使用框架时是否可以篡改发布数据

发布于 2024-08-17 00:10:31 字数 106 浏览 11 评论 0原文

我有一个使用框架的网站。有人仍然可以从浏览器中使用地址栏为其中一个框架制作发布数据吗?其中 2 个框架是静态的,另一个框架具有使用 post 进行通信的 php 页面。这似乎不可能,但我想确定一下。

I have a site that is using frames. Is it still possible from the browser for someone to craft post data for one of the frames using the address bar? 2 of the frames are static and the other frame has php pages that communicate using post. And it doesn't appear to be possible but I wanted to be sure.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

羁拥 2024-08-24 00:10:31

不可以,无法从地址栏POST数据。您只能通过向 URL 添加参数来发起 GET 请求。无法以这种方式附加 POST 正文。

不管怎样,很可能向您的网络服务器发送针对框架中页面的 POST 请求。 HTTP 只是浏览器和网络服务器相互通信的协议。 HTTP 对框架或 HTML 一无所知。框架中的页面有一个 URI,就像任何其他页面一样。当您单击链接时,浏览器会询问服务器是否有该 URI 的内容。服务器将检查它是否有该 URI 的内容并做出相应的响应。但它不知道会返回什么。

使用 TamperData for FirefoxFiddler for IE 任何人都可以轻松修改发送到您服务器的 HTTP 请求。

No, it is not possible to POST data from the address bar. You can only initiate GET requests from there by adding params to the URL. The POST Body cannot be attached this way.

Regardless of this, it is very much possible to send POST requests to your webserver for the pages in a frame. HTTP is just the protocol with which your browser and webserver talk to each other. HTTP knows nothing about frames or HTML. The page in the frame has a URI, just like any other page. When you click a link, your browser asks the server if it has something for that URI. The server will check if it has something for that URI and respond accordingly. It does not know what it will return though.

With tools like TamperData for Firefox or Fiddler for IE anyone can tinker with HTTP Requests send to your server easily.

笨死的猪 2024-08-24 00:10:31

无论来源和/或环境如何,$_REQUEST 数组中的任何数据都应被视为同等武装和危险。这包括 $_GET$_POST$_COOKIE

Any data in the $_REQUEST array should be considered equally armed and dangerous regardless of the source and/or environment. This includes $_GET, $_POST, and $_COOKIE.

可是我不能没有你 2024-08-24 00:10:31

地址栏中无法添加POST数据。

您应该经常检查&清理 PHP 代码中获得的所有数据,因为任何人都可以将数据发布到您的所有页面。

不要信任页面外部的数据。清洁它&检查一下。

POST data can not be added in the address bar.

You should always check & sanitize all data you get in your PHP code, because anyone could post data to all of your pages.

Don't trust data from outside of your page. Clean it & check it.

扬花落满肩 2024-08-24 00:10:31

也许不是来自浏览器,但他们仍然可以使用 burp 代理等工具捕获请求(对其进行修改)并将其转发到提供的目的地。

Maybe not from the browser, but they can still catch the request (tinker with it) and forward it to the provided destination, with a tool like burp proxy.

昇り龍 2024-08-24 00:10:31

回答您的问题:不,无法使用地址栏发送帖子数据。

但是可以立即将发布数据发送到任何网址。例如使用 cURL 或 Firefox 扩展。因此,无论是 POST、GET、UPDATE 还是其他方式,请务必验证和清理您收到的所有数据。

这不是 iFrame 或 php 特定的,因此在每个 Web 应用程序中都应该考虑它。永远不要相信任何人发送的数据是正确的、有效的或安全的——尤其是当用户发送的数据时。

To answer your question: No, it is not possible to send post data using the addressbar.

BUT it is possible to send post data to any url in a snap. For example using cURL, or a Firefox extension. So be sure to verify and sanitize all the data you receive no matter if POST or GET or UPDATE or whatever.

This is not iFrame or php specific, so it should be considered in every webapplication. Never ever rely on data send by anyone being correct, valid or secure - especially when send by users.

寂寞花火° 2024-08-24 00:10:31

是的,他们绝对可以,使用 Firebug 等工具,以及 Gordon 列出的显然更专业的工具。此外,即使他们无法在您网站的浏览器中执行此操作,他们也始终可以创建自己的表单,或通过脚本或命令行工具提交发布数据。

您绝对不能依赖客户端来保证安全。

Yes, they absolutely can, with tools like Firebug, and apparently more specialized tools like the ones listed by Gordon. Additionally, even if they couldn't do it in the browser from your site, they could always create their own form, or submit the post data through scripting or commandline tools.

You absolutely cannot rely on the client for security.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文