Track a link click with ampersand and without front-end javascript
In my NodeJS application I provide links to external websites. These take a lot of effort to find, and I want to track the number of clicks. I would prefer to avoid front-end JavaScript, because I have it disabled in my browser. So far I have been using query parameters, for example:
router.get('/redir', async (req, res) => {
  // query-string parameters are exposed on req.query in Express;
  // req.params only holds route parameters such as /redir/:url
  let url = req.query.url;
  // my own tracking logic
  // ...
  res.redirect(url);
});
This code fails for links that already contain GET parameters, question marks and ampersands. I tried this:
router.get('/redir/:url', async (req, res) => {
  // a route parameter cannot contain '/', so a full URL such as
  // https://example.com/page never matches this pattern
  let url = req.params.url;
  res.redirect(url);
});
The route is not even called. How can I track clicks on links that already contain ? and &?
Thanks to the comments, here is one approach:
// allowlist of permitted destinations (sample entry, replace with your own)
const authorizedUrls = ["https://example.com/page?a=1&b=2"];

router.get('/redir', async (req, res) => {
  // take everything after "/redir?url=" verbatim, so '?' and '&' in the
  // destination are not split into separate query parameters
  let url = req.originalUrl.replace("/redir?url=", "");
  // logic: verify that this redirect is authorized to avoid Open Redirect and phishing.
  if (authorizedUrls.includes(url)) {
    return res.redirect(url);
  }
  return res.redirect("/404");
});
You should check that the URL is authorized to avoid an Open Redirect, a highly dangerous phishing technique listed as Common Weakness Enumeration 601:
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Extended Description
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.