[英]Web security - Preventing post requests from tools like fiddler
Using fiddler I can intercept an ajax post request and with request composer I can resend the same request, causing the server to respond it normally. 使用提琴手,我可以拦截ajax发布请求,而使用请求编辑器,我可以重新发送相同的请求,从而使服务器正常响应。 It doesnt matter if protocol is http or https (fiddler deciphers HTTPS traffic), with tools like Fiddler it is just possible. 协议是http还是https(fiddler解密HTTPS流量)都没有关系,使用Fiddler之类的工具是可能的。
On web applications side is it possible to understand or prevent such requests? 在Web应用程序方面,是否可以理解或阻止此类请求? How? 怎么样?
No. There's no way to prevent this. 不,没有办法防止这种情况。 URLs are meant to be accessed. URL是要访问的。 If it shouldn't be accessed, don't put it online or require some method of authentication. 如果不应该访问它,请不要将其联机或需要某种身份验证方法。 Some clients may pass an identifiable User-Agent header that can be restricted, and Fiddler probably does as well. 一些客户端可能会传递一个可识别的User-Agent标头,该标头可能会受到限制,Fiddler也可能会这样做。 However, the whole point of tools like Fiddler is to be able to make any type of custom request, which includes this User-Agent string. 但是,诸如Fiddler之类的工具的全部重点是能够发出任何类型的自定义请求,其中包括此User-Agent字符串。 So, even if you block the default User-Agent, there's nothing stopping the user of Fiddler from changing the User-Agent to something that won't be blocked. 因此,即使您阻止默认的User-Agent,也没有什么能阻止Fiddler的用户将User-Agent更改为不会被阻止的内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.