Packet capture walkthrough: using passive mixed content to get around the browser security policy that blocks insecure (HTTP) requests from HTTPS pages


/* Pass in loginId so that it is attached to the token as a parameter; this makes it easy to later read the specified user's entry from the specified cache */

GET /multitalk/takePhone.php?loginId=4edc153568311361687793 HTTP/1.1

Host: txl.cytxl.com.cn
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
X-DevTools-Emulate-Network-Conditions-Client-Id: C8EFF1D4-1388-4532-914A-0CB01EF8606F
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Content-Type: application/json;charset=utf-8
Referer: https://txl.cytxl.com.cn/html5/multi-party-call/index.html
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: PHPSESSID=qrdiaim3ql1s8m811tutf7k7d1

HTTP/1.1 200 OK
Date: Fri, 31 Aug 2018 02:38:41 GMT
Server: Apache
Content-Length: 373
Keep-Alive: timeout=30, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"code":0,"data":{"resultcode":"000","url":"http:\/\/www.cmpassport.com\/openapi\/getMobileAllR?ver=1.0&msgId=d41d8cd98f00b204e9800998ecf8427e&appId=000085&timestamp=20180831103841285&accessToken=2cb917bd01cef8704bb7c91df400273b&openType=0&message=&expandParams=multitalk%3D4edc153568311361687793&redirectUrl=https%3A%2F%2Ftxl.cytxl.com.cn%2Fapi%2FmobileR.php"},"msg":"ok"}

The returned url, after decoding, is:

http://www.cmpassport.com/openapi/getMobileAllR?ver=1.0&msgId=d41d8cd98f00b204e9800998ecf8427e&appId=000085&timestamp=20180831103841285&accessToken=2cb917bd01cef8704bb7c91df400273b&openType=0&message=&expandParams=multitalk=4edc153568311361687793&redirectUrl=https://txl.cytxl.com.cn/api/mobileR.php

/* From an https page, an http request can be issued by loading the URL as a static resource; this only works for GET, and the http response cannot be read */

GET /openapi/getMobileAllR?ver=1.0&msgId=d41d8cd98f00b204e9800998ecf8427e&appId=000085&timestamp=20180831103841285&accessToken=2cb917bd01cef8704bb7c91df400273b&openType=0&message=&expandParams=multitalk%3D4edc153568311361687793&redirectUrl=https%3A%2F%2Ftxl.cytxl.com.cn%2Fapi%2FmobileR.php HTTP/1.1
Host: www.cmpassport.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: image/webp,*/*;q=0.8
X-DevTools-Emulate-Network-Conditions-Client-Id: C8EFF1D4-1388-4532-914A-0CB01EF8606F
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6

HTTP/1.1 302 Found
Server: nginx
Date: Fri, 31 Aug 2018 02:38:34 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: private
Expires: Thu, 01 Jan 1970 08:00:00 CST
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: *
Content-Language: zh
Vary: Accept-Language
Location: https://txl.cytxl.com.cn/api/mobileR.php?token=4fc02d4f5a1dfa8b45537d9c3a1d74c9

/* Because an http request issued via a static-resource load cannot return its http response, the result is handled through the redirectUrl callback address and a temporary cache */

GET /api/mobileR.php?token=4fc02d4f5a1dfa8b45537d9c3a1d74c9 HTTP/1.1
Host: txl.cytxl.com.cn
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: image/webp,*/*;q=0.8
X-DevTools-Emulate-Network-Conditions-Client-Id: C8EFF1D4-1388-4532-914A-0CB01EF8606F
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: PHPSESSID=qrdiaim3ql1s8m811tutf7k7d1

HTTP/1.1 200 OK
Date: Fri, 31 Aug 2018 02:38:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 100
Keep-Alive: timeout=30, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

/* Read the cached result by loginId */

GET /api/dfdh/mobileR.php?loginId=4edc153568311361687793 HTTP/1.1
Host: txl.cytxl.com.cn
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
X-DevTools-Emulate-Network-Conditions-Client-Id: C8EFF1D4-1388-4532-914A-0CB01EF8606F
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; SM-N900T Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Content-Type: application/json;charset=utf-8
Referer: https://txl.cytxl.com.cn/html5/multi-party-call/index.html
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: PHPSESSID=qrdiaim3ql1s8m811tutf7k7d1

HTTP/1.1 200 OK
Date: Fri, 31 Aug 2018 02:38:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 98
Keep-Alive: timeout=30, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"code":0,"data":{"loginId":"4edc153568311361687793","mobileNumberMask":"139****2857"},"msg":"ok"}
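The four captures above form one flow: decode the handed-back URL, load it as passive mixed content because an active request would be blocked, let the 302 land the result on the HTTPS origin, then read the cache by loginId. The following Node.js script is an added example, not code from the original page or from the site being captured. It reproduces the decoding step the page does by hand, classifies why the detour is needed, and adds two defender-side checks that the captures do not show and that are therefore assumptions: that the redirectUrl must point at the site's own HTTPS origin, and that a cache read is only accepted when it actually carries a result. The JSON bodies embedded below are copied from the captures; the browser-only image load is guarded so the script runs stand-alone.

```javascript
// Added example (not from the original page): models the passive-mixed-content detour
// shown in the capture. Runs under Node.js 10+ (global URL/URLSearchParams).

// Constructed copy of the takePhone.php response body from the capture. JSON keeps the
// slashes escaped as "\/", which is why the page shows a decoded version of the URL.
const TAKE_PHONE_RESPONSE =
  '{"code":0,"data":{"resultcode":"000","url":"http:\\/\\/www.cmpassport.com\\/openapi\\/getMobileAllR' +
  '?ver=1.0&msgId=d41d8cd98f00b204e9800998ecf8427e&appId=000085&timestamp=20180831103841285' +
  '&accessToken=2cb917bd01cef8704bb7c91df400273b&openType=0&message=' +
  '&expandParams=multitalk%3D4edc153568311361687793' +
  '&redirectUrl=https%3A%2F%2Ftxl.cytxl.com.cn%2Fapi%2FmobileR.php"},"msg":"ok"}';

// Constructed copy of the final cache-read response body from the capture.
const CACHE_READ_RESPONSE =
  '{"code":0,"data":{"loginId":"4edc153568311361687793","mobileNumberMask":"139****2857"},"msg":"ok"}';

// Step 1: parse the JSON and URL-decode the query parameters of the handed-back URL.
// URLSearchParams percent-decodes for us, so "multitalk%3D..." becomes "multitalk=...".
function decodeHandoffUrl(jsonBody) {
  const body = JSON.parse(jsonBody);
  const url = new URL(body.data.url);
  const expandParams = url.searchParams.get("expandParams") || "";
  const [expandKey, loginId] = expandParams.split("=");
  return {
    host: url.host,
    protocol: url.protocol,
    expandKey,
    loginId,
    redirectUrl: url.searchParams.get("redirectUrl"),
  };
}

// Step 2: why the page cannot simply fetch() that URL. Browsers split mixed content into
// "blockable" requests (fetch/XHR/script/iframe/...), which are refused from an HTTPS page,
// and "optionally blockable" ones (img/audio/video), which 2018-era browsers loaded with
// a console warning. Current Chrome (86+) and Firefox (127+) auto-upgrade the latter to
// https:// and block them when the upgrade fails, so this detour no longer works there.
const OPTIONALLY_BLOCKABLE = new Set(["img", "audio", "video"]);

function classifyMixedContent(pageUrl, resourceUrl, element) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  if (page.protocol !== "https:" || res.protocol !== "http:") return "not-mixed";
  return OPTIONALLY_BLOCKABLE.has(element) ? "passive" : "blocked";
}

// Step 3 (browser only): the passive load. No response body ever reaches script; the
// only observable effect is that the HTTP server sees the GET and 302s to redirectUrl.
function fireAndForget(url) {
  if (typeof Image === "undefined") return false; // not in a browser (e.g. under Node)
  const probe = new Image();
  probe.src = url;
  return true;
}

// Step 4 (defender's check, an assumption not shown on the page): the callback must land
// on the site's own HTTPS origin, otherwise the token in the Location header goes elsewhere.
function isSafeRedirectTarget(redirectUrl, allowedOrigin) {
  let u;
  try { u = new URL(redirectUrl); } catch (e) { return false; }
  return u.protocol === "https:" && u.origin === allowedOrigin;
}

// Step 5: interpret the HTTPS cache read by loginId. Only a body that actually carries the
// masked number counts as a result; anything else means "not cached yet" (returns null).
function readCachedResult(jsonBody) {
  const body = JSON.parse(jsonBody);
  if (body.code !== 0 || !body.data || !body.data.mobileNumberMask) return null;
  return { loginId: body.data.loginId, mobileNumberMask: body.data.mobileNumberMask };
}

// Stand-alone demo of the whole flow against the captured bodies.
const handoff = decodeHandoffUrl(TAKE_PHONE_RESPONSE);
console.log("loginId carried in expandParams:", handoff.loginId);
console.log("classification of the handoff URL as <img>:",
  classifyMixedContent("https://txl.cytxl.com.cn/html5/multi-party-call/index.html",
    handoff.protocol + "//" + handoff.host + "/", "img"));
console.log("redirectUrl allowed:", isSafeRedirectTarget(handoff.redirectUrl, "https://txl.cytxl.com.cn"));
console.log("passive load attempted:", fireAndForget(handoff.protocol + "//" + handoff.host + "/"));
console.log("cache read:", readCachedResult(CACHE_READ_RESPONSE));
```

The classification function is the part worth keeping in mind when reviewing a flow like this: the same URL that is "passive" as an `<img>` is "blocked" as a fetch, which is exactly the gap the page's capture exploits, and it is the gap that current browsers have since closed by auto-upgrading image loads.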


 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM