New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

【建议】避免删除功能等敏感操作接口直接运行 #41

Open

osxtest opened this issue Aug 15, 2021 · 0 comments

Labels

osxtest commented Aug 15, 2021

描述错误
一些 js 里可能会包含一些删除数据的接口，若这些接口刚好存在未授权，就可能导致数据误删。例如接口

https://foo.bar/Filter/delFilterById
https://foo.bar/comment/delete
https://foo.bar/product/delProductLine

建议

在 API提取 时添加黑名单关键词如 del, remove。可以多加些敏感操作的关键词，目的是宁可误报也不漏报
在 参数提取 时正常解析，但是不做任何发包与漏洞检测
最后报告输出时添加类似敏感操作接口解析的结果，让用户自行复制数据包测试，即使误报了也有数据保留

The text was updated successfully, but these errors were encountered:

rtcatc added the enhancement label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment