Question

在很晚的时候,我一直深入到网络应用安全中。在浏览时,我从协会那里找到了网络Scarab工具,可以向您的网络应用注入可能的攻击,使你的申请变得脆弱。

我正在利用这一工具,拦截我根据联合论坛提出的网上申请提出的任何要求。 1.2 框架。在使用我时,我注意到,无论在形式领域,都显示任何价值,因为它是这一工具中的HttpRequest。您可以修改这些价值观,并将自动产生新的要求书主,并显著地将修改的数值插入行文。

Isn t it a potential attack? I mean anyone can intercept any HttpRequest and modify the parameter with the help of a tool and inject some malicious content,

我的问题是:

Is it possible for everyone to intercept HttpRequest generating from any webpage, say stackoverflow.com?
If yes, how can you avoid these modification by an unknown user who can modify the parameter and remake the encoded URL?
If no, please explain why? I am absolutely numb?

Answer 1

WebScarab 。

WebScarab作为拦截代理运营,使运营商能够在将浏览器送至服务器之前审查并修改浏览器提出的申请,并在浏览器收到回复之前审查和修改从服务器中退回的答复。

But this requires the client (e.g. your web browser) to actually use the proxy:

In order to start using WebScarab as a proxy, you need to configure your browser to use WebScarab as a proxy. This is configured in IE using the Tools menu. Select Tools -> Internet Options -> Connections -> LAN Settings to get the proxy configuration dialog.

So only the communication of clients that use the WebScarab proxy can be intercepted.

Answer 2

Using WebScarab or other UI Interceptor tool, person can Change the Transaction data in between of processing of request from Client to Server.

Basically this can be avoided by applying Same Validations at both Client and Server side of the application. eg, if Application has Change pwd functionality, and someone tries Interceptor and modifies the pwd with new intercepted Pwd., while saving it should be validated on server side , whether user entered correct password or not.

友情链接