Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×

Comment Re:Editing JavaScript is very powerful nowadays (Score 1) 308

You skip past all this code and just set p = 0.01 in Firebug. Refresh the page and now your item's price is $0.01. This works in at least 20-30% of all the small-to-medium enterprise AJAX carts I've informally tested it on. Having never checked out (that would be theft) with this modified value, it's impossible to say if those same retailers were using proper serverside validation in the checkout process. I'd guess not, given their lackluster approach to AJAX security.

I don't understand your point. Obviously you can alter a page if you mess with javascript, but every definitive check will always be server-side.

In the shopping cart example product ids would be saved server-side and prices would be calculated by checking those ids against the db. If the user wants to change the page to show "foobar" instead of the real product name and 0.01 euros instead of the real price is his right but it would not change is order.

How would you avoid such a "vulnerabily" by the way?

Slashdot Top Deals

After a number of decimal places, nobody gives a damn.