这些请求来自哪里?

时间:2016-07-06 21:03:33

标签: http

我使用fiddler来分析网站的请求。以下GET

GET https://tss.sfs.db.com/websso/sso_FallThrough.sso?Xe47eKuUc4rm2LW9V1BHSzU1....

返回

HTTP/1.1 302 Found
Date: Wed, 06 Jul 2016 16:13:19 GMT
Server: dweb
Set-Cookie: CTSESSION=AAAAAQABAHid6vs1jduDPC1Q9ItYbjKC6Ih4bImKPTYYA6fOLowLvtT%2FsUj%2F2o7kl4ovRmo8qfOQjQgx%2B%2BQL6%2F6sspncrVYJOc62ijGMQ67Z9L%2FaklW42jLwx6BzfN2BUAiw5fU4lemLzDDlX0pGSNY1kXVCaqOS5UlOX8z62hA%3D; domain=tss.sfs.db.com; path=/; Secure; HttpOnly
Location: /investauthenticated/servlet/web/Web?document=index
Content-Length: 235
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="/investauthenticated/servlet/web/Web?document=index">here</a>.</p>
</body></html>

Location标题会将其重定向到

GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index

响应是

HTTP/1.1 200 OK
Date: Wed, 06 Jul 2016 16:13:19 GMT
Server: dweb
Content-Length: 1500
Set-Cookie: JSESSIONID=r73A_C0735ZlDXOeMyM7w9hSgnkMUHloIm3qIdgMKkHZ3KSPi30f!-828505221; path=/; HttpOnly
DB-Nickname: VTJGc2RHVmtYMStCbW4yYnlaQ2Ywei9pRHlENzd3aHFQYlhVNWZSbXFJUT0=
X-DB-NAR: 26564-1
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="ISO-8859-1"?><?xml-stylesheet type='text/xsl' href='/stylesheets/application_internet.xsl'?><application servleturi="/investauthenticated/servlet/web/Web">
<menu href="Web?document=menu"/>
<clock href="/html/invest/clock.html"/>
<main href="Web?document=viewPortfolio&amp;portfolio=my">View All</main>
<headerlink class="blue_11" href="https://www.tss.db.com" style="margin-left:196px" target="root">TSS Home</headerlink>
<headerlink class="blue_11" href="http://www.db.com/index_e.htm" target="root">DB Home</headerlink>
<headerlink class="blue_11" href="Web?document=home" target="main">Home</headerlink>
<headerlink class="blue_11" href="Web?document=Contact" target="main">Contacts</headerlink>
<headerlink class="blue_11" href="/html/invest/FAQS.html" target="main">FAQs</headerlink>
<headerlink class="blue_11" href="logout" target="">Logout</headerlink>
<subheaderlink class="horizontal_navi first" href="https://www.tss.db.com" target="root">Trust &amp; Securities Services</subheaderlink>
<subheaderlink class="horizontal_navi" href="Web?document=home" target="main">Home</subheaderlink>
<search class="white_11">Search by:</search>
<search checked="true" class="blue_11_bold" id="r1">CUSIP</search>
<search class="blue_11_bold" id="r2">ISIN</search>
<search class="blue_11_bold" id="r3">Issuer</search>
<parameters>
<parameter name="document">index</parameter>
<parameter name="release.build.name">4.3.15 2016-05-26   </parameter>
</parameters>
</application>

但是,之后有以下要求。它们来自哪里?没有Location,元或客户端Javascript来重定向?

GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=topbar&OWASP_CSRFTOKEN= HTTP/1.1
GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=content&OWASP_CSRFTOKEN= HTTP/1.1
GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=bottombar&OWASP_CSRFTOKEN= HTTP/1.1

1 个答案:

答案 0 :(得分:2)

XML文档分配了stylesheet

<?xml-stylesheet type='text/xsl' href='/stylesheets/application_internet.xsl'?>

该样式表使Web浏览器将XML转换为HTML,并且该HTML包含三个<frame>标记:

<frameset frameborder="no" framespacing="0">
    <xsl:attribute name="rows">134,*,35</xsl:attribute>
    <!-- always have a topbar -->
    <frame noresize="noresize" name="topbar" marginwidth="0" marginheight="0" scrolling="no">
        <xsl:attribute name="src"><xsl:value-of select="$uri"/>?document=<xsl:value-of select="$document"/>&amp;frame=topbar&amp;OWASP_CSRFTOKEN=<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute>
    </frame>                
    <!-- always have a content row -->
    <frame noresize="noresize" name="content" marginwidth="0" marginheight="0" scrolling="no">
        <xsl:attribute name="src"><xsl:value-of select="$uri"/>?document=<xsl:value-of select="$document"/>&amp;frame=content&amp;OWASP_CSRFTOKEN=<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute>
    </frame>
    <!-- always have a bottombar -->
    <frame noresize="noresize" name="bottombar" marginwidth="0" marginheight="0" scrolling="no">
        <xsl:attribute name="src"><xsl:value-of select="$uri"/>?document=<xsl:value-of select="$document"/>&amp;frame=bottombar&amp;OWASP_CSRFTOKEN=<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute>
    </frame>                
</frameset>

其中:

  • $urihttps://tss.sfs.db.com/investauthenticated/servlet/web/Web

  • $documentindex

  • $owasp_csrftoken为空。

因此产生这个HTML:

<frameset frameborder="no" framespacing="0" rows="134,*,35">
    <!-- always have a topbar -->
    <frame noresize="noresize" name="topbar" marginwidth="0" marginheight="0" scrolling="no" src="https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=topbar&OWASP_CSRFTOKEN="/>
    <!-- always have a content row -->
    <frame noresize="noresize" name="content" marginwidth="0" marginheight="0" scrolling="no" src="https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=content&OWASP_CSRFTOKEN="/>
    <!-- always have a bottombar -->
    <frame noresize="noresize" name="bottombar" marginwidth="0" marginheight="0" scrolling="no" src="https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=bottombar&OWASP_CSRFTOKEN="/>
</frameset>

您看到的是三个网址。