我正在编写一个脚本来模拟浏览器。正如浏览器登录到 Web 应用程序/网站、获取 cookie 并使用该 cookie 进行进一步请求一样,我也使用脚本执行相同的操作。我能够登录、获取 cookie,并且进一步的请求被拒绝,并出现 403“对象的权限被拒绝”。我尝试像浏览器一样复制确切的请求标头,但仍然遇到相同的错误。服务器上是否有任何东西可以检测到请求来自脚本而不是浏览器?有什么解决办法吗?
认证成功后服务器的响应:
HTTP/1.1 200 OK
Server: XXXXX
Date: Wed, 06 Mar 2024 15:55:45 GMT
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
Cache-Control: no-store
Strict-Transport-Security: max-age=2592000
Set-Cookie: session=00000007-P4liEibOE; path=/; SameSite=Strict; HttpOnly
Content-Type: text/plain
Content-length: 20
下一个请求正文:
curl -X POST https://10.x.x.x/form-submit/Settings/Change \
-H "Accept: */*" \
-H "Accept-Encoding: gzip, deflate, br, zstd" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Connection: keep-alive" \
-H "Content-Length: 32" \
-H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
-H "Cookie: session=00000007-P4liEibOE" \
-H "Host: 10.x.x.x" \
-H "Origin: https://10.x.x.x" \
-H "Referer: https://10.x.x.x/index.htm" \
-H "Sec-Fetch-Dest: empty" \
-H "Sec-Fetch-Mode: cors" \
-H "Sec-Fetch-Site: same-origin" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" \
-H "X-Requested-With: XMLHttpRequest" \
-H "sec-ch-ua: \"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Google Chrome\";v=\"122\"" \
-H "sec-ch-ua-mobile: ?0" \
-H "sec-ch-ua-platform: \"macOS\"" \
您可以通过这种方式包含cookie:
curl --cookie '<cookie-value>' ...
参考此链接:https://curl.se/docs/http-cookies.html 部分:使用curl命令行工具进行Cookie
此外,为了更方便阅读,标题内容可以使用单引号
'"'sec-ch-ua-platform: "macOS"'"sec-ch-ua-platform: \"macOS\""