We send our users emails containing a URL that carries a time-limited access token, base64-encoded, in the query string. In a small number of cases we see users calling our site with a URL that differs from the one we sent. Specifically, the value of the query string parameter has been changed.
Here is an example of such a URL (the token has since expired):
https://example.com?access_token=flWucTdvBvWFHmV4AvVfVaE8dDV9VxcKIDW2.flWjbJDvBvWvMwCxLGB5MF35BJMzYGFkMJVgBGt6ZD35ZmMxLGdkAEZkLGFvYDWyfUBvBwF5ZGZ8BGHlZEZfVzyueDV9ZGLkZwd7AGLjZa3.4WjeBK_dZdtCWk9DeTvDCFhyF6Wkf5BAKdVc1caihkF3xy84M2_EfYEvHMxmyYbgFFjh_K8c42wZJZmWBh84E_ee5TxWyaA_Gbg1TuIuetii4kAa6dfYwTthkFDwbD8W6hV1TAjTGfkDZ35CE-E-HIyGeEj2EJwvtKFzUbLcxcWCZhh-9ilffcfaEeKMFF4Me7ebatcfAkxkeFy7yAvi8etAeMD69BAuxMlb0T2TCfDtUKTazCaFd0t32XwAe61jFuMFaC6dvJ9ELGKLch8YJ8IYIc3AJeC4v4WEHe8wWMVMgmaLKAfvCX--mKBYaxh-ebwKLjdwY3Ke_c1yA2IuBYb8vF9_XFvDvIUFgBM8zeCCH952UvZ6V-BlBev9aK30iLblCXw4F7J0a-_c3YFbFlkfI7eFT4A2bg4DkHuiEEE21DMd5aejueXMdAgX0ehdBMZcj66DTcUD7CJje5cBvZzMxFC8EedE2e66ktFe8Exl8b1d_VYCiEfadBbycheLb5zvk-EzF1CWMbeEAAekAcLBWCEFVAjT6HX3IEZB_YetX80zEKa7VUMvTeFdeXzBE0L-vBDeVb1cEFh2aahccEjIcuAlGLAdagEDGbdt9cgbJ2C6HI92iM9ewB2t4xbbeeZFFVBGUfcKDy7aDyi03_Dw9jLLAFCyDCFj127_U4Z&expires_at=4946228536333
This example is very close to valid: the protocol, host and path have not been modified, the query string parameter names are correct, and the length and type of the parameter values are close to what we expect. The expires_at value should be close to 1613995200000. If you shift each digit individually by 3, you get what might be the original value.
The emails are sent through the SendGrid service using the Nodemailer SMTP transport. The URL is put together using URLSearchParams from Node.js. I am reluctant to believe that our system is sending invalid URLs, since more than 99% of users do not run into this problem, but I don't have detailed enough logs to be sure.
I don't have access to details of my users' networks or mail filters, but I do see users at the same company both with and without this problem. In case it might be caused by some kind of encoding header mismatch, I'm including a complete example of the raw headers and content of one of our emails:
Delivered-To: recipient@qvest.io
Received: by 2002:ac0:b64a:0:0:0:0:0 with SMTP id n10csp3067913ime;
Mon, 8 Feb 2021 06:00:04 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzmj9vRTtmN1IvVePlQBoEcReWgLQ0PonOzbLDHRnRc8DxWpGSKidkZ3OZPE6pAMBVTnEbu
X-Received: by 2002:a05:6e02:1b84:: with SMTP id h4mr15215295ili.196.1612792804205;
Mon, 08 Feb 2021 06:00:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1612792804; cv=none;
d=google.com; s=arc-20160816;
b=o6BmAjDW2hu85OH++kbsbsOI77j4muGr6xny8LN4LS0QawzIgSCMrEMMFjWyZKiXwg
pJNiyxIKBEP4hfWRBB4aDGNjAi6LROvCYX9mTZG8f5Yx5kd9U8gh5dhDLWQPTxh8Ix1h
CW7Aan0v7E3TzHDTDV/HmmOqY6cbx+d8QZujuswankoPdqSIOkGPp7FlaO617C82z5Ce
HIlTmKPXFngSkVW98UxtnGtvAjWuwpcMqOkIOHLJspfW183lDHBfg6ZOqQrWIfdGvet3
Wr9kgvABU88bjqa41/LonF28jm88n4nI/5QYJVQGmQV7ELNVbWFZGaeO1m+J+ellFZ9h
FHwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:to:reply-to:mime-version:date
:content-transfer-encoding:message-id:subject:from:dkim-signature;
bh=QQMlgBEIEaxfQJ5P0N6Esf+zceZ2+qccFfw1P3Vcra0=;
b=IOj2OtO9nFaNkW8JelpoEe9NHJEBIZnKn2HOqEbE9D95YwH0VqPzQn0dScsZJs6YCf
aj8gbOzAj2m68GSBMtPN+9YbauZR+1Ygo+qxSGzjtngk71e+oGcfNJuoxQNS3qWJ4I8y
O44MEFNZx/yIRsl8Sj1PMwkOgyi1NLLJGoRSLv2TGgDxfJXsqj/5IiDlhBESy0ONDuL1
ZWz0Revg4BpcJ3dI0eqf0ljtiUQSAyn1fFi/+JHUBM5/oXqmW0LL1QRHxZte7d11NW8t
Rs2K0RpuFMdZFzf/vhE5qvCxtGJokqQoOwWH7zfyPka+2CMaH3VV/DpMRL/txrp89yH2
qy+g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@qvest.io header.s=s1 header.b=LnUXPA7s;
spf=pass (google.com: domain of bounces+6645413-7961-recipient=qvest.io@em9402.qvest.io designates 168.245.121.57 as permitted sender) smtp.mailfrom="bounces+6645413-7961-recipient=qvest.io@em9402.qvest.io";
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qvest.io
Return-Path: <bounces+6645413-7961-recipient=qvest.io@em9402.qvest.io>
Received: from o1.notify.qvest.io (o1.notify.qvest.io. [168.245.121.57])
by mx.google.com with ESMTPS id o9si15771544ilu.103.2021.02.08.06.00.03
for <recipient@qvest.io>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Mon, 08 Feb 2021 06:00:04 -0800 (PST)
Received-SPF: pass (google.com: domain of bounces+6645413-7961-recipient=qvest.io@em9402.qvest.io designates 168.245.121.57 as permitted sender) client-ip=168.245.121.57;
Authentication-Results: mx.google.com;
dkim=pass header.i=@qvest.io header.s=s1 header.b=LnUXPA7s;
spf=pass (google.com: domain of bounces+6645413-7961-recipient=qvest.io@em9402.qvest.io designates 168.245.121.57 as permitted sender) smtp.mailfrom="bounces+6645413-7961-recipient=qvest.io@em9402.qvest.io";
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qvest.io
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qvest.io; h=content-type:from:subject:content-transfer-encoding:mime-version: reply-to:to:list-unsubscribe; s=s1; bh=QQMlgBEIEaxfQJ5P0N6Esf+zceZ2+qccFfw1P3Vcra0=; b=LnUXPA7swjX2NjzJ2TvETSJY5VT80AbEjWSwNcMYGw4MkfSYzVcaRAFwpmyp1G2scMg0 /OFqLVBN86MCPcybH+vVREbdOGcPEMIxaS5nAHMMwDCsXJE8IUe4+CiKwHXM9zMd676d+D ymYO442JwLoOBz22iAFyRjX56z8Sw4HiA=
Received: by filterdrecv-p3mdw1-689c95dc44-9222s with SMTP id filterdrecv-p3mdw1-689c95dc44-9222s-20-602143E2-164
2021-02-08 14:00:02.769325447 +0000 UTC m=+418785.634806042
Received: from [127.0.0.1] (unknown) by ismtpd0004p1lon1.sendgrid.net (SG) with ESMTP id wSs4J7aLQt-9UHbZ3GKoTg for <recipient@qvest.io>; Mon, 08 Feb 2021 14:00:02.608 +0000 (UTC)
Content-Type: text/html; charset=iso-8859-1
From: "Qvest" <noreply@qvest.io>
Subject: Subject
Content-Transfer-Encoding: quoted-printable
Date: Mon, 08 Feb 2021 14:00:02 +0000 (UTC)
MIME-Version: 1.0
Reply-To: "Qvest Support" <support@qvest.io>
To: Recipient <recipient@qvest.io>
<!DOCTYPE html>
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<head>
<meta charset=3D"UTF-8">
<meta http-equiv=3D"x-ua-compatible" content=3D"ie=3Dedge">
<title>Title</title>
<meta name=3D"viewport" content=3D"width=3Ddevice-width, initial-scale=
=3D1">
</head>
<body>
<a href=
=3D"https://example.com?access_token=eyJhbGciOiJSUz=
I1NiIsInR5cCI6IkpXVCJ9.eyJwaWQiOiI5ZDE0MTc5Ni02YTEyLTExZWItOWY4YS01N2IyN2U2=
NTczMGIiLCJleHAiOjE2MTQwMDI0MDMsImlhdCI6MTYxMjc5MjgwMn0.t7km4fdjgRHvggNcPFi=
mZZzwFsvhvBaUlD2q0MEvKRtEOSDcs6oZ_vt2A9A0qNKk_hhLCFhZbaXaRjexsr4b8-XCEiRrPE=
atLSq0EcE9P3W2kqyut4_8_2Apvm03fiR6gQkfQXwosfHVPT3aULtQ_xUyRNydG10ChTM-hfYtD=
yvavPivP9gpN82pSzMk4DBR_HztHEFDGbbgDnzQ6d_j4kj8bcQXGdWTlw_eefA7H9i7WqvD_6pK=
LsaEjODCt7Ys4UIRBKvhulFfatdQXTOnXvMoIUIjavHHbDrTaZKr53P5DHRsZXPhDGMXjxYfbhk=
GmoFALLGgwxmwNpkVMJaDLH1EyQ_avo9TXjtEcoPVXd3vWddoYEpX5QcOrK1O1NYCS8A_KQiRcZ=
ZMAujzRs65SJ--NQUPKr1_jwfcRgcUwB-10nJjet1G0U2uajDktlc5uqE9aqW7Mnhxn9pJ8WqUE=
eIrnViqCYfAAyAZRMqneJi9WOmaYm4DohkZHQ0er6Z4gsRDIV8Dwy4vFCwbrNvw2PWuVTh7R9U8=
Nu784UOFyzDUw2HRDEJVqXYp-4VgmSlF5GG8h9TFVTrSycA7hr2K46RXidGIHLbeHp6twiN7_pO=
7uRqAzrGBcaXb4Xf0HEp1TpHOFK3AJyMHdda_lGB_X_Ht2LBWT4mPaN7OJBi1-xg&expire=
s_at=1614002403000">this link</a>
</html>
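The comparison the question makes by eye, as an added Node.js example (not code from the original post or from the poster's system): unfold the mailed link from the quoted-printable body above, compare it structurally with the altered URL at the top of the question, and test the "shift every digit by 3" hypothesis for expires_at. It uses only the URL and Buffer built-ins. The expected-expiry constant and the one-day tolerance are assumptions taken from the post's own estimate that the value "should be close to 1613995200000"; the plausibleShifts helper generalises the post's single observation by trying every per-digit shift.

```javascript
// Added example, not code from the original post: reproduce the manual
// comparison of the mailed link with the tampered one in Node.js.

// The <a href> from the quoted-printable HTML body in the post, verbatim.
const QP_ANCHOR = `<a href=
=3D"https://example.com?access_token=eyJhbGciOiJSUz=
I1NiIsInR5cCI6IkpXVCJ9.eyJwaWQiOiI5ZDE0MTc5Ni02YTEyLTExZWItOWY4YS01N2IyN2U2=
NTczMGIiLCJleHAiOjE2MTQwMDI0MDMsImlhdCI6MTYxMjc5MjgwMn0.t7km4fdjgRHvggNcPFi=
mZZzwFsvhvBaUlD2q0MEvKRtEOSDcs6oZ_vt2A9A0qNKk_hhLCFhZbaXaRjexsr4b8-XCEiRrPE=
atLSq0EcE9P3W2kqyut4_8_2Apvm03fiR6gQkfQXwosfHVPT3aULtQ_xUyRNydG10ChTM-hfYtD=
yvavPivP9gpN82pSzMk4DBR_HztHEFDGbbgDnzQ6d_j4kj8bcQXGdWTlw_eefA7H9i7WqvD_6pK=
LsaEjODCt7Ys4UIRBKvhulFfatdQXTOnXvMoIUIjavHHbDrTaZKr53P5DHRsZXPhDGMXjxYfbhk=
GmoFALLGgwxmwNpkVMJaDLH1EyQ_avo9TXjtEcoPVXd3vWddoYEpX5QcOrK1O1NYCS8A_KQiRcZ=
ZMAujzRs65SJ--NQUPKr1_jwfcRgcUwB-10nJjet1G0U2uajDktlc5uqE9aqW7Mnhxn9pJ8WqUE=
eIrnViqCYfAAyAZRMqneJi9WOmaYm4DohkZHQ0er6Z4gsRDIV8Dwy4vFCwbrNvw2PWuVTh7R9U8=
Nu784UOFyzDUw2HRDEJVqXYp-4VgmSlF5GG8h9TFVTrSycA7hr2K46RXidGIHLbeHp6twiN7_pO=
7uRqAzrGBcaXb4Xf0HEp1TpHOFK3AJyMHdda_lGB_X_Ht2LBWT4mPaN7OJBi1-xg&expire=
s_at=1614002403000">this link</a>`;

// The altered URL the server actually received (from the top of the post).
const RECEIVED_URL = "https://example.com?access_token=flWucTdvBvWFHmV4AvVfVaE8dDV9VxcKIDW2.flWjbJDvBvWvMwCxLGB5MF35BJMzYGFkMJVgBGt6ZD35ZmMxLGdkAEZkLGFvYDWyfUBvBwF5ZGZ8BGHlZEZfVzyueDV9ZGLkZwd7AGLjZa3.4WjeBK_dZdtCWk9DeTvDCFhyF6Wkf5BAKdVc1caihkF3xy84M2_EfYEvHMxmyYbgFFjh_K8c42wZJZmWBh84E_ee5TxWyaA_Gbg1TuIuetii4kAa6dfYwTthkFDwbD8W6hV1TAjTGfkDZ35CE-E-HIyGeEj2EJwvtKFzUbLcxcWCZhh-9ilffcfaEeKMFF4Me7ebatcfAkxkeFy7yAvi8etAeMD69BAuxMlb0T2TCfDtUKTazCaFd0t32XwAe61jFuMFaC6dvJ9ELGKLch8YJ8IYIc3AJeC4v4WEHe8wWMVMgmaLKAfvCX--mKBYaxh-ebwKLjdwY3Ke_c1yA2IuBYb8vF9_XFvDvIUFgBM8zeCCH952UvZ6V-BlBev9aK30iLblCXw4F7J0a-_c3YFbFlkfI7eFT4A2bg4DkHuiEEE21DMd5aejueXMdAgX0ehdBMZcj66DTcUD7CJje5cBvZzMxFC8EedE2e66ktFe8Exl8b1d_VYCiEfadBbycheLb5zvk-EzF1CWMbeEAAekAcLBWCEFVAjT6HX3IEZB_YetX80zEKa7VUMvTeFdeXzBE0L-vBDeVb1cEFh2aahccEjIcuAlGLAdagEDGbdt9cgbJ2C6HI92iM9ewB2t4xbbeeZFFVBGUfcKDy7aDyi03_Dw9jLLAFCyDCFj127_U4Z&expires_at=4946228536333";

// Reassemble the link: drop quoted-printable soft line breaks ("=" at end of
// line) and decode the =3D escapes. Only =3D is decoded on purpose: the anchor
// as pasted in the post leaves the "=" inside the query string bare, so a
// generic =XX pass would turn "expires_at=16..." into a control byte.
function unfoldAnchor(qp) {
  return qp.replace(/=\r?\n/g, "").replace(/=3D/g, "=");
}

const MAILED_URL = unfoldAnchor(QP_ANCHOR).match(/href="([^"]+)"/)[1];

// base64url segment -> parsed JSON, or null when it does not decode to JSON.
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

// Pull one link apart: where it points, which params it carries, and whether
// the token still decodes as a JWT whose exp (seconds) matches expires_at (ms).
function inspectUrl(raw) {
  const u = new URL(raw);
  const token = u.searchParams.get("access_token") || "";
  const segments = token.split(".");
  const [header, payload] = segments.map(b64urlToJson);
  const expiresAt = u.searchParams.get("expires_at") || "";
  return {
    origin: u.origin,
    path: u.pathname,
    paramNames: [...u.searchParams.keys()].sort(),
    segmentLengths: segments.map((s) => s.length),
    header,
    payload,
    expiresAt,
    expiresMatchesExp: payload !== null && String(payload.exp * 1000) === expiresAt,
  };
}

// The structural comparison from the post: same origin/path and param names,
// same number of token segments with the same lengths, yet does it decode?
function compareLinks(mailedRaw, receivedRaw) {
  const a = inspectUrl(mailedRaw);
  const b = inspectUrl(receivedRaw);
  return {
    sameOriginAndPath: a.origin === b.origin && a.path === b.path,
    sameParamNames: a.paramNames.join(",") === b.paramNames.join(","),
    sameSegmentCount: a.segmentLengths.length === b.segmentLengths.length,
    segmentLengthDelta: b.segmentLengths.map((n, i) => n - (a.segmentLengths[i] || 0)),
    receivedDecodes: b.header !== null && b.payload !== null,
  };
}

// Undo a per-digit shift of k (mod 10) without touching any other character.
function unshiftDigits(str, k) {
  return str.replace(/\d/g, (d) => String((Number(d) - k + 10) % 10));
}

// Try every shift 0..9 and report those that land near the expiry the link
// should carry; generalises the post's "shift every digit by 3" observation.
function plausibleShifts(expiresAt, expectedMs, toleranceMs) {
  const hits = [];
  for (let k = 0; k < 10; k++) {
    const candidate = Number(unshiftDigits(expiresAt, k));
    if (Math.abs(candidate - expectedMs) <= toleranceMs) hits.push(k);
  }
  return hits;
}

// Assumed from the post: the tampered link's expiry "should be close to"
// 1613995200000; one day is a generous tolerance for a time-limited token.
const EXPECTED_EXPIRY_MS = 1613995200000;
const ONE_DAY_MS = 24 * 60 * 60 * 1000;

console.log(inspectUrl(MAILED_URL).payload);
console.log(compareLinks(MAILED_URL, RECEIVED_URL));
const tamperedExpiry = new URL(RECEIVED_URL).searchParams.get("expires_at");
console.log(plausibleShifts(tamperedExpiry, EXPECTED_EXPIRY_MS, ONE_DAY_MS));
```

Run with `node` and no dependencies. The mailed token decodes to an RS256 JWT whose exp claim, multiplied by 1000, equals its expires_at; the received token has the same three-segment shape and the same header and payload lengths but neither segment is JSON any more, and only a shift of 3 brings 4946228536333 back to a timestamp in the expected window (1613995203000).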
TL;DR: It's users who have Microsoft Advanced Threat Protection enabled on their account or domain.
I have exactly the same issue with a base64-encoded JSON string being corrupted in the same way; see my investigation here, where I have collected some more information relevant to you.
I have sent two emails to Microsoft's NOC/Abuse contacts but have not received a reply yet.
Regarding the other answers:
- The bad email client and/or bad header encoding explanation is very unlikely, since these requests come from IP addresses owned by Microsoft. I have collated and verified this (I have a list of 6,924 subnets and 11,043 accessing IP addresses).
Furthermore, according to my analytics tracking, these sessions have no human activity associated with them after the visit. For example, I have an error page that invites them to send me support information, and nobody (out of 11,000+ requests) has, whereas for other issues I do get support requests from users.