Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Trust the World's Fastest VPN with Your Internet Security & Freedom - A Lifetime Subscription of PureVPN at 88% off. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×

Comment Re:Editing JavaScript is very powerful nowadays (Score 1) 308

You skip past all this code and just set p = 0.01 in Firebug. Refresh the page and now your item's price is $0.01. This works in at least 20-30% of all the small-to-medium enterprise AJAX carts I've informally tested it on. Having never checked out (that would be theft) with this modified value, it's impossible to say if those same retailers were using proper serverside validation in the checkout process. I'd guess not, given their lackluster approach to AJAX security.

I don't understand your point. Obviously you can alter a page if you mess with javascript, but every definitive check will always be server-side.

In the shopping cart example product ids would be saved server-side and prices would be calculated by checking those ids against the db. If the user wants to change the page to show "foobar" instead of the real product name and 0.01 euros instead of the real price is his right but it would not change is order.

How would you avoid such a "vulnerabily" by the way?

Slashdot Top Deals

Machines that have broken down will work perfectly when the repairman arrives.