发表新帖
发表新帖

Finding All Insecure Content on a Secure Page

前端 未结
关注
11 938
旧时难觅i
旧时难觅i 2021-01-31 01:16

What\'s the most efficient way to find a list of all non-HTTPS URLs requested by an HTTPS page? If this kind of security violation happens, every browser alerts the user, but I

相关标签:
11条回答
  • 傲寒
    2021-01-31 01:46

    Note, in recent versions of Chrome, these errors will be displayed in the Javascript Console.

    e.g.

    The page at https://mysecuresite.com displayed insecure content from http://unsecuresite.com/some.jpg.
    0 讨论(0)
  • 被撕碎了的回忆
    2021-01-31 01:46

    I just want to leave a note about what happened to me when this problem arose.

    Suddenly my domain showed 'Mixed: Insecure Items'. I couldn't find the cause at all. The console was just showing an image was being requested: http://www.example.com/, Which I could not find any reference to anywhere.

    I searched and searched and eventually found that in the Security Tab of Chrome, Where it was displaying 'Insecure Content' it said 'Show in Network Tab'. When I clicked that, It was showing me the bad URL, again, with no information apart from the Initiatior column. It was showing the image footer_bg.jpg.

    Had someone injected code into my footer background image I wondered? Turns out no, I had inadvertently moved that image yesterday and forgot about it. So the page was requesting an image that wasn't there, returning an error. I fixed the link to the image and page loads securely again.

    Just for anyone else that will possibly have this problem in the future.

    0 讨论(0)
  • 礼貌的吻别
    2021-01-31 01:51

    Recently had the same issue, using chrome developer tool it was easier to find.. In developer tool go to Security tab, you can find all non-https request

    0 讨论(0)
  • 后悔当初
    2021-01-31 01:51

    If you own the website, you should look into the Content-Security-Policy header options. These can include forcing HTTPS on resources, or automatically attempting to redirect HTTP resources to HTTPS, among other things.

    Notably, there is also a report-uri directive for the closely-related Content-Security-Policy-Report-Only header that reports any infractions of your CSP to a uri of your choosing. This means that any browser with support1 for report-uri will send you reports of pages on your site with problematic HTTPS on an ongoing basis. Mozilla Developer Network has a PHP example of handling the reports.

    1 Note that if you can reasonably expect any browser with full CSP(RO) support to hit the pages in question, it doesn't matter that some browsers do not have support for it.

    0 讨论(0)
  • 渐次进展
    2021-01-31 01:54

    You can check https://www.missingpadlock.com/

    Is a online tool for crawl your site for find insecure pages.

    0 讨论(0)
  • 孤独总比滥情好
    2021-01-31 01:54

    Use Burp Suite, set up the scope as your website, browse to the secure page and check which request are made to HTTP version of your website.

    0 讨论(0)
 看不清?
提交回复
热议问题