I don't understand, it didn't work
form
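This is the form's default submit, and I also encrypt the value before sending it, but the Burp Suite vulnerability scanner still reports the project as transmitting in cleartext.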
$(function () {
    // Custom "required" rule: fail on an empty value
    $.validator.addMethod("required", function (value, element) {
        if (value == "") {
            return false;
        }
        return true;
    }, "不能为空");
    $('#adminPwd_Settings').validate({
        rules: {
            name: {
                required: true,
                // ...
            },
            pass: {
                required: true
            }
        },
        // Runs Check() once validation has passed
        submitHandler: function (form) { Check(); }
    });
});
function Check() {
    // Read the value by id, then encrypt it
    var pass = $('#verifyPassword').val();
    // Encrypt
    var enPass = AES(pass);
    // Send enPass to the API
}
http://192.168.10.1/Admin.html?_=1661766634589
GET /Admin.html?_=1661766634589 HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.10.1/SystemLog.html
Cookie: uid=Cpc3GyXXf2%3B%20secure%3B%20httponly
HTTP/1.0 200 OK
Date: Thu Jan 1 08:15:25 1970
Server: GoAhead-Webs
Last-modified: Fri Aug 12 04:44:39 2022
Content-length: 25097
Content-type: text/html
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns= "http://www.w3c.org/1999/xhtml">
<head>
<title>..................</ti
...[SNIP]...
<!-- ------------------ general -------------------- -->
<form name="adminpassword_Settings" id="adminpassword_Settings" method="POST" action="">
<input id="sumbit_CheckData" class="submit" type="submit" value="Submit" style="display:none" />
...[SNIP]...
<td>
<input class="styled-text" type="password" name="OriginalPassword" id="OriginalPassword" autocomplete="new-password" size="63">
</td>
...[SNIP]...
<td>
<input class="styled-text" type="password" name="password_Admin" size="63" autocomplete="new-password" id="password_Admin" value="">
<span id="psdStrength">
...[SNIP]...
<td>
<input class="styled-text" type="password" name="verifyPassword" id="verifyPassword" autocomplete="new-password" size="63">
</td>
...[SNIP]...
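You need to apply for a certificate and then enable HTTPS.
The encryption you are doing is only technical encryption,
not encryption of the transport.
Is it possible that your field names contain the keyword password? Try changing it to something else, or to an abbreviation.
I tried that, changed password to pwd, and it is still reported.
Cleartext means something that can be read; however you convert it, it is still characters. You need to convert it into a byte stream that cannot be restored to characters.
Would enabling HTTPS be enough?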
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://192.168.10.1/Admin.html?_=1661766634589
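Can't you read this English? It says it very clearly. Why not run it through translation software first?
It means: you have a form, but it is on http. Either remove the form or switch to https.
Can't use https
– 要跑啊 2 years ago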
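The check that the quoted finding describes can be reproduced offline. The sketch below is an added example, not code from the thread and not Burp Suite's implementation: it resolves each form's action against the page URL and reports forms that contain a password input and would submit over http://. It assumes the check keys on `type="password"` inputs; `findCleartextPasswordForms`, `attr` and the trimmed sample markup (including the renamed `pwd_Admin` field) are constructed for illustration.

```javascript
// Return the value of one attribute from a tag's raw attribute text, or null.
function attr(attrs, name) {
  const re = new RegExp(
    '(?:^|\\s)' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  return m ? (m[1] || m[2] || m[3] || '') : null;
}

// Report forms that hold a password input and resolve to an http:// target.
function findCleartextPasswordForms(pageUrl, html) {
  const findings = [];
  // Tolerates a missing </form>, as in a snipped response body.
  const formRe = /<form\b([^>]*)>([\s\S]*?)(?=<\/form>|<form\b|$)/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const pwFields = [];
    const inputRe = /<input\b([^>]*)>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      if ((attr(i[1], 'type') || '').toLowerCase() === 'password') {
        pwFields.push(attr(i[1], 'name') || attr(i[1], 'id') || '(unnamed)');
      }
    }
    if (pwFields.length === 0) continue;
    // An empty or missing action submits to the page's own URL, so the
    // scheme of the page decides whether the POST body is protected.
    const target = new URL(attr(f[1], 'action') || pageUrl, pageUrl);
    if (target.protocol === 'http:') {
      findings.push({ form: attr(f[1], 'id'), action: target.href, pwFields });
    }
  }
  return findings;
}

// Constructed sample: the form from the response above, trimmed, with one
// field renamed the way the poster tried (password -> pwd).
const PAGE_URL = 'http://192.168.10.1/Admin.html?_=1661766634589';
const SAMPLE_HTML = `
<form name="adminpassword_Settings" id="adminpassword_Settings" method="POST" action="">
<input id="sumbit_CheckData" class="submit" type="submit" value="Submit" style="display:none" />
<input class="styled-text" type="password" name="OriginalPassword" id="OriginalPassword">
<input class="styled-text" type="password" name="pwd_Admin" id="pwd_Admin" value="">
<input class="styled-text" type="password" name="verifyPassword" id="verifyPassword">
</form>`;

console.log(findCleartextPasswordForms(PAGE_URL, SAMPLE_HTML));
```

The same markup served from an https:// page URL yields no findings, whatever a submit handler does to the field values.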