Password sent via HTTPS accessible via browser developer tools


Problem description

I have a web site that accomplishes user login via an AJAX call over HTTPS. Obviously the request contains the password. Playing around with Firefox developer tools I noticed that I can inspect any network requests coming from my page, including the request body ... and there is my password. I assume the request is being encrypted since it's over HTTPS, but the developer tools still show it as plain text. Am I missing something? If a user logs in on a public machine and forgets to log out, anyone can use developer tools to grab their password. Thanks in advance for any help you can provide.

- Mike

Recommended answer

Everything is functioning by design – there's nothing wrong.

The browser's dev tools are intended to allow the user to inspect everything that's happening in the page – without that functionality, they'd be pretty useless. The dev tools' network tab shows HTTP data before it is encrypted.

In the public machine scenario, remember that the dev tools only show network requests that happened after the tools were opened, so an attacker can't just open the dev tools after the user leaves with your page up and see the plaintext auth request.
