Will hidden parameters with request scope create a security issue in the application?
In my application I am using hidden parameters to store the success and error URLs. Depending on certain actions the page will be redirected to either the success or the error URL. The hidden parameters are request scoped. Below is a snippet of the source code from the browser.
<input value="success.jsp" type="hidden" name="successURL">
<input value="error.jsp" type="hidden" name="errorURL">
In case someone tries to change the hidden parameter and inject some other URL, it will affect only that user's session. When security tools are run they report the issue with hidden parameters. But I am not sure if the security tools have the intelligence to check the scope of a parameter and decide which parameters are really harmful. The tool will usually just inject some other URL into the hidden parameters and try to see if the site is being moved. But as far as the application is concerned, I feel hidden parameters with request scope will not create any harm.
I am not sure if my understanding is right.
Comments (1)
This really depends on your application.
For instance, given that a malicious user alters the errorURL to a server he owns and an error-prone input is inserted, your application will probably throw an exception, and maybe the details of this exception are sent to the errorURL, which will give the malicious user more information about your server and configuration, making your application (and the hosting server) more vulnerable to attacks.
Hidden inputs are to be very well thought through.
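The point the answer makes is that the redirect target comes from the client, so the server must not trust it. As an added example (not code from the question or the answer), here is a hypothetical servlet that only redirects to one of the pages it already knows, and never forwards exception details to a client-supplied URL. It assumes the Servlet API under the javax.servlet namespace and Java 9 or later for Set.of; ActionServlet, safeTarget and performAction are names chosen for this illustration.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that receives the form carrying successURL / errorURL.
public class ActionServlet extends HttpServlet {

    // The only pages this action may ever redirect to. Because the check is an
    // exact match against this set, absolute URLs ("https://evil.example/..."),
    // protocol-relative URLs ("//evil.example") and encoded variants are all
    // rejected without any URL parsing.
    private static final Set<String> ALLOWED_TARGETS = Set.of("success.jsp", "error.jsp");

    /**
     * Returns the submitted value only if it is one of the known local pages;
     * anything else (including a missing parameter) falls back to a server-chosen page.
     */
    static String safeTarget(String submitted, String fallback) {
        if (submitted == null) {
            return fallback;
        }
        String candidate = submitted.trim();
        return ALLOWED_TARGETS.contains(candidate) ? candidate : fallback;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String onSuccess = safeTarget(req.getParameter("successURL"), "success.jsp");
        String onError = safeTarget(req.getParameter("errorURL"), "error.jsp");
        try {
            performAction(req);
            resp.sendRedirect(onSuccess);
        } catch (Exception e) {
            // Keep the stack trace in the server log only; the client sees a
            // plain redirect to a page the server itself chose.
            log("action failed", e);
            resp.sendRedirect(onError);
        }
    }

    // Placeholder for the application's real business logic.
    private void performAction(HttpServletRequest req) throws Exception {
    }
}
```

With this in place a tampered errorURL such as "http://attacker.example/collect" is simply replaced by error.jsp, so the scanner finding becomes a false positive rather than a live open redirect.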