Submitting a form to a secure url from a non-secure page


Question

Suppose I have a form on a page at this location...

http://mydomain.com/myform.htm

And the form looks like this...

<form method="post" action="https://secure.otherdomain.com/handleform.php">
   ....
</form>

Assuming that there is a valid SSL cert installed on the server which receives this form submission, will the contents of that form submission be encrypted?

Answer

The POST request will be transmitted over HTTPS (so encrypted if configured properly). Submitting a form from a page obtained over plain HTTP to an HTTPS page is bad practice. The initial page should also be served over HTTPS. The reason for this is that a MITM attacker could intercept the response that loads the page with the form and replace the link to point to another target.

See the first rule here (of course, not specific to login pages):

  • https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_TLS_for_All_Login_Pages_and_All_Authenticated_Pages

Rule - Use TLS for All Login Pages and All Authenticated Pages

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS for authenticated pages after the login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.
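As an added example (not part of the original answer), a small Python audit that resolves every form action in a page and flags the pattern the answer warns about: an HTTPS action on a page that was itself loaded over plain HTTP. The sample page and hostnames are constructed from the question's placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collect the resolved action URL of every <form> in a document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action submits back to the page itself.
            action = dict(attrs).get("action") or ""
            self.actions.append(urljoin(self.page_url, action))

def audit_forms(page_url, html):
    """Return (action_url, verdict) per form. Verdicts: 'ok' (both https),
    'action-http' (data leaves the browser in cleartext), 'page-http'
    (action is https but the page was not, so an on-path attacker can
    rewrite the action before the user submits)."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _FormCollector(page_url)
    collector.feed(html)
    findings = []
    for action in collector.actions:
        if urlsplit(action).scheme.lower() != "https":
            verdict = "action-http"
        elif page_scheme != "https":
            verdict = "page-http"
        else:
            verdict = "ok"
        findings.append((action, verdict))
    return findings

# Constructed sample: the question's page over plain HTTP, plus a relative-action form.
SAMPLE_PAGE_URL = "http://mydomain.com/myform.htm"
SAMPLE_HTML = """
<form method="post" action="https://secure.otherdomain.com/handleform.php">
  <input name="user"><input name="pass" type="password">
</form>
<form method="post" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for action, verdict in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:12} {action}")
```

Serving the same page over HTTPS turns the first finding into 'ok'; the second stays flagged until its action (or the page, via a relative URL) is HTTPS too.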
