Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:Editing JavaScript is very powerful nowadays (Score 1) 308

You skip past all this code and just set p = 0.01 in Firebug. Refresh the page and now your item's price is $0.01. This works in at least 20-30% of all the small-to-medium enterprise AJAX carts I've informally tested it on. Having never checked out (that would be theft) with this modified value, it's impossible to say if those same retailers were using proper serverside validation in the checkout process. I'd guess not, given their lackluster approach to AJAX security.

I don't understand your point. Obviously you can alter a page if you mess with javascript, but every definitive check will always be server-side.

In the shopping cart example product ids would be saved server-side and prices would be calculated by checking those ids against the db. If the user wants to change the page to show "foobar" instead of the real product name and 0.01 euros instead of the real price is his right but it would not change is order.

How would you avoid such a "vulnerabily" by the way?

Slashdot Top Deals

Faith may be defined briefly as an illogical belief in the occurence of the improbable. - H. L. Mencken

Working...