asp-classic - 如何在url中传递无法直接在url中执行的值参数?
问题描述
所以我有这个程序将通知值发送到其他页面并显示通知,但问题是你可以编辑 url 中的值,
If lngErrNo <> 0 Then
response.write "Error while update Product."
response.end
Else
v_strMsg = "Edit Kelipatan Jumlah Pesanan Berhasil!"
Response.Redirect "global_notification.asp?strMsg=" & v_strMsg
End If
问题是您可以在 url 中编辑 v_strMsg,例如 abc.com/global_notification.asp?strMsg= "anything you can edit the value here",显示页面如下所示
<body>
<table class="1" width=70% cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/bgtable.gif"><div align="left" class="fontwhiteheader13">
ATTENTION!!</div>
</td>
</tr>
<tr>
<td valign="top"><table width=100% height="360" cellpadding="2" cellspacing="2" bgcolor="white">
<tr>
<td align=center class="fontblueheader13"><%=Request.QueryString("strMsg")%>
</td>
</tr>
</table></td></tr></table>
</body>
任何可能的方式来发送值而不将其更改为 POST 方法?我尝试 htmlEncode 但 v_strMsg 仍然可以在 url 中编辑,有什么建议吗?
解决方案
您需要一个签名的 URL。
签名的 URL 包括一个数字签名,证明请求是由服务器生成的。
您需要做的第一件事是创建一个密钥:
' Generate your own key from:
' https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx
Const secret_key = "G+KbPeShVmYq3s6v9y$B&E)H@McQfTjW"
在本例中,它是一个 256 位密钥。
您还需要一个哈希函数:
哈希.asp
<%
' Might as well store the secret key constant in this file:
Const secret_key = "G+KbPeShVmYq3s6v9y$B&E)H@McQfTjW"
Function Hash(ByVal Input, HashAlgorithm)
' Select the System.Security.Cryptography value.
Select Case uCase(HashAlgorithm)
Case "MD5"
HashAlgorithm = "MD5CryptoServiceProvider"
Case "SHA1"
HashAlgorithm = "SHA1CryptoServiceProvider"
Case "SHA2","SHA256"
HashAlgorithm = "SHA256Managed"
Case "SHA384"
HashAlgorithm = "SHA384Managed"
Case "SHA5","SHA512"
HashAlgorithm = "SHA512Managed"
Case Else
HashAlgorithm = "SHA1CryptoServiceProvider"
End Select
' Convert the input to bytes if not already.
If NOT VarType(Input) = 8209 Then
Dim utf8 : Set utf8 = Server.CreateObject("System.Text.UTF8Encoding")
Input = utf8.GetBytes_4(Input)
Set utf8 = Nothing
End If
' Perform the hash.
Dim hAlg : Set hAlg = Server.CreateObject("System.Security.Cryptography." & HashAlgorithm)
Dim hEnc : Set hEnc = Server.CreateObject("MSXML2.DomDocument").CreateElement("encode")
hEnc.dataType = "bin.hex"
hEnc.nodeTypedValue = hAlg.ComputeHash_2((Input))
Hash = hEnc.Text
Set hEnc = Nothing
Set hAlg = Nothing
End Function
%>
现在您已准备好使用数字签名对您的 URL 进行签名。
' Be sure to include "hash.asp"
' Your message:
v_strMsg = "Edit Kelipatan Jumlah Pesanan Berhasil!"
' A unix timestamp:
v_uts = DateDiff("s","1970-01-01 00:00:00",Now())
' NOTE: Your servers timezone should be set to UTC to generate a true unix timestamp,
' but it doesn't really matter, as long as "global_notification.asp" is on the same
' server, or a server set to the same timezone as the page you're generating the
' signature from.
' Now we create the signature as so:
v_signature = Hash(v_strMsg & v_uts & secret_key,"SHA256")
' Finally, redirect to "global_notification.asp"
Response.Redirect "global_notification.asp?strMsg=" & Server.URLEncode(v_strMsg) & "&ts=" & v_uts & "&signature=" & v_signature
重定向示例:
global_notification.asp?strMsg=编辑+Kelipatan+Jumlah+Pesanan+Berhasil%21&ts=1612794802&signature=61016c0a0460902cc4a19f092dcbb4fd818aa9c88d2631e087868253e73983da
现在验证签名global_notification.asp
:
<!--#include file = "hash.asp" -->
<%
Dim v_strMsg, v_uts, v_signature, v_uts_now
v_strMsg = Request.QueryString("strMsg")
v_uts = Request.QueryString("ts")
v_signature = Request.QueryString("signature")
' Do some basic validation first.
If v_signature = "" Then
Response.Write "Missing Signature"
Response.End()
ElseIf v_uts = "" Then
Response.Write "Missing Timestamp"
Response.End()
ElseIf NOT Len(v_signature) = 64 Then
Response.Write "Invalid Signature"
Response.End()
ElseIf NOT (IsNumeric(v_uts) AND Len(v_uts) = 10) Then
Response.Write "Invalid Timestamp"
Response.End()
End If
' Validate the signature. To do this, we simply recreate what we're expecting the signature
' to be, and compare it to the one being passed.
If NOT Hash(v_strMsg & v_uts & secret_key,"SHA256") = v_signature Then
Response.Write "Invalid Signature"
Response.End()
End If
' Now let's set an expiration period for the link, say 30 seconds? (or 86400 seconds for a day, 604800 for a week etc).
v_uts = Int(v_uts) + 30
v_uts_now = DateDiff("s","1970-01-01 00:00:00",Now())
If v_uts_now >= v_uts Then
Response.Write "Expired Link"
Response.End()
End If
' At this point, everything is good.
' Go ahead and display the message:
%>
<body>
<table class="1" width="70%" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/bgtable.gif"><div align="left" class="fontwhiteheader13"> ATTENTION!!</div></td>
</tr>
<tr>
<td valign="top"><table width="100%" height="360" cellpadding="2" cellspacing="2" bgcolor="white">
<tr>
<td align=center class="fontblueheader13"><%=v_strMsg%></td>
</tr>
</table></td>
</tr>
</table>
</body>
现在,如果您尝试更改消息(或时间戳),您将收到Invalid Signature
错误消息。生成有效工作链接的唯一方法是知道密钥,这当然是隐藏的。
推荐阅读
- python - Asnycpg PostgreSQL 连接问题
- arrays - 如何在 mongoDB 中更新嵌套数组
- r - 将匹配 NA 的 df 的字符行与所有内容进行比较,并根据比较创建新列或 df
- mongodb - 我无法安装 mongodb: E: Unable to locate package mongodb-org
- reactjs - 输入框中的奇怪错误值未显示
- javascript - 过滤数组以返回深层对象
- swift - 如何使视频循环 Swift
- javascript - 将数组转换为带有一些特殊键的对象的最佳方法是什么,例如带有打字稿的 x 和 y?
- batch-file - 如何将文件打包成同名但后缀不同的 ZIP 文件?
- reactjs - 如何在 React js 中使用 mxgraph 创建调整大小的元素