Watch your door.-Client Pass Data (3)-http information header

First of all, we need to state that this article is purely an ignorant insight of a little developer with no foresight and knowledge, and is only for reference in the security of web systems, and should not be used for illegal purposes.

1. Brief description

在互联网中，大量的数据通过URL参数的方式进行传递，大部分的数据，是没有通过加密进行传输。在我所了解到的情况，大部分的数据是通过明码进行…当然，现在大家都知道，URL参数，安全性不是特别高，于是http信息头（包含referer等属性）进入了大家的视野。

Referer is used to indicate where the browser indicates to the WEB server where it is coming from.

2. Views:

I do not know since when, compared to the direct URL parameters, many people think that the HTTP information header has a more powerful anti-gripping change ability. Many developers trust the values submitted by the cookie and HTTP headers, while strictly controlling the URL parameters.
This understanding is less comprehensive, because all data is exposed to anyone using the data interception proxy server.
HTTP headers are completely optional according to the w3.org standard. That is, the Referer attribute can also be changed.

3, HTTP information header Common Application scenarios

For example, there is a page to modify the user's password, this page must be administrator action.
We take it for granted that if we can judge that this page is from an administrator, then it is trustworthy and actionable.
For security reasons, we put this verification information in the URL, we put in the HTTP message, looks very tall.

4. Simple source code for authentication information via HTTP information header

http_accept.jsp

<%@ page language="java" import="java.util.*,javax.servlet.http.*" pageencoding=" UTF-8 "%><! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" ><html>  <head>    <title>Watch your door,-ah, classmate.</title>  </head>  <body>If not from the Super administrator, then I can not be accessed (super Administrator is from a page called admin.jsp, keep in the HTTP header of the Referer)<br>Address:<%= (String)request. GETREMOTEADDR ()%> <br>Coding:<%= (String)request. getcharacterencoding ()%> <br>    <%//Response. SetHeader ("Referer","admin.jsp"); enumeration<String> Reqheadinfos =Request. Getheadernames ();inti =0; while(Reqheadinfos.hasmoreelements ()) {StringHeadname = (String) reqheadinfos.nextelement ();StringHeadvalue =Request. GetHeader (Headname);//Gets the value of the corresponding request header based on the name of the request header Out.write (Headname +":"+ Headvalue); Out.write ("<br/>");if(Headname.equals ("Referer") && (Headvalue.equals ("admin.jsp"))) {i =1; Login Successful}} out.write ("<br/>"); Out.write ("
);if(i = =1) {Out.write ("Congratulations to the administrator, access to Success"); }Else{Out.write ("Not an administrator, please enter" from the Administrator page); } out.write ("); %> <br> </body></html>

Run: http://127.0.0.1:8080/webStudy/http_accept.jsp
Results:

If it's not from the Super admin, then I can't be accessed (super Admin is from a manager called admin. JSPReferer) Address of the page that remains in the HTTP header:127.0. 0. 1Code: nullHost:127.0. 0. 1:8080Connection:Keep-aliveAccept:Text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*;q=0.8user-agent:mozilla/5.0(Windows NT6.1) applewebkit/537.36(khtml, like Gecko) chrome/34.0. 1847. 137safari/537.36Accept-encoding:gzip,deflate,sdchaccept-language:ZH-CN,ZH; q=0.8Cookies:Jsessionid=2B927E8B22425D29CB623BD35970CF08 is not an administrator, please enter from the admin page

Because I have direct access to the link, so there is no referer attribute, as if it looks good.

I also write a simple code validation:
http_visit.jsp

<%@ page language="java" import="java.util.*,javax.servlet.http.*" pageencoding=" UTF-8 "%><! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" ><html>  <head>    <title>Watch your door,-ah, classmate.</title>  </head>  <body>I'm not an admin, I'm just here for the cottage.<br>     <a href="http_accept.jsp">Point me to visit http_accept.jsp</a>  </body></html>

Visit: http://127.0.0.1:8080/webStudy/http_visit.jsp
Show:

If it's not from the Super admin, then I can't be accessed (super Admin is from a manager called admin. JSPReferer) Address of the page that remains in the HTTP header:127.0. 0. 1Code: nullHost:127.0. 0. 1:8080Connection:Keep-aliveAccept:Text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*;q=0.8user-agent:mozilla/5.0(Windows NT6.1) applewebkit/537.36(khtml, like Gecko) chrome/34.0. 1847. 137safari/537.36Referer:/HTTP127.0. 0. 1:8080/webstudy/http_visit. JSPAccept-encoding:gzip,deflate,sdchaccept-language:ZH-CN,ZH; q=0.8Cookies:Jsessionid=703D6301DAC606173E0118D0DD35BEA1 is not an administrator, please enter from the admin page.

Among them, referer:http://127.0.0.1:8080/webstudy/http_visit.jsp
Exactly the link we just visited, very good. The test was successful. Julienne

5. Being attacked

Although the HTTP header is not displayed on the screen, it appears that the user cannot modify it. But all of the client's final operations are user-controlled and can be accessed directly by intercepting the proxy server to modify the data.

Watch your door.-Client Pass Data (3)-http information header