Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×

Comment Re:Editing JavaScript is very powerful nowadays (Score 1) 308

You skip past all this code and just set p = 0.01 in Firebug. Refresh the page and now your item's price is $0.01. This works in at least 20-30% of all the small-to-medium enterprise AJAX carts I've informally tested it on. Having never checked out (that would be theft) with this modified value, it's impossible to say if those same retailers were using proper serverside validation in the checkout process. I'd guess not, given their lackluster approach to AJAX security.

I don't understand your point. Obviously you can alter a page if you mess with javascript, but every definitive check will always be server-side.

In the shopping cart example product ids would be saved server-side and prices would be calculated by checking those ids against the db. If the user wants to change the page to show "foobar" instead of the real product name and 0.01 euros instead of the real price is his right but it would not change is order.

How would you avoid such a "vulnerabily" by the way?

Slashdot Top Deals

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (8) I'm on the committee and I *still* don't know what the hell #pragma is for.