Question

I am building a JavaScript library that will allow authentication to a server using the SRP-6 protocol.

I know using JavaScript as an authentication method is not the best option due to XSS. But proper XSS prevention can eliminate most issues.

My only concern is how easy it is to modify a server reply before the user even receives the request?

Sample Scenario:

User request page: http://serverdomain/home

Server: Replies back with:

<html>
   <head>Home</head>
   <script type="text/javascript" src="auth.js"></script>
   <body>Home</body>
</html>

Before the user receives the reply, can a hacker somehow magically modify the reply to:

<html>
   <head>Home</head>
   <script type="text/javascript" src="hacker_auth.js"></script>
   <body>Home</body>
</html>

Is this possible to do? This is one of the vulnerabilities that I can think of when using JavaScript to authenticate.

Solution

Badaboooooom nailed it: http://en.wikipedia.org/wiki/Man-in-the-middle_attack You can use https to mitigate the risk, though tools such as http://www.thoughtcrime.org/software/sslstrip/ still make an attack possible if the user doesn't notice the "lock" is gone.
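
An added example, not part of the original answer: a small audit of how the page from the question is delivered, checking the three things that decide whether the reply or auth.js can be swapped in transit (page scheme, an effective Strict-Transport-Security header so the browser stops making the plain-HTTP request that SSL stripping depends on, and the scheme each script src resolves to). The function name auditDelivery, the finding strings and the plain-object header format are assumptions made for this sketch.

```javascript
// Added example: audit how a page that delivers auth.js is transported.
// auditDelivery and its finding strings are hypothetical names.
function auditDelivery(pageUrl, headers, html) {
  const findings = [];
  const page = new URL(pageUrl);

  // 1. A page fetched over plain HTTP can be rewritten by anyone on the path.
  if (page.protocol !== "https:") {
    findings.push("page served over " + page.protocol + "//, reply can be altered in transit");
  }

  // 2. Without HSTS the browser may still try http:// first, which is the
  //    request an SSL-stripping proxy relies on.
  const hsts = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "strict-transport-security");
  const maxAge = hsts ? /max-age\s*=\s*"?(\d+)/i.exec(hsts[1]) : null;
  if (!maxAge || Number(maxAge[1]) === 0) {
    findings.push("no effective Strict-Transport-Security header");
  }

  // 3. Every script must itself resolve to https://, including relative srcs.
  const scriptTag = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(scriptTag)) {
    const src = m[1] ?? m[2] ?? m[3];
    const resolved = new URL(src, page);
    if (resolved.protocol !== "https:") {
      findings.push("script " + resolved.href + " loaded without TLS");
    }
  }
  return findings;
}

// Constructed sample input based on the page in the question.
const SAMPLE_HTML = `<html>
   <head>Home</head>
   <script type="text/javascript" src="auth.js"></script>
   <body>Home</body>
</html>`;

// Plain HTTP, no HSTS: three findings, including the relative auth.js.
console.log(auditDelivery("http://serverdomain/home", {}, SAMPLE_HTML));
// HTTPS with HSTS: the same markup yields no findings.
console.log(auditDelivery("https://serverdomain/home",
  { "Strict-Transport-Security": "max-age=31536000" }, SAMPLE_HTML));
```

The relative src="auth.js" inherits the page's scheme, so the same markup is flagged when the page is fetched over HTTP and passes when it is fetched over HTTPS.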

Other tips

You can avoid this using a secure protocol like HTTPS, though everything can be hacked some way, some are just more easily broken than others.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow