首页 新闻 搜索 专区 学院

form表单提交,扫描问题说有明文传输

0
悬赏园豆:10 [已解决问题] 解决于 2022-10-10 09:11

1.现象

  1. 老项目,用的jquery.
  2. validate.js,用于表单验证

我不明白,没用form表单的默认提交,也加密下发了,BurpSuip漏洞软件检测还是说项目,明文传输

$.validator.addMethod("required", function( value, element ) {
    if(value == ""){
        return false
    }
    return true
    }, "不能为空");

    $('#adminPwd_Settings').validate({
        rules: {
            name:{
                required:true,
                ...
            },
            pass:
            {
                required:true
            }
        },
        submitHandler: function(form)	{	Check();	}//验证通过后会执行,Check()
    });
});
function Check() {
    //用id获取值后加密
    var pass = $('#verifyPassword').val()
    //加密
    var enPass = AES(pass)
    // enPass发接口
}

下面是扫描结果

  • Issue detail
    The page contains a form with the following action URL, which is submitted over clear-text HTTP:
    http://192.168.10.1/Admin.html?_=1661766634589
  • The form contains the following password fields:
    OriginalPassword
    password_Admin
    verifyPassword

Request

GET /Admin.html?_=1661766634589 HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.10.1/SystemLog.html
Cookie: uid=Cpc3GyXXf2%3B%20secure%3B%20httponly

Response

HTTP/1.0 200 OK
Date: Thu Jan 1 08:15:25 1970
Server: GoAhead-Webs
Last-modified: Fri Aug 12 04:44:39 2022
Content-length: 25097
Content-type: text/html
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns= "http://www.w3c.org/1999/xhtml">

<head>
<title>..................</ti
...[SNIP]...
<!-- ------------------ general -------------------- -->
               <form name="adminpassword_Settings" id="adminpassword_Settings" method="POST" action="">
               <input id="sumbit_CheckData" class="submit" type="submit" value="Submit" style="display:none" />
...[SNIP]...
<td>
                           <input class="styled-text" type="password" name="OriginalPassword" id="OriginalPassword" autocomplete="new-password" size="63">
                       </td>
...[SNIP]...
<td>
                           <input class="styled-text" type="password" name="password_Admin" size="63" autocomplete="new-password" id="password_Admin" value="">
                           <span id="psdStrength">
...[SNIP]...
<td>
                           <input class="styled-text" type="password" name="verifyPassword" id="verifyPassword" autocomplete="new-password" size="63">
                       </td>
...[SNIP]...
要跑啊的主页 要跑啊 | 初学一级 | 园豆:196
提问于:2022-09-23 16:43

用不了https

要跑啊 2个月前
< >
分享
最佳答案
0

要申请一个证书,然后启用https
你这种加密,只是技术加密
不是传输方式加密

收获园豆:10
Giant150 | 小虾三级 |园豆:1154 | 2022-09-23 17:18
其他回答(3)
0

有没有一种可能是你的字段中包含了password关键字,你换成其他的时候,或者缩写

南宫懿痕-减肥20斤 | 园豆:237 (菜鸟二级) | 2022-09-23 17:07

试过了,将password改成pwd,还是有

支持(0) 反对(0) 要跑啊 | 园豆:196 (初学一级) | 2022-09-23 17:11
0

明文是指有可以阅读的东西,你再转也是字符吧。你要转成不能还原成字符的字节流。
是不是开https就可以了

ensleep | 园豆:1666 (小虾三级) | 2022-09-23 17:13
0

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://192.168.10.1/Admin.html?_=1661766634589

这个英文是看不懂吗? 说的很明白了, 何不借助翻译软件先看看呢?
就是说, 你有表单, 但是http的. 要么去掉表单, 要么改为 https.

IginCui | 园豆:204 (菜鸟二级) | 2022-11-24 20:00
清除回答草稿
   您需要登录以后才能回答,未注册用户请先注册