Posted to notifications@shenyu.apache.org by GitBox <gi...@apache.org> on 2022/10/14 02:48:01 UTC

[GitHub] [shenyu] ableYang123 opened a new issue, #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication

ableYang123 opened a new issue, #4080:
URL: https://github.com/apache/shenyu/issues/4080

   ### Is there an existing issue for this?
   
   - [X] I have searched the existing issues
   
   ### Current Behavior
   
   When using post requests, you can add parameters after the url to crack signature authentication 
   
   
   ### Expected Behavior
   
   _No response_
   
   ### Steps To Reproduce
   
   When I catch a correct request on the network
   ![image](https://user-images.githubusercontent.com/29156983/195748688-e25c42d7-2372-4d0a-bc7f-be5f0b825ad0.png)
   
   When I try to tamper with the parameter content, the program reports a signature error
   ![image](https://user-images.githubusercontent.com/29156983/195748794-91ef7efa-04d6-4a8c-a4c9-6ac2651671f9.png)
   
   However, when I concatenate the previous parameters after the url, I can crack the parameter signature 
   ![image](https://user-images.githubusercontent.com/29156983/195748894-63d541c6-70a3-4f18-9c72-d7345decafe0.png)
   
   
   ### Environment
   
   ```markdown
   ShenYu version(s):2.5.0
   ```
   
   
   ### Debug logs
   
   _No response_
   
   ### Anything else?
   
   The problem here is that the parameter after the URL overrides the parameter with the same name in the request body 
   ![image](https://user-images.githubusercontent.com/29156983/195742048-e6fb99f8-9c54-4a46-81d9-c3e6fe3fbad1.png)
   The request header and URL parameters should be put in one map and the request body in the other.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@shenyu.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
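
The behaviour reported above, as an added example that is not part of the original thread and is not ShenYu's code: a verifier that merges URL parameters over same-name body fields before checking the signature, beside one that signs the two sources as separate sections, as the reporter suggests. The HMAC-SHA256 scheme, the key, the function names and the sample request are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qsl

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real credential


def _mac(canonical) -> str:
    # Assumed scheme: HMAC-SHA256 over a JSON canonical form.
    data = json.dumps(canonical, separators=(",", ":")).encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def sign_merged(query: str, body: dict) -> str:
    """Weak form: one map, URL parameters override same-name body fields."""
    merged = dict(body)
    merged.update(parse_qsl(query, keep_blank_values=True))
    return _mac(sorted(merged.items()))


def sign_separated(query: str, body: dict) -> str:
    """Hardened form: URL parameters and body are signed as separate sections."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if len({k for k, _ in pairs}) != len(pairs):
        raise ValueError("duplicate URL parameter")
    return _mac({"query": sorted(pairs), "body": sorted(body.items())})


def verify(sign_fn, query: str, body: dict, signature: str) -> bool:
    try:
        return hmac.compare_digest(sign_fn(query, body), signature)
    except ValueError:
        return False


def demo() -> dict:
    original = {"amount": "10", "to": "alice"}    # constructed signed request body
    tampered = {"amount": "9999", "to": "alice"}  # body altered after signing
    appended = "amount=10"                        # original value placed after the URL
    out = {}
    for name, fn in (("merged", sign_merged), ("separated", sign_separated)):
        sig = fn("", original)
        out[name] = {
            "original": verify(fn, "", original, sig),
            "tampered": verify(fn, "", tampered, sig),
            "tampered+query": verify(fn, appended, tampered, sig),
        }
    return out


if __name__ == "__main__":
    print(demo())
```

With the merged map the altered body still verifies once the original value is appended to the URL, because the signature is computed over values the backend never reads from the body; the separated form rejects it.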


[GitHub] [shenyu] yunlongn commented on issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication

Posted by GitBox <gi...@apache.org>.
yunlongn commented on issue #4080:
URL: https://github.com/apache/shenyu/issues/4080#issuecomment-1278987579

   Can you perfect it?




[GitHub] [shenyu] ableYang123 commented on issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication

Posted by GitBox <gi...@apache.org>.
ableYang123 commented on issue #4080:
URL: https://github.com/apache/shenyu/issues/4080#issuecomment-1279641921

   OK, I'll try.




[GitHub] [shenyu] yunlongn commented on issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication

Posted by GitBox <gi...@apache.org>.
yunlongn commented on issue #4080:
URL: https://github.com/apache/shenyu/issues/4080#issuecomment-1278984876

   There is no way to prevent the user from entering the same parameter name in parameter and body. 




[GitHub] [shenyu] yu199195 closed issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication

Posted by "yu199195 (via GitHub)" <gi...@apache.org>.
yu199195 closed issue #4080: [BUG] When using post requests, you can add parameters after the url to crack signature authentication 
URL: https://github.com/apache/shenyu/issues/4080

