- 浏览: 1031104 次
- 性别:
- 来自: 上海
文章分类
- 全部博客 (675)
- ios (214)
- android-course (5)
- unity3d (7)
- cocos2d (36)
- html5 (3)
- game (5)
- android (42)
- java (57)
- php (12)
- 创业 (10)
- SEO (3)
- 架构 (2)
- 数据库 (3)
- 产品设计 (9)
- 操作系统 (10)
- Web前端 (11)
- 其他 (50)
- GAE (1)
- mac os (8)
- Open Source (2)
- 序列号 (10)
- C (2)
- database (2)
- 算法 (6)
- 设计模式 (1)
- photoshop (1)
- 3dmax (1)
- maya (1)
- opengl (3)
- 游戏设计 (1)
- 趋势 (1)
- cocos2d-x (4)
- shell (3)
- c++ (30)
- lua (5)
- flash (1)
- spring (3)
- mysql (4)
- Git (6)
- xmpp (1)
- cocos2dx (14)
- mac (2)
- 编程规范 (2)
- windows (1)
- linux (5)
- coocs2dx (1)
- ubuntu (2)
- aws (1)
- OPENGLES (1)
- 原画 (1)
最新评论
-
jlees:
Best mobile app testing tool pc ...
iOS + XCode 4 + GHUnit = Mobile TDD+Continuous testing -
ipanda:
楼主,能否给一个Micro CloudFoundry的虚机或者 ...
Cloud Foundry使用及开发向导 -
love_zongming:
谢谢分享。。
visio2007序列号 -
雨花台舞水:
你这才是枪文把
套在 360 黑匣子外面的黑盒子:你被技术型枪稿吓到了么? -
hugh.wang:
改天试试
Mac版魔兽争霸3 1.24e下载
A common question we hear is “Can parameters be safely passed in URLs to secure web sites? ” The question often arises after a customer has looked at an HTTPS request in HttpWatch and wondered who else can see this data.
For example, let’s pretend to pass a password in a query string parameter using the following secure URL:
https://www.httpwatch.com/?password=mypassword
HttpWatch is able to show the contents of a secure request because it is integrated with the browser and can view the data before it is encrypted by the SSL connection used for HTTPS requests:
If you look in a network sniffer, like Network Monitor, at the same request you would just see the encrypted data going backwards and forwards. No URLs, headers or content is visible in the packet trace::
You can rely on an HTTPS request being secure so long as:
- No SSL certificate warnings were ignored
- The private key used by the web server to initiate the SSL connection is not available outside of the web server itself.
So at the network level, URL parameters are secure, but there are some other ways in which URL based data can leak:
-
URLs are stored in web server logs - typically the whole URL of each request is stored in a server log. This means that any sensitive data in the URL (e.g. a password) is being saved in clear text on the server. Here’s the entry that was stored in the httpwatch.com server log when a query string was used to send a password over HTTPS:
2009-02-20 10:18:27 W3SVC4326 WWW 208.101.31.210 GET /Default.htm password=mypassword 443 ...It’s generally agreed that storing clear text passwords is never a good idea even on the server.
-
URLs are stored in the browser history – browsers save URL parameters in their history even if the secure pages themselves are not cached. Here’s the IE history displaying the URL
parameter:Query string parameters will also be stored if the user creates a bookmark.
-
URLs are passed in Referrer headers – if a secure page uses resources, such as javascript, images or analytics services, the URL is passed in the Referrer request header of each embedded request. Sometimes the query string parameters may be delivered to and stored by third party sites. In HttpWatch you can see that our password query string parameter is being sent across to Google Analytics:
Conclusion
The solution to this problem requires two steps:
- Only pass around sensitive data if absolutely necessary. Once a user is authenticated it is best to identify them with a session ID that has a limited lifetime.
- Use non-persistent, session level cookies to hold session IDs and other private data.
The advantage of using session level cookies to carry this information is that:
- They are not stored in the browsers history or on the disk
- They are usually not stored in server logs
- They are not passed to embedded resources such as images or javascript libraries
- They only apply to the domain and path for which they were issued
Here’s an example of the ASP.NET session cookie that is used in our online store to identity a user:
Notice that the cookie is limited to the domain store.httpwatch.com and it expires at the end of the browser session (i.e. it is not stored to disk).
You can of course use query string parameters with HTTPS, but don’t use them for anything that could present a security problem. For example, you could safely use them to identity part numbers or types of display like ‘accountview’ or ‘printpage’, but don’t use them for passwords, credit card numbers or other pieces of information that should not be publicly available.
发表评论
-
Mac上安装Protocol Buffers
2016-09-18 11:29 8191.下载文件 (http://code.google.com ... -
webview点击获取图片
2016-04-01 17:12 827UILongPressGestureRecognizer * ... -
hexo 自动部署脚步
2016-03-29 21:17 932echo "===============star ... -
自定义navigationItem.leftBarButtonItem后,系统默认的手势滑动失效解决方案
2016-03-01 18:01 1280自定义navigationItem.le ... -
UITextView autolayout 高度自适应
2016-02-15 23:26 1413UITextView *t = [[UITextView ... -
腾讯敏捷框架TAPD》研究
2015-11-19 20:47 1420这篇文档是研究心得 ... -
ios image 压缩
2015-11-06 12:09 837- (UIImage *)_scaleToSize:(UII ... -
iphone分辨率图解
2015-11-04 17:33 565iphone分辨率图解 -
IOS中获取各种文件的目录路径的方法
2015-09-24 12:10 647iphone沙箱模型的有四个文件夹,分别是什么,永久数据存储 ... -
Customizing Navigation Bar and Status Bar in iOS 7
2015-08-17 20:23 1606Like many of you, I have been ... -
GCD 深入理解:第一部分
2015-07-24 14:49 767本文翻译自 http://www.raywenderlich ... -
Android监听键盘是否弹出,以及获取软键盘的高度
2015-07-02 19:31 1493网上介绍过监听键盘是否弹出的方法,我自己也是尝试过,不是 ... -
Mac上的抓包工具Charles
2015-05-06 01:09 5316Mac上的抓包工具Charles 分类: IO ... -
如何移除发布版本中的NSLog输出
2015-05-04 20:27 749Phone开发中会经常使用NSLog将一些运行信息输出到终端 ... -
linux安装android NDK
2015-04-20 19:14 1905Error:Execution failed for ta ... -
android studio 添加项目修改gradle2.2.3
2015-04-20 15:22 16041.build.gradle(Module:app) 去除对 ... -
xcode4的环境变量,Build Settings参数,workspace及联编设置
2015-03-27 11:23 925一、xcode4中的环境变量 $(BUILT_PROD ... -
数字签名是什么?
2014-11-25 16:58 616http://www.ruanyifeng.com/blog/ ... -
让你的Xcode更加高效
2014-10-29 00:16 518http://www.tairan.com/archives/ ... -
Android.mk无需手动添加cpp文件(cocos2d-x 3.2正式版)
2014-09-11 14:41 1026LOCAL_PATH := $(call my-dir) ...
相关推荐
《Strings字符串分析工具详解》 在计算机领域,字符串分析是一个重要的技术手段,尤其在病毒分析、逆向工程和软件调试中扮演着不可或缺的角色。Strings工具就是这样一个强大的实用程序,它能够从二进制文件中提取出...
1、此程序用来比较2个Strings.xml中name的不同项,并打印出来; 2、使用前,请先将两个String.xml重命名为:strings_en.xml(英文或其他语言)和strings_zh.xml(中文); 3、此程序是通过strings_zh.xml去检索...
Commonly exploited software vulnerabilities are usually caused by avoidable software defects. Having analyzed tens of thousands of vulnerability reports since 1988, CERT has determined that a ...
"Strings.exe"是一款在Windows操作系统环境下广泛使用的实用程序,它主要功能是用于从二进制文件(如可执行文件、库或数据文件)中提取连续的ASCII或Unicode字符序列,即字符串。这个工具对于系统管理员、软件开发者...
`Standard Date and Time Format Strings_files`、`Standard Numeric Format Strings_files`、`Custom Date and Time Format Strings_files`和`Custom Numeric Format Strings_files`这些文件夹可能包含支持上述网页...
ns_strings_zh.xml
Instead, strings in C are typically represented as arrays of characters terminated by a null character (`\0`). While this approach works, it lacks the convenience and functionality found in other ...
在Android应用开发中,为了支持多种语言环境,开发者通常需要创建多个`strings.xml`文件,分别对应不同的语言,如英语、简体中文、繁体中文等。这些文件存储在项目的`res/values`目录下,用于定义应用中的文本资源。...
ns_strings_zh_storyline.xml
通过静态分析来最大程度上的获取PE文件的信息,从而帮助我们了解其行为动态和作用方式,
北京大学的在线编程平台POJ上有一道题目名为“Surprising Strings”(POJ 3096),这是一道考察算法思维和编程能力的题目。在本篇解题报告中,我们将深入探讨该问题的背景、问题分析、解决方案以及实现代码,同时也...
String algorithms are a traditional area of study in computer science. In recent years their importance has grown dramatically with the huge increase of electronically stored text and of molecular ...
如何在Blazor WebAssembly中使用查询字符串 此存储库包含 Code Maze 上的“How to Use Query Strings in Blazor WebAssembly”文章的源代码
在Android开发中,"strings"是一个非常关键的概念,它涉及到应用程序中的文本管理和国际化。本文将深入探讨`strings.xml`文件及其在Android应用开发中的作用,同时也会提及与之相关的`colors.xml`文件。 首先,`...
name=luke&job=devimport { allQueryStrings, queryString } from 'get-query-strings'const params = allQueryStrings()const params2 = allQueryStrings('?a=1&b=2')const name = queryString('name'),const name2...
strings_zh.xml
Windowed subsequence matching over deterministic strings has been studied in previous work in the contexts of knowledge discovery, data mining, and molecular biology. However, we observe that in these...
本文档包准确,iPhone越狱后修改滑动解锁损坏SpringBoard.strings文件修复,此文件适用于ios7.1.2原生
在Android开发中,`strings.xml` 文件是存储应用中各种字符串资源的重要地方,它使得文本内容的管理和国际化变得更为方便。本示例将探讨如何从`strings.xml` 文件中读取包含HTML标签的字符串,并在Android应用中正确...
This is a collection of GUIs meant to serve either to answer specific questions about writing GUIs or as a ...1.How do I manipulate the strings in a uicontrol? GUI_1, 2, 4, 5, 13, 14, 15, 20, 21, 22, 3