查找安全页面上的所有不安全内容

发布于 2024-10-12 12:26:09 字数 329 浏览 6 评论 0原文

查找 HTTPS 页面请求的所有非 HTTPS URL 列表的最有效方法是什么?如果发生这种安全违规,每个浏览器都会向用户发出警报,但我找不到一种简单的方法来查找导致违规的确切 URL。

到目前为止我发现的最简单的方法是使用 Firefox,但即便如此,它仍然不是很方便。首先,我可以右键单击,选择“查看页面信息”,单击“媒体”选项卡,然后滚动浏览 URL 列表。然而,这似乎只列出了图像文件,而不是也可能导致错误的 CSS 或 JS 包含。对于这些,我必须使用 Firebug 扩展,选择“网络”选项卡,然后手动将鼠标悬停在每个项目上才能查看整个 URL。不幸的是,如果您有数十个媒体文件,这可能需要一段时间。有更好的办法吗?

What's the most efficient way to find a list of all non-HTTPS URLs requested by an HTTPS page? If this kind of security violation happens, every browser alerts the user, but I can't find an easy way to find what exact URLs cause the violation.

The easiest way I've found so far is to use Firefox, but even then it's still not very convenient. First, I can right-click, select View Page Info, click the Media tab, and scroll through a list of URLs. However, this seems to only list image files, not CSS or JS includes that can also cause the error. For those, I have to use the Firebug extension, select the Net tab, and manually hover my mouse over each item to see the entire URL. Unfortunately, this can take a while if you have dozens of media files. Is there a better way?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(12

梦纸 2024-10-19 12:26:10

如果您拥有该网站,则应该查看 Content- Security-Policy 标头选项。 其中可以包括 在资源上强制使用 HTTPS, 或自动尝试 将 HTTP 资源重定向到 HTTPS,等等。

值得注意的是,还有一个 report-uri 指令,用于密切相关的 Content-Security-Policy-Report-Only 标头,将 CSP 的任何违规行为报告到您选择的 uri。这意味着任何支持 1 report-uri 的浏览器都会持续向您发送有关您网站上存在 HTTPS 问题的页面的报告。 Mozilla 开发者网络有 处理报告的 PHP 示例


1 请注意,如果您可以合理预期任何完全支持 CSP(RO) 的浏览器都能访问相关页面,那么某些浏览器不支持也没关系为了它。

If you own the website, you should look into the Content-Security-Policy header options. These can include forcing HTTPS on resources, or automatically attempting to redirect HTTP resources to HTTPS, among other things.

Notably, there is also a report-uri directive for the closely-related Content-Security-Policy-Report-Only header that reports any infractions of your CSP to a uri of your choosing. This means that any browser with support1 for report-uri will send you reports of pages on your site with problematic HTTPS on an ongoing basis. Mozilla Developer Network has a PHP example of handling the reports.


1 Note that if you can reasonably expect any browser with full CSP(RO) support to hit the pages in question, it doesn't matter that some browsers do not have support for it.

怎会甘心 2024-10-19 12:26:10

我只是想记录一下当这个问题出现时我发生了什么。

突然我的域名显示“混合:不安全的项目”。我根本找不到原因。控制台仅显示正在请求的图像:http://www.example.com/,我在任何地方都找不到任何引用。

我搜索了又搜索,最终发现在 Chrome 的“安全”选项卡中,显示“不安全内容”的地方显示“在网络选项卡中显示”。当我点击它时,它再次向我显示错误的 URL,除了 Initiatior 列之外没有任何信息。它显示了图像 footer_bg.jpg

我想知道是否有人将代码注入到我的页脚背景图像中?事实证明没有,我昨天无意中移动了该图像并忘记了它。因此该页面请求的图像不存在,并返回错误。我修复了图像的链接,页面再次安全加载。

仅供将来可能遇到此问题的其他人使用。

I just want to leave a note about what happened to me when this problem arose.

Suddenly my domain showed 'Mixed: Insecure Items'. I couldn't find the cause at all. The console was just showing an image was being requested: http://www.example.com/, Which I could not find any reference to anywhere.

I searched and searched and eventually found that in the Security Tab of Chrome, Where it was displaying 'Insecure Content' it said 'Show in Network Tab'. When I clicked that, It was showing me the bad URL, again, with no information apart from the Initiatior column. It was showing the image footer_bg.jpg.

Had someone injected code into my footer background image I wondered? Turns out no, I had inadvertently moved that image yesterday and forgot about it. So the page was requesting an image that wasn't there, returning an error. I fixed the link to the image and page loads securely again.

Just for anyone else that will possibly have this problem in the future.

ヤ经典坏疍 2024-10-19 12:26:10

如果您想要对整个网站进行一次性、相当全面的递归扫描,您可以使用 Bramus 的 来自 CLI 的混合内容扫描。它不会检查补充 JS/CSS 中的链接,但它非常适合查找 3 年前实习生发布的危险非 SSL 脚本的帖子。

对于正在进行的解决方案,请参阅我的其他答案

If you want a one-shot, reasonably-comprehensive, recursive scan of an entire website, you can use Bramus's mixed-content-scan from the CLI. It won't check links in supplemental JS/CSS, but it's great for finding that one post that the intern from 3 years ago put up with a dangerous non-SSL script.

For an ongoing solution, see my other answer.

红ご颜醉 2024-10-19 12:26:10

使用 Burp Suite,将范围设置为您的网站,浏览到安全页面并检查发出了哪些请求您网站的 HTTP 版本。

Use Burp Suite, set up the scope as your website, browse to the secure page and check which request are made to HTTP version of your website.

入怼 2024-10-19 12:26:10

我们在内部网站上遇到了这个问题。资产中使用的 URL 都不是 HTTP 协议,但问题是我们在脚本标记中使用了不正确的 URL(也包含 HTTP 协议),这导致 MSEdge 使用 HTTP 方案进行回退,因为 HTTP 协议的 URL 无法被使用。达到了。修复错误的 URL 是我们的解决方案。

We encountered this on an internal site. None of the URLs used in the assets were with HTTP but the problem was that we used an incorrect URL (also with HTTPs) in script tag and that led MSEdge to use a fallback to use HTTP scheme, since the HTTPs URL couldn't be reached. Fixing the incorrect URL was the solution for us.

一念一轮回 2024-10-19 12:26:09

请注意,在最新版本的 Chrome 中,这些错误将显示在 Javascript 控制台中。

例如

The page at https://mysecuresite.com displayed insecure content from http://unsecuresite.com/some.jpg.

Note, in recent versions of Chrome, these errors will be displayed in the Javascript Console.

e.g.

The page at https://mysecuresite.com displayed insecure content from http://unsecuresite.com/some.jpg.
冷心人i 2024-10-19 12:26:09

尝试:www.WhyNoPadlock.com 它将为您提供任何 https 网页上所有不安全内容的报告。

Try: www.WhyNoPadlock.com It will give you a report of all insecure content on any https web page.

千年*琉璃梦 2024-10-19 12:26:09

您可以使用 SslCheck

这是一个免费的在线工具,可以递归地抓取网站(跟踪所有内部链接)并扫描不安全的内容 - 图像、脚本和CSS。

(免责声明:我是开发者之一)

You can use SslCheck

It's a free online tool that crawls a website recursively (following all internal links) and scans for unsecure content - images, scripts and CSS.

(disclaimer: I'm one of the developers)

猥琐帝 2024-10-19 12:26:09

我最近也遇到了同样的问题。使用Chrome的开发者工具,更容易找到。在开发者工具中,转到安全选项卡。在那里您可以找到所有非 HTTPS 请求。

屏幕截图开发者工具“安全”选项卡

I recently had the same issue. Using Chrome's Developer Tools, it was easier to find. In Developer Tools, go to the Security tab. There you can find all non-HTTPS requests.

Screenshot of the Developer Tools 'Security' tab

じее 2024-10-19 12:26:09

我在 javascript 中遇到了这个问题:

/* for Internet Explorer */
/*@cc_on @*/
/*@if (@_win32)
    document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
(.....)

应该避免 src=javascript:void(0)

使用 Fiddler 或 Chrome 无法发现此问题。

I had this problem which occurred in a javascript:

/* for Internet Explorer */
/*@cc_on @*/
/*@if (@_win32)
    document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
(.....)

The src=javascript:void(0) should be avoided.

You can not find this problem using Fiddler or Chrome.

压抑⊿情绪 2024-10-19 12:26:09

使用提琴手。

安全请求根本不会显示(HTTPS CONNECT 除外,它可以隐藏),因此您看到的一切都很糟糕。

Use Fiddler.

Secure requests won't show up at all (except as HTTPS CONNECTs, which can be hidden), so everything you'll see is bad.

随遇而安 2024-10-19 12:26:09

您可以检查 https://www.missingpadlock.com/

是一个在线工具,用于抓取您的网站以查找不安全的页面。

You can check https://www.missingpadlock.com/

Is a online tool for crawl your site for find insecure pages.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文