
Any security vulnerabilities with this JSON response?

I had to update a form on a certain web page in order to change what I wanted. It didn't go through, but instead of sending back a simple text reply saying "this doesn't work", they sent the entire JSON response to the display. I'm just curious whether this response poses any security vulnerability, either to me or to the server I contacted to handle my request.

PS: the "***" in the response are there because I wasn't sure it would be right to provide that information. Even without it, though, the response is fairly self-explanatory.

Here is the response:

{"name":"StatusCodeError","statusCode":409,"message":"409 - [object Object]","error":{"status":"failure","message":"Email has already been taken.","code":91,"data":null,"error":{"message":"None"}},
"options":{"uri":"*********","method":"POST","headers":{"Authorization":"Bearer *********=","Cookie":"*********=;cm_sub=denied","User-Agent":"********","Accept-Language":"en-US","Original-Accept-Language":"********","X-********-InstallId":"*****","X-*****-AppState":"active","X-*****-Parent-Rid":"********","X-*****-Root-Rid":"********","X-*****-Rid":"*****","X-Pixel-Ratio":1,"X-*****-App-Type":5,"X-Prefer-User-Locale":"1","X-Real-Ip":"********","X-*****-Real-Ip":"*****","X-*****-Csrf":"********","X-*****-Installed-Browser-Extension":"false","X-********-Referrer":"********","X-Bot":"false","X-Referrer":"********","X-Url":"********"},"form":{"base_scheme":"https","client_id":1431601,"timestamp":*****,"country":"US","email":"*****","oauth_signature":"********"},"traceId":false,"parseJson":true,"resolveWithFullResponse":true,"json":true,"simple":true},
"response":{"statusCode":409,"body":{"status":"failure","message":"********","code":********,"data":null,"error":{"message":"None"}},"headers":{"server":"nginx","date":"Sun, 10 Mar 2019 16:08:31 GMT","content-type":"application/json","content-length":"112","connection":"close","*****-version":"*****","x-content-type-options":"*****","x-frame-options":"DENY","*****-generated-by":"********"},"request":{"uri":{"protocol":"http:","slashes":true,"auth":null,"host":"*****","port":"*****","hostname":"localhost","hash":null,"search":null,"query":null,"pathname":"********","path":"/v3/users/settings/","href":"********"},"method":"POST","headers":{"Authorization":"********","Cookie":"********","User-Agent":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/******** Safari/537.36","Accept-Language":"en-US","Original-Accept-Language":"en-US,en;q=0.9","X-*****-InstallId":"********","X-*****-AppState":"active","X-*****-Parent-Rid":"********","X-*****-Root-Rid":"*************","X-*****-Rid":"*****","X-Pixel-Ratio":1,"X-*****-App-Type":5,"X-Prefer-User-Locale":"1","X-Real-Ip":"*****","X-*****-Real-Ip":"********","X-********-Csrf":"********","X-*****-Installed-Browser-Extension":"false","X-********-Referrer":"*************","X-Bot":"false","X-Referrer":"********","X-Url":"********","content-type":"application/x-www-form-urlencoded","accept":"application/json","content-length":179}}}}

Here is what I learned from this server response. The first thing I noticed is that your protocol is using http.

"protocol":"http:"

HTTP is a plaintext, unencrypted form of communication. This is important because if someone is sniffing your traffic, they will be able to read the transmission you posted here (without the ***** blocking the sensitive data).

The next thing I noticed was your authorization token.

"Authorization":"Bearer *********="

Given that the message is in plaintext, an attacker would be able to steal your token. With this token, the attacker could communicate with the server as the authorized user, gaining access to (and possibly the ability to modify) private information.

On another note, since we are assuming the attacker has already sniffed your unencrypted traffic, they could also take note of your client's computer/browser information:

"User-Agent":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/******** Safari/537.36"

From this information, the attacker can learn that the client is using Windows 8.1 and which browser/version is installed on the client's machine. With these system specs, the attacker could launch targeted attacks against the client's computer (especially if your OS or browser version is outdated/insecure).

So, to answer your question, yes, there are security vulnerabilities on both the client and the server.

However, simply switching from HTTP to HTTPS would make a big difference in limiting your exposure.
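As an added example (not from the original question or answer), the following Node.js snippet shows how a server could audit a request-promise style error object like the one above before it is ever shown to a user: it flags a plaintext http: request and replaces the Authorization, Cookie, CSRF and signature fields with a placeholder. The sample object, its values and the helper names are constructed for this example.

```javascript
// Added example (not from the original post): audit a request-promise style
// StatusCodeError object like the one in the question, flag the fields that
// should never reach an end user, and return a redacted copy for display/logs.
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie", "set-cookie"]);
const SECRET_KEY = /csrf|signature|secret|password|token/i;

// Replace every key accepted by keyFilter with a placeholder, recording a finding.
function scrubObject(obj, path, findings, keyFilter) {
  if (!obj || typeof obj !== "object") return;
  for (const name of Object.keys(obj)) {
    if (keyFilter(name)) {
      findings.push(`${path}.${name}: secret exposed`);
      obj[name] = "[REDACTED]";
    }
  }
}

function auditErrorResponse(err) {
  const findings = [];
  const redacted = JSON.parse(JSON.stringify(err)); // deep copy; input left intact
  // request-promise records the outgoing request twice: options and response.request
  const requests = [["options", redacted.options],
                    ["response.request", redacted.response && redacted.response.request]];
  for (const [path, req] of requests) {
    if (!req) continue;
    // uri is either a string ("http://...") or a parsed URL object ({protocol: "http:"})
    const proto = typeof req.uri === "string" ? req.uri.split(":")[0] + ":" : req.uri && req.uri.protocol;
    if (proto === "http:") findings.push(`${path}.uri: request sent over plaintext http`);
    scrubObject(req.headers, `${path}.headers`, findings,
      (n) => CREDENTIAL_HEADERS.has(n.toLowerCase()) || SECRET_KEY.test(n));
    scrubObject(req.form, `${path}.form`, findings, (n) => SECRET_KEY.test(n));
  }
  return { findings, redacted };
}

// Constructed sample shaped like the response in the question (all values made up).
const SAMPLE_ERROR = {
  name: "StatusCodeError", statusCode: 409, message: "409 - [object Object]",
  options: { uri: "http://localhost/v3/users/settings/", method: "POST",
    headers: { Authorization: "Bearer AAAA=", Cookie: "sid=BBBB", "X-Csrf": "CCCC",
               "User-Agent": "Mozilla/5.0" },
    form: { client_id: 1431601, email: "user@example.com", oauth_signature: "DDDD" } },
  response: { statusCode: 409,
    request: { uri: { protocol: "http:", hostname: "localhost", path: "/v3/users/settings/" },
               headers: { Authorization: "Bearer AAAA=", Cookie: "sid=BBBB" } } },
};

const audit = auditErrorResponse(SAMPLE_ERROR);
console.log(audit.findings.join("\n")); // 8 findings for the sample above
```

The redacted copy is what belongs in a user-facing error page or a log line; the original object with the live bearer token should never leave the server process.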
