者工具,稍微懂一点Web开发技术的人,就可以很容易地改变按钮的状态,从而绕过权限控制。

    因为程序太多,不想一一对应,而且项目中使用的按钮等控件都是自己开发的,改变控件状态要通过自己写的JS函数,如果能只修改这个函数就能解决问题的话就最好了。

    所以想咨询一下,能否在js函数中,判断是否通过开发者工具调用的呢?


    2014年2月19日 3:53

答案

  • Hi,

    I think it hard to be detected. So I suggest that you should better configure user role permission restriction in server side instead of disabling/enabling button only.

    In addition, effective conceptual defense methods against the DOM XSS include, but are not limited to:

    • Avoiding client-side sensitive actions such as rewriting or redirection, using client-side data;
    • Sanitization of the client-side code by inspecting and securely handling references to DOM objects that pose a threat, such as url, location and referrer, especially in cases when the DOM may be modified;
    • Using intrusion prevention systems which are able to inspect inbound URL parameters and prevent the inappropriate pages to be served.

    For more information, you can refer here

    http://www.acunetix.com/blog/web-security-zone/articles/dom-xss-explained/

    http://searchsecurity.techtarget.com/answer/How-to-defend-against-a-DOM-based-XSS-attack

    Hope it can hlep you.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. <br/> Click <a href="http://support.microsoft.com/common/survey.aspx?showpage=1&scid=sw%3Ben%3B3559&theme=tech"> HERE</a> to participate the survey.

    2014年2月20日 2:47