Watch Your Door - Client-side Data Transmission (10) - Unsafe HTML Disabled Elements_html/css_WEB-ITnose

First of all, it needs to be stated that this article is purely the ignorant opinion of a small developer without any vision or real knowledge, and is only for reference in web system security.

1. Brief explanation

Continuing to tell the story, one day the product manager planned a plan to conduct a promotion. A user can only use the egg coupon once at most.
Developers need to make modifications and adjustments to the system.
Let us imagine the scenario of Internet e-commerce in traditional industries:
Product manager: hurry up to change, hurry up, hurry up and start activities
Operation and maintenance manager: version upgrade, submit online evaluation report, risk test Reports, system test reports, documents signed by the responsible leaders...;
Developer A: Damn, I work from 9 o'clock in the morning to 9 o'clock in the evening, and I have to write so many reports, let me think about how good it is Method...
Developer B: Set restrictions on the html form and disable it after purchasing it once;
Developer A: This is a good method, as long as the html is modified, it does not count as a version upgrade;
Development Manager: Brother Everyone, hurry up and develop;
… (use html to disable elements)
Tester: The test is done. One person can only use the egg coupon once. After using it, it will be gray. I can’t use it anymore. It has reached Target.
Development Manager: Submit for online
…

2. Use HTML to disable elements

After using the page once, the button to confirm purchase is grayed out.

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>看好你的门-阿饭同学 </title></head><body>    <form action="aShopPrice.action" method="post" name="form1" " >    商品：鸡蛋 优惠券，只能使用一次<br>    您已经使用一次<br>    <input type="submit" value="确认购买" disabled="true"/>     </form></body></html>

No matter how I click, this button is gray.

3. Being attacked

Oh, I accidentally got attacked again...
1. The simplest method, such as using a proxy server to intercept and then modify it, directly let disabled= false or remove this attribute;
2. For example, let’s keep this page and use the element inspection function to find: disabled=true. Modify the element attributes and remove this code. In this way, the verification will be invalid. Use the egg coupons a few more times. Have some fun. .

4. Thinking about element disabling in HTML

1. Element disabling does not seem to be used much now, but as long as the server adopts the same or even stricter confirmation mechanism as the client, this application It is more difficult to be attacked;
2. Because user input may cause various problems, this method can filter out unintentional errors by users and reduce network traffic and server burden. Therefore, this method The method should still be used.