Web服务器如何检测重放的登录尝试？ [英] How can webservers detect replayed login attempts?

问题描述

当我将网络蜘蛛编码到特定网站时，我发现了一件奇怪的事情。

I found a strange thing when i'm coding a net-spider to a specific website.

我使用了fiddler和chrome（以及其他网络浏览器） ）登录网站（HTTP，而不是https）并获取发送和接收的所有包（以及cookie）:(
第一个包'Get'来请求登录页面和cookie，然后使用收到的cookie来请求验证码和其他一些图片。然后使用用户ID，密码和验证码向服务器和服务器响应发送登录请求，并提供正确的信息）

I used fiddler and chrome(as well as other web-browsers) to log-in a website(HTTP, not https) and get all package(as well as the cookie) that sent and received:( first package 'Get' to request the log-in page and the cookie, then use the cookie received to request verification code and some other pics. and then send login request with userid, password and verification code to server and server response with correct info)

然后我注销并清除所有缓存和Cookie并使用Fiddler中继（模拟）整个过程（因为我知道我应该发送的所有包的格式）：请求登录页面获取cookie，使用cookie来请求所有图片（包括auth代码图片），然后使用cookie和auth代码请求登录（用户ID和密码正确）...但是失败。

Then I log-out and Clear all Cache and Cookie and use Fiddler to Relay(Simulate) the whole process (Since I know all packages' format that i should send): request the log-in page to get cookie, use the cookie to request all pics( auth code image included), and then use the cookie and auth code to request login(userid and password are correct)...but failed.

I确定失败不是由无效的用户标识或密码引起的auth代码，我相信前端没什么特别的（html，脚本都经过检查），但是我很困惑服务器如何告诉我在后端使用浏览器 ..

I'm sure the failure is not caused by invalid userid or password or auth code, and i believe there is nothing special on the front-end(html,script are checked), but it puzzled me a lot how can the server tell i used browser or not in back-end..

我不是要求任何人解决具体问题。我只是想知道我所描述的任何人都有类似的问题吗？

I'm not request anybody to solve the specific problem. i'm just wanna know DOES ANYONE HAS HAD SIMILAR PROBLEM i described?

具体的网站并不重要，我必须说整个做法完全无害！我没有做任何黑客攻击，相反它会帮助一些人。

the specific website is not important and i must say the whole practice is completely harmless! i'm not doing any hacking stuff, on the contrary it will help some people.

================= =====================================
我终于找到了原因：登录页面有一个隐藏的输入（），我不小心忽略了，因为它的值每次都看起来几乎相同。如果我们模拟所有必需的HTTP请求包，则Web服务器无法检测重放的登录尝试。
谢谢你们〜

====================================================== I've finally figured out the reason: the log-in page has a hidden input() and i carelessly overlooked that since its value looks almost the same every time. Web server can not detect replayed log-in attempts if we simulated all necessary HTTP request packages. Thank you guys~

推荐答案

服务器无法神奇地判断他们是否在与Fiddler交谈。

Servers cannot magically tell whether they're talking to Fiddler or not.

如果Fiddler和您的客户端发送完全相同的请求，则表示相关服务器在其登录表单中使用一次性令牌（有时称为nonce）。如果服务器再次看到相同的令牌，则拒绝登录。有时nonce不是直接发送的，而是用于计算质询 - 响应，如NTLM等身份验证协议中所发生的。在其他情况下，nonce是CAPTCHA，这有助于防止您使用机器人自动登录到这样的网站。

If Fiddler and your client are sending the exact same requests, that means that the server in question is using a "one time token" (sometimes called a nonce) in its login form. If the server ever sees the same token again, it rejects the logon. Sometimes the nonce isn't sent directly, and is instead used in the computation of a "challenge-response" as occurs in authentication protocols like NTLM. In other cases, the nonce is a CAPTCHA, which helps prevent you from using a bot to automatically log in to a site like this.

除非您可以分享更多详细信息目标站点（或登录过程的SAZ文件），人们不太可能帮助你。

Unless you can share more details of the target site (or a SAZ file of the login process), it's unlikely that folks will be able to help you.

这篇关于Web服务器如何检测重放的登录尝试？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！