2025-02-27 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
How to understand a firewall blocking a request, and what it teaches about Content-Type: many inexperienced developers are at a loss when this happens. This article summarizes the cause of the problem and its solution, and I hope it helps you solve it.
background
When the project was deployed at School B, a function that worked fine at School A stopped working: after clicking in School B's front end, the backend never received the request.
preliminary analysis
1. Make sure it is the same code.
2. Verify that the correct server is being accessed.
3. Confirm whether the application server received the request.
4. Confirm whether the reverse proxy server received the request.
5. Capture the traffic and see whether the request was actually sent (there was little doubt about this).
After these five steps the conclusion was: the code is the same, the server is correct, the browser does send the request, and neither the reverse proxy server nor the application server receives it.
Preliminary diagnosis
The suspicion was that School B's firewall was blocking the request, which left two possible solutions:
1. Ask the school to open the firewall and add the server to a whitelist.
2. Find a way around the firewall rules.
But first one has to ask why the firewall blocks the request at all. Our asynchronous submission carries a lot of content, including rich-text tags. The firewall presumably has a policy meant to stop XSS attacks, and that is what intercepts the request.
Because the matter was urgent and nobody at the school was available during the holiday to help with the first option, we could only try the second.
resolution process
I had not dealt with XSS attacks before, so I did not know much about firewall interception policies. I next tried submitting the same data from Postman with Content-Type multipart/form-data, and it went through.
Having found the gap, I asked the front-end developer to change the default Content-Type of the submission to multipart/form-data and to build the submission with FormData in Vue.
This got past the firewall and the function worked online. Note that this is a workaround, not a fix: the firewall no longer inspects what we send, so the application itself has to validate the rich text it accepts.
summary
Different schools have different firewall policies, so developers need to supplement their web-security knowledge, ideally led by the company's CTO. After studying and sorting this out, the company should put together a set of best practices for the situation in its industry.
Through this exercise I learned what the requests look like for Content-Type multipart/form-data and application/x-www-form-urlencoded respectively.
application/x-www-form-urlencoded
By default an HTML form has enctype=application/x-www-form-urlencoded. Some Ajax libraries, for example jQuery's $.ajax, use it by default as well.
application/x-www-form-urlencoded means the form is submitted as name=value pairs joined with &, with the data URL-encoded. By default all our form submissions use this encoding, as shown in the figure:
You can see that the Chinese text is percent-encoded. Special characters such as < and & are percent-encoded too (as %3C and %26); the browser's developer tools simply show the decoded view, and the firewall decodes the body before matching its rules, so the encoding does nothing to stop stored XSS or SQL injection. That is why the firewall is right to inspect and intercept it. Therefore, when writing front-end code the input needs to be validated, such as e-mail, birthday and age fields, with an XSS filter wherever rich text is accepted; the back-end must validate as well, because the front-end is easy to bypass. For XSS attacks, see the book White Hat Talks Web Security by Wu Hanqing, chief security architect at Alibaba.
multipart/form-data
When a form has to upload files, we generally set its enctype to multipart/form-data. Ajax libraries used with jQuery or Vue can set this Content-Type as well. HTML forms only send it with POST (a GET form ignores enctype).
With Content-Type=multipart/form-data the raw POST data is split into parts by a special separator string.
The separator is declared in the request's Content-Type header, for example boundary=----WebKitFormBoundaryM2jFeC5L7hYjAqxZ. In the body:
Each part begins with the boundary prefixed by "--": ------WebKitFormBoundaryM2jFeC5L7hYjAqxZ
The body ends with the boundary prefixed and suffixed by "--": ------WebKitFormBoundaryM2jFeC5L7hYjAqxZ--
The closing line carries the extra "--" at the end, which is how the server knows there are no more parts.
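The following is an added example, not code from the original article. It shows the two wire formats discussed above for the same form fields, a minimal parser for the multipart body, and an assumed firewall rule that only inspects urlencoded bodies, which reproduces the bypass described in the resolution section. The boundary value is reused from the article's capture; the sample fields and the naiveWafBlocks rule are constructed for this demonstration and do not describe School B's real firewall.

```javascript
// Added example, not code from the original article. The sample fields and the
// firewall rule are constructed for illustration.

// Constructed sample submission: a title in Chinese and a rich-text body
// containing tags and an escaped ampersand.
const fields = {
  title: '通知',
  content: '<p>Hello &amp; <b>world</b></p>',
};

// application/x-www-form-urlencoded, exactly as a browser form sends it:
// letters and digits stay, space becomes '+', everything else (including
// Chinese text, '<', '&' and '/') becomes %XX.
function encodeUrlencoded(obj) {
  return new URLSearchParams(obj).toString();
}

// What the backend sees after decoding the urlencoded body.
function decodeUrlencoded(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Boundary taken from the article's capture.
const BOUNDARY = '----WebKitFormBoundaryM2jFeC5L7hYjAqxZ';

// multipart/form-data: every part starts with "--" + boundary and a
// Content-Disposition header; the body ends with "--" + boundary + "--".
function encodeMultipart(obj, boundary = BOUNDARY) {
  let body = '';
  for (const [name, value] of Object.entries(obj)) {
    body += `--${boundary}\r\n`;
    body += `Content-Disposition: form-data; name="${name}"\r\n\r\n`;
    body += `${value}\r\n`;
  }
  body += `--${boundary}--\r\n`;
  return { contentType: `multipart/form-data; boundary=${boundary}`, body };
}

// Minimal multipart parser for text fields (no files, no streaming), enough
// to show that the backend recovers exactly the same values.
function parseMultipart(contentType, body) {
  const m = /boundary=("?)([^";]+)\1/.exec(contentType);
  if (!m) throw new Error('multipart body without a boundary parameter');
  const out = {};
  for (const part of body.split(`--${m[2]}`)) {
    // Skip the empty preamble and the trailing "--\r\n" after the last part.
    if (part === '' || part.startsWith('--')) continue;
    const headerEnd = part.indexOf('\r\n\r\n');
    if (headerEnd < 0) continue;
    const name = /name="([^"]*)"/.exec(part.slice(0, headerEnd));
    // Drop the CRLF that precedes the next boundary line.
    const value = part.slice(headerEnd + 4, part.length - 2);
    if (name) out[name[1]] = value;
  }
  return out;
}

// Assumed firewall rule (hypothetical): decode urlencoded bodies and block
// anything that looks like an HTML tag. It never looks inside multipart
// bodies, which is the gap the workaround in the article relies on.
const HTML_TAG = /<\s*\/?\s*[a-z][a-z0-9]*/i;
function naiveWafBlocks(contentType, body) {
  if (!contentType.startsWith('application/x-www-form-urlencoded')) return false;
  return Object.values(decodeUrlencoded(body)).some((v) => HTML_TAG.test(v));
}

// Send the same fields both ways and report what the firewall and the
// backend would each see.
function compare(obj) {
  const urlencoded = encodeUrlencoded(obj);
  const mp = encodeMultipart(obj);
  return {
    urlencodedBlocked: naiveWafBlocks('application/x-www-form-urlencoded', urlencoded),
    multipartBlocked: naiveWafBlocks(mp.contentType, mp.body),
    backendSeesSameData:
      JSON.stringify(decodeUrlencoded(urlencoded)) ===
      JSON.stringify(parseMultipart(mp.contentType, mp.body)),
  };
}

console.log(encodeUrlencoded(fields));
console.log(encodeMultipart(fields).body);
console.log(compare(fields));
```

The backend ends up with identical field values from both encodings; the only thing that changed is what the firewall looked at. Mature web application firewalls (ModSecurity, for one) do parse multipart bodies, so this kind of bypass depends entirely on the specific device's configuration and is no substitute for validating the rich text in the application.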
This is how we submit rich text to the backend and write it to the database. To prevent XSS, both front-end and back-end code can use third-party libraries to scan uploaded file contents and field values.
application/json
Here we submit a JSON string in the HTTP body, and a Spring MVC backend receives it directly with @RequestBody. This is also commonly used and there is nothing special about it; the parameter content still needs to be filtered to prevent XSS attacks.
VUE protects against XSS attacks
The Vue front-end framework escapes text interpolation ({{ }}) and bound attributes automatically, which prevents most injection into the DOM; v-html, however, inserts raw HTML and must only be fed content that has already been sanitized on the server. Details can be found in the Vue documentation.
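The server-side checks the article keeps coming back to (validate plain fields, filter rich text, escape on output) are shown below as an added example that is not part of the original article. escapeHtml is for plain fields rendered as text; checkRichText is an allowlist validator for the rich-text field that rejects anything it does not recognise instead of trying to clean it. The allowed tag and attribute lists are assumptions chosen for illustration; a real deployment should use a maintained HTML sanitizer (the "third-party plug-ins" the article mentions) and still escape on output.

```javascript
// Added example, not code from the original article. ALLOWED is an assumed
// editor allowlist for illustration, not a complete sanitizer.

// Output escaping for plain-text fields (title, name, etc.).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Tags the rich-text editor may produce, with the attributes each may carry.
const ALLOWED = {
  p: [], b: [], i: [], strong: [], em: [], ul: [], ol: [], li: [], br: [],
  a: ['href'],
};

// Validate a rich-text value. Returns { ok: true } or { ok: false, reason }.
// Anything that is not a clean, allowlisted tag fails closed: a stray '<',
// an unknown tag, an unknown attribute (onerror, style, ...), or an href
// that is not an absolute http(s) URL (so javascript: is refused).
function checkRichText(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  // After removing every recognised tag, no angle bracket may remain.
  // Editors emit &lt; and &gt; for literal brackets, so a leftover one is
  // either malformed markup or an injection attempt.
  if (/[<>]/.test(html.replace(tagRe, ''))) {
    return { ok: false, reason: 'unexpected < or > outside a recognised tag' };
  }
  const attrRe = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s]+)))?/g;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    if (!(tag in ALLOWED)) return { ok: false, reason: `tag <${tag}> not allowed` };
    const attrs = m[2].replace(/\/\s*$/, ''); // tolerate self-closing "<br/>"
    for (const a of attrs.matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      if (!ALLOWED[tag].includes(name)) {
        return { ok: false, reason: `attribute ${name} on <${tag}> not allowed` };
      }
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (name === 'href' && !/^https?:\/\//i.test(value)) {
        return { ok: false, reason: 'href must be an absolute http(s) URL' };
      }
    }
  }
  return { ok: true };
}

// Constructed inputs: what a legitimate editor produces, and typical payloads.
const samples = [
  '<p>Hello &amp; <b>world</b><br/></p>',
  '<p>ok</p><script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
];
for (const s of samples) console.log(JSON.stringify(s), checkRichText(s));
```

Rejecting rather than rewriting keeps the validator small and means a bypass of the allowlist shows up as a stored record that could not have been produced by the editor, which is easy to alert on. Even with this check in place, every field that is rendered as text still goes through escapeHtml (or Vue's default interpolation), and only the validated rich-text field is ever passed to v-html.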
© 2024 shulou.com SLNews company. All rights reserved.