什么可能是shufflling我的查询字符串参数在JavaScript中构造? [英] What might be shufflling my query string parameters constructed in JavaScript?
问题描述
我提供了一个客户端JavaScript,在它所嵌入的页面上解析某些参数,使用这些参数构建一个URL,并使用该URL将iframe插入到页面中,如:
var queryParams = {
param:'foo'
,other:'bar'
};
变成:
< iframe src =http://example.net/iframes/123?param=foo&other=bar>< / iframe>
这很好,我每天发送大约150万个请求。然而,我最近注意到,在每天大约3.000个案例中,查询参数的值被混洗,所以这样得到了要求:
< iframe src =http://example.net/iframes/123?param=ofo&other=rba>< / iframe>
从日志来看,这是与特定用户绑定的,每个人都会重新发生字符混淆请求,所以当用户使用脚本浏览多个页面时,我可以看到像这样的序列:
108.161.183.122 - - [14 / Sep / 2015:15:18:51 +0000]GET / iframe / ogequl093iwsfr8n?param = 3a1bc2 HTTP / 1.0401 11601http://www.example.net/gallery?page=1 Mozilla / 5.0(Windows NT 6.1; WOW64; rv:40.0)Gecko / 20100101 Firefox / 40.0
108.161.183.122 - - [14 / Sep / 2015:15:19:07 +0000]GET / iframe / ogequl093iwsfr8n?param = a21b3c HTTP / 1.0401 11601http://www.example.net/gallery?page=2Mozilla / 5.0(Windows NT 6.1; WOW64; rv:40.0)Gecko / 20100101 Firefox / 40.0
108.161.183.122 - - [14 / Sep / 2015:15:19:29 +0000]GET / iframe / ogequl093iwsfr8n?param = ba132c HTTP / 1.0401 11601http://www.example。 net / gallery?page = 3Mozilla / 5.0(Windows NT 6.1; WOW64; rv:40.0)Gecko / 20100101 Firefox / 40.0
401正在发生,因为服务器期望 param = abc123 。
也注意到大多数错误发生在Firefox和Safari中,Google Chrome并没有要求单个错误的URL。
我用来转动对象的库到一个查询字符串是:查询字符串 - 但看看源代码我看不到任何潜在的错误在那里,没有什么是做的价值,这是不做的关键(这是不会搞砸)。
有没有人遇到过类似的东西?这是一个奇怪的浏览器扩展?这是我的脚本与另一个库扩展原型的碰撞吗?这是恶意软件吗?这是我完全不知道的东西吗?我很感激任何提示,因为我真的很无能,这真的让我疯狂。
编辑:我刚刚发现另一个我们公众面临的服务目前正在被称为打嗝套房。看看他们的网站,我看到他们有一个名为Payload fuzzing的工具,这个工具看起来很像这里描述的: https://portswigger.net/burp/help/intruder_gettingstarted.html 或这里: https:// portswigger.net/burp/help/intruder_using.html#uses_enumerating - 整个工具闻起来都是半腥的,所以我可能会进一步调查。有没有其他人听说过这个工具集?
正如我已经在这里提到 So this might be a long, long shot, yet I am completely stumped on what might be causing this issue: I am delivering a client side JavaScript, that parses certain parameters on the page where it is embedded, uses these parameters to construct a URL and inject an iframe using that URL into the page like: is turned into: This is working quite fine, I am delivering around 1.5 million requests per day. Yet I recently noticed that in around 3.000 cases per day the values of the query parameters are shuffled, so sth like this gets requested: Judging from the logs this is tied to specific users, and the jumbling of characters will happen anew on each request, so I can see sequences like this when a user is browsing the site with multiple pages using the script: The 401 is happening on purpose as the server expects I also noticed that the majority of errors is happening in Firefox and Safari, not a single erroneous URL has been requested by Google Chrome. The library I am using for turning the object into a query string is: query-string - but looking at the source code I cannot see any potential for a bug of that kind in there, there's nothing that is done to the values which is not done to the keys (which are not messed up). Has anyone ever encountered anything similar? Is this some weird browser extension? Is this a collision of my script with another library extending prototypes? Is this malware? Is this something I am completely unaware of? I'd be thankful for any hint because I am really clueless and this is really driving me crazy. EDIT: I just discovered that another of our public facing services is currently being probed by sth called "Burp Suite". Having a look at their website I see they have a tool called "Payload fuzzing" which seems to do pretty much what is described here: https://portswigger.net/burp/help/intruder_gettingstarted.html or here: https://portswigger.net/burp/help/intruder_using.html#uses_enumerating - The whole tool smells semi-fishy to me, so I this might be something worth investigating further. Has anyone else ever heard of this toolset? As I already mentioned here Google Analytics Event Permutation
there is a specific version (at least 1.0.37) of the Firefox add-on "Cliqz" having an anti-tracking-functionality built in. 这篇关于什么可能是shufflling我的查询字符串参数在JavaScript中构造?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
Firefox附加组件Cliqz的特定版本(至少1.0.37)内置反跟踪功能。 var queryParams = {
param: 'foo'
, other: 'bar'
};
<iframe src="http://example.net/iframes/123?param=foo&other=bar"></iframe>
<iframe src="http://example.net/iframes/123?param=ofo&other=rba"></iframe>
108.161.183.122 - - [14/Sep/2015:15:18:51 +0000] "GET /iframe/ogequl093iwsfr8n?param=3a1bc2 HTTP/1.0" 401 11601 "http://www.example.net/gallery?page=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
108.161.183.122 - - [14/Sep/2015:15:19:07 +0000] "GET /iframe/ogequl093iwsfr8n?param=a21b3c HTTP/1.0" 401 11601 "http://www.example.net/gallery?page=2" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
108.161.183.122 - - [14/Sep/2015:15:19:29 +0000] "GET /iframe/ogequl093iwsfr8n?param=ba132c HTTP/1.0" 401 11601 "http://www.example.net/gallery?page=3" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
param=abc123.
