Posted to notifications@shenyu.apache.org by GitBox <gi...@apache.org> on 2022/10/14 02:48:01 UTC
[GitHub] [shenyu] ableYang123 opened a new issue, #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication
ableYang123 opened a new issue, #4080:
URL: https://github.com/apache/shenyu/issues/4080
### Is there an existing issue for this?
- [X] I have searched the existing issues
### Current Behavior
When using post requests, you can add parameters after the url to crack signature authentication
### Expected Behavior
_No response_
### Steps To Reproduce
When I catch a correct request on the network
![image](https://user-images.githubusercontent.com/29156983/195748688-e25c42d7-2372-4d0a-bc7f-be5f0b825ad0.png)
When I try to tamper with the parameter content, the program reports a signature error.
![image](https://user-images.githubusercontent.com/29156983/195748794-91ef7efa-04d6-4a8c-a4c9-6ac2651671f9.png)
However, when I concatenate the previous parameters after the URL, I can crack the parameter signature.
![image](https://user-images.githubusercontent.com/29156983/195748894-63d541c6-70a3-4f18-9c72-d7345decafe0.png)
### Environment
```markdown
ShenYu version(s):2.5.0
```
### Debug logs
_No response_
### Anything else?
The problem here is that the parameter after the URL overrides the parameter with the same name in the request body.
![image](https://user-images.githubusercontent.com/29156983/195742048-e6fb99f8-9c54-4a46-81d9-c3e6fe3fbad1.png)
Should put the request header and URL parameters in one map and the request body in the other.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@shenyu.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
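The behaviour reported in this issue, as an added example that is not part of the original thread and is not ShenYu's code: a signature checked over one merged parameter map, beside a check that keeps URL and body parameters apart as the reporter proposes. The HMAC-SHA256 scheme, the secret, the function names and the sample request are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real key

def _mac(pairs):
    """HMAC-SHA256 over sorted, length-prefixed (name, value) pairs."""
    msg = "".join(f"{len(k)}:{k}{len(v)}:{v}" for k, v in sorted(pairs))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def sign_merged(query, body):
    """Weak scheme (assumed): one map, URL parameters override body fields."""
    merged = {**body, **query}
    return _mac(merged.items())

def sign_separated(query, body):
    """Hardened scheme: every pair is tagged with the place it came from."""
    tagged = [("q." + k, v) for k, v in query.items()]
    tagged += [("b." + k, v) for k, v in body.items()]
    return _mac(tagged)

def verify(sign_fn, query, body, presented, reject_overlap=False):
    """Check a presented signature; optionally refuse names sent in both places."""
    if reject_overlap and set(query) & set(body):
        return False
    return hmac.compare_digest(sign_fn(query, body), presented)

# Constructed sample: the request the client actually signed.
ORIG_QUERY, ORIG_BODY = {}, {"account": "alice", "amount": "10"}
# Same signature presented with an edited body and the signed values in the URL.
REPLAY_QUERY, REPLAY_BODY = dict(ORIG_BODY), {"account": "alice", "amount": "9999"}

def demo():
    weak = sign_merged(ORIG_QUERY, ORIG_BODY)
    strong = sign_separated(ORIG_QUERY, ORIG_BODY)
    return {
        "weak_accepts_replay": verify(sign_merged, REPLAY_QUERY, REPLAY_BODY, weak),
        "weak_rejects_plain_tamper": not verify(sign_merged, {}, REPLAY_BODY, weak),
        "strong_accepts_original": verify(sign_separated, ORIG_QUERY, ORIG_BODY, strong),
        "strong_rejects_replay": not verify(sign_separated, REPLAY_QUERY, REPLAY_BODY, strong),
        "overlap_check_rejects_replay": not verify(
            sign_merged, REPLAY_QUERY, REPLAY_BODY, weak, reject_overlap=True),
    }

if __name__ == "__main__":
    print(demo())
```

Every entry returned by `demo()` is `True`: the merged-map check passes a body that was never signed, while tagging parameters by source or refusing duplicated names fails it.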
[GitHub] [shenyu] yunlongn commented on issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication
Posted by GitBox <gi...@apache.org>.
yunlongn commented on issue #4080:
URL: https://github.com/apache/shenyu/issues/4080#issuecomment-1278987579
Can you perfect it?
[GitHub] [shenyu] ableYang123 commented on issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication
Posted by GitBox <gi...@apache.org>.
ableYang123 commented on issue #4080:
URL: https://github.com/apache/shenyu/issues/4080#issuecomment-1279641921
OK, I try
[GitHub] [shenyu] yunlongn commented on issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication
Posted by GitBox <gi...@apache.org>.
yunlongn commented on issue #4080:
URL: https://github.com/apache/shenyu/issues/4080#issuecomment-1278984876
There is no way to prevent the user from entering the same parameter name in parameter and body.
[GitHub] [shenyu] yu199195 closed issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication
Posted by "yu199195 (via GitHub)" <gi...@apache.org>.
yu199195 closed issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication
URL: https://github.com/apache/shenyu/issues/4080