URL 中带有 .bat/.exe 的用户名 - 替代
[英]Usernames with .bat/.exe in the URL - alternative
问题描述
I am working with a URL which takes in the username for a GET call.
我正在使用一个 URL,它接受 GET 调用的用户名。 Ex: https://example.com/details/ < username >例如: https : //example.com/details/ <用户名>
However, if the username contains ".bat" or ".exe" (ex: mm.baty - https://example.com/details/mm.baty ), there might be some security issues.但是,如果用户名包含“.bat”或“.exe”(例如:mm.baty - https://example.com/details/mm.baty ),则可能存在一些安全问题。
What are some suggestions for sending the username through the URL, without compromising the security issues.在不影响安全问题的情况下,通过 URL 发送用户名有哪些建议?
Thank you for your help!感谢您的帮助!
1 个解决方案
解决方案1
0 2019-08-13 12:09:45
Assuming you're using query parameters (say /?username=userone ), anyone can modify the value and enter some malicious values as parameter.假设您正在使用查询参数(比如/?username=userone ),任何人都可以修改该值并输入一些恶意值作为参数。
You can implement a regex pattern that checks the params for potentially malicious values, and deal with the response accordingly.您可以实现一个正则表达式模式来检查参数是否存在潜在的恶意值,并相应地处理响应。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.