| \u9884\u68c0\u8bf7\u6c42\u7684\u7f13\u5b58\u65f6\u95f4,\u5355\u4f4d\u79d2(\u51cf\u5c11\u91cd\u590d\u9884\u68c0)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u793a\u4f8b\u54cd\u5e94\u5934(\u914d\u7f6e\u793a\u4f8b):<\/p>\n Access-Control-Allow-Origin: https:\/\/a.com
\nAccess-Control-Allow-Credentials: true
\nAccess-Control-Allow-Methods: GET, POST, PUT
\nAccess-Control-Allow-Headers: Content-Type, Authorization
\nAccess-Control-Max-Age: 3600<\/p>\n 4.\u00a0CORS \u5b89\u5168\u98ce\u9669\u4e0e\u653b\u51fb\u5229\u7528<\/h4>\n\u867d\u7136 CORS \u662f\u4e3a\u4e86\u5b89\u5168\u800c\u8bbe\u8ba1\u7684,\u4f46\u914d\u7f6e\u4e0d\u5f53\u53cd\u800c\u4f1a\u6210\u4e3a\u6f0f\u6d1e\u5165\u53e3,\u653b\u51fb\u8005\u53ef\u4ee5\u501f\u6b64\u53d1\u8d77\u653b\u51fb:<\/p>\n 1)Access-Control-Allow-Origin: *<\/p>\n \u5982\u679c\u670d\u52a1\u7aef\u8bbe\u7f6e\u4e86:<\/p>\n Access-Control-Allow-Origin: *<\/p>\n \u4e14\u63a5\u53e3\u8fd8\u8fd4\u56de\u4e86\u654f\u611f\u4fe1\u606f\u6216\u7528\u6237\u9690\u79c1\u6570\u636e(\u5982\u767b\u5f55\u6001\u3001\u8ba2\u5355\u3001\u94f6\u884c\u5361),\u5c31\u5141\u8bb8\u4efb\u610f\u7f51\u7ad9\u8de8\u57df\u8bfb\u53d6\u7528\u6237\u6570\u636e,\u8fd9\u662f\u4e25\u91cd\u6f0f\u6d1e!<\/p>\n \u5c24\u5176\u5371\u9669\u5f53\u8fd8\u8bbe\u7f6e\u4e86 Access-Control-Allow-Credentials: true!<\/p>\n 2)\u53cd\u5c04\u578b Origin \u6821\u9a8c\u7ed5\u8fc7<\/p>\n \u6709\u4e9b\u670d\u52a1\u7aef\u5199\u6cd5\u662f:<\/p>\n res.setHeader("Access-Control-Allow-Origin", req.headers.origin);<\/p>\n \u8fd9\u4f1a\u5bfc\u81f4\u4efb\u610f Origin \u90fd\u80fd\u88ab\u670d\u52a1\u7aef\u53cd\u5c04,\u5982\u679c\u6ca1\u6709\u505a\u767d\u540d\u5355\u6821\u9a8c,\u975e\u5e38\u5371\u9669!<\/p>\n 3)\u670d\u52a1\u7aef\u914d\u7f6e\u9519\u8bef\u5bfc\u81f4\u653b\u51fb\u8005\u7f51\u7ad9\u53ef\u4ee5\u53d1\u8bf7\u6c42\u8bfb\u53d6\u6570\u636e<\/p>\n \u653b\u51fb\u8005\u53ea\u9700\u4f2a\u9020\u9875\u9762,\u5728 victim \u7528\u6237\u6253\u5f00\u540e\u5373\u53ef\u8bfb\u53d6\u5176\u5728\u771f\u5b9e\u7f51\u7ad9\u4e2d\u7684\u6570\u636e:<\/p>\n fetch("https:\/\/bank.com\/api\/user", {
\n credentials: 'include'
\n})
\n.then(res => res.json())
\n.then(data => {
\n \/\/ \u653b\u51fb\u8005\u8bfb\u53d6\u7528\u6237\u6570\u636e
\n sendToMe(data);
\n});<\/p>\n 5.\u00a0\u6e17\u900f\u6d4b\u8bd5\u4e2d\u5982\u4f55\u68c0\u6d4b CORS \u95ee\u9898?<\/h4>\n\u5e38\u7528\u65b9\u6cd5:<\/p>\n \n- \n
\u7528 Burp Suite \u4fee\u6539 Origin \u5934,\u6d4b\u8bd5\u662f\u5426\u88ab\u5141\u8bb8<\/p>\n<\/li>\n - \n
\u4fee\u6539 Access-Control-Allow-Credentials \u4e3a true,\u89c2\u5bdf\u54cd\u5e94\u5934\u662f\u5426\u653e\u5f00<\/p>\n<\/li>\n - \n
\u7528 curl \u6216 Postman \u6784\u9020 OPTIONS \u8bf7\u6c42,\u67e5\u770b\u670d\u52a1\u5668\u662f\u5426\u54cd\u5e94\u9884\u68c0<\/p>\n<\/li>\n<\/ul>\n 6.\u00a0\u5b89\u5168\u914d\u7f6e\u5efa\u8bae<\/h4>\n\n\u9879\u76ee\u5efa\u8bae\u914d\u7f6e<\/tr>\n \n\n| Access-Control-Allow-Origin<\/td>\n | \u53ea\u5141\u8bb8\u660e\u786e\u7684\u767d\u540d\u5355\u57df\u540d<\/td>\n<\/tr>\n | \n| Access-Control-Allow-Credentials<\/td>\n | \u4ec5\u5728\u786e\u5b9e\u9700\u8981\u65f6\u8bbe\u7f6e\u4e3a true,\u5e76\u4e0d\u80fd\u4e0e * \u540c\u65f6\u4f7f\u7528<\/td>\n<\/tr>\n | \n| Access-Control-Allow-Headers<\/td>\n | \u63a7\u5236\u5141\u8bb8\u7684\u81ea\u5b9a\u4e49\u5934,\u907f\u514d\u8fc7\u5bbd<\/td>\n<\/tr>\n | \n| \u68c0\u67e5 Origin \u767d\u540d\u5355<\/td>\n | \u4e0d\u8981\u7b80\u5355\u53cd\u5c04\u8bf7\u6c42\u5934,\u8981\u4e25\u683c\u6821\u9a8c\u5408\u6cd5\u57df\u540d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n7.\u00a0\u5e38\u7528\u8c03\u8bd5\u5de5\u5177<\/h4>\n\n\u5de5\u5177\u7528\u9014<\/tr>\n \n\n| Chrome DevTools – Network<\/td>\n | \u67e5\u770b\u8bf7\u6c42\u662f\u5426\u88ab CORS \u62e6\u622a<\/td>\n<\/tr>\n | \n| curl<\/td>\n | \u6784\u9020\u8de8\u57df\u548c\u9884\u68c0\u8bf7\u6c42<\/td>\n<\/tr>\n | \n| Postman<\/td>\n | \u6a21\u62df\u8bf7\u6c42(\u6ce8\u610f Postman \u4e0d\u53d7 SOP \u9650\u5236)<\/td>\n<\/tr>\n | \n| Burp Suite<\/td>\n | \u52ab\u6301 Origin \u5934,\u6d4b\u8bd5\u670d\u52a1\u7aef\u914d\u7f6e<\/td>\n<\/tr>\n | \n| CORS Everywhere \u63d2\u4ef6<\/td>\n | \u6d4b\u8bd5\u8de8\u57df\u8c03\u8bd5(\u4ec5\u5f00\u53d1\u7528)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\u516b\u3001URL \u7f16\u7801<\/h3>\nURL \u7f16\u7801,\u53c8\u53eb \u767e\u5206\u53f7\u7f16\u7801(Percent Encoding),\u662f\u4e3a\u4e86\u5c06 URL \u4e2d\u4e0d\u5141\u8bb8\u51fa\u73b0\u7684\u7279\u6b8a\u5b57\u7b26 \u8f6c\u6362\u4e3a\u5408\u6cd5\u683c\u5f0f,\u4fbf\u4e8e\u5b89\u5168\u4f20\u8f93\u3002<\/p>\n URL \u53ea\u80fd\u4f7f\u7528 ASCII \u5b57\u7b26\u96c6,\u4e0d\u80fd\u76f4\u63a5\u5305\u542b:<\/p>\n \n- \n
\u7a7a\u683c( )<\/p>\n<\/li>\n - \n
\u4e2d\u6587(\u5982 \u4f60\u597d)<\/p>\n<\/li>\n - \n
\u7279\u6b8a\u7b26\u53f7(\u5982 #\u3001&\u3001?\u3001=, \/ \u7b49)<\/p>\n<\/li>\n<\/ul>\n \u6240\u4ee5\u9700\u8981\u5c06\u8fd9\u4e9b\u5b57\u7b26\u8fdb\u884c\u7f16\u7801,\u624d\u80fd\u6b63\u786e\u4f20\u9012\u7ed9\u670d\u52a1\u5668\u3002<\/p>\n 1.\u00a0URL \u7f16\u7801\u7684\u539f\u7406<\/h4>\n\u683c\u5f0f\u4e3a:<\/p>\n % + \u4e24\u4f4d\u5341\u516d\u8fdb\u5236\u8868\u793a\u7684 ASCII \u7801<\/p>\n \u793a\u4f8b:<\/p>\n \n\u5b57\u7b26ASCIIURL \u7f16\u7801<\/tr>\n \n\n| \u7a7a\u683c<\/td>\n | 0x20<\/td>\n | %20(\u6216 +)<\/td>\n<\/tr>\n | \n| +<\/td>\n | 0x2B<\/td>\n | %2B<\/td>\n<\/tr>\n | \n| \/<\/td>\n | 0x2F<\/td>\n | %2F<\/td>\n<\/tr>\n | \n| ?<\/td>\n | 0x3F<\/td>\n | %3F<\/td>\n<\/tr>\n | \n| =<\/td>\n | 0x3D<\/td>\n | %3D<\/td>\n<\/tr>\n | \n| &<\/td>\n | 0x26<\/td>\n | %26<\/td>\n<\/tr>\n | \n| #<\/td>\n | 0x23<\/td>\n | %23<\/td>\n<\/tr>\n | \n| \u4e2d\u6587 \u201c\u4f60\u201d<\/td>\n | U+4F60<\/td>\n | %E4%BD%A0(UTF-8 \u7f16\u7801\u540e\u518d\u8f6c\u4e3a\u5341\u516d\u8fdb\u5236)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n2. \u54ea\u4e9b\u5b57\u7b26\u9700\u8981\u88ab\u7f16\u7801?<\/h4>\n\n\u7c7b\u578b\u662f\u5426\u9700\u8981\u7f16\u7801<\/tr>\n \n\n| \u82f1\u6587\u5b57\u6bcd A\u2013Z\u3001a\u2013z<\/td>\n | \u00a0\u4e0d\u9700\u8981<\/td>\n<\/tr>\n | \n| \u6570\u5b57 0\u20139<\/td>\n | \u00a0\u4e0d\u9700\u8981<\/td>\n<\/tr>\n | \n| \u5b89\u5168\u5b57\u7b26 – _ . ~<\/td>\n | \u00a0\u4e0d\u9700\u8981<\/td>\n<\/tr>\n | \n| \u7a7a\u683c<\/td>\n | \u00a0\u9700\u7f16\u7801\u4e3a %20 \u6216 +(\u5728 application\/x-www-form-urlencoded \u4e2d)<\/td>\n<\/tr>\n | \n| \u5176\u5b83\u5b57\u7b26\u5982 : \/ ? # & = %<\/td>\n | \u00a0\u5fc5\u987b\u7f16\u7801<\/td>\n<\/tr>\n | \n| \u975e ASCII \u5b57\u7b26(\u5982\u4e2d\u6587)<\/td>\n | \u00a0\u5fc5\u987b\u7f16\u7801<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n3.\u00a0URL \u7f16\u7801\u7684\u4f7f\u7528\u4f4d\u7f6e<\/h4>\n1)\u6d4f\u89c8\u5668\u5730\u5740\u680f\u4e2d\u7684\u53c2\u6570:<\/p>\n GET \/search?q=%E5%BC%A0%E4%B8%89 HTTP\/1.1<\/p>\n 2)\u8868\u5355\u63d0\u4ea4\u65f6:<\/p>\n \u8868\u5355 Content-Type: application\/x-www-form-urlencoded \u65f6,\u8868\u5355\u5b57\u6bb5\u4f1a\u88ab URL \u7f16\u7801<\/p>\n 3)AJAX\u3001Fetch \u8bf7\u6c42\u4e2d\u53c2\u6570\u62fc\u63a5<\/p>\n 4)\u7f16\u7801\u654f\u611f\u5b57\u7b26\u4ee5\u9632\u6b62\u53c2\u6570\u6c61\u67d3\u3001\u89e3\u6790\u9519\u8bef<\/p>\n 4.\u00a0Web \u5b89\u5168\u4e2d\u7684 URL \u7f16\u7801(\u7ed5\u8fc7\u6280\u5de7)<\/h4>\n1)\u53c2\u6570\u6df7\u6dc6\u7ed5\u8fc7\u9632\u706b\u5899(WAF):<\/p>\n \u5047\u5982 WAF \u62e6\u622a ..\/..\/etc\/passwd,\u4f60\u53ef\u80fd\u8bd5\u8bd5:<\/p>\n \n- \n
%2e%2e%2f%2e%2e%2fetc%2fpasswd<\/p>\n<\/li>\n - \n
%252e%252e%252f(\u53cc\u91cd\u7f16\u7801\u7ed5\u8fc7)<\/p>\n<\/li>\n - \n
%c0%ae%c0%ae%c0%af<\/p>\n<\/li>\n<\/ul>\n 2)XSS \u5229\u7528\u4e2d:<\/p>\n <script>alert(1)<\/script><\/p>\n \u7f16\u7801\u540e\u53d8\u4e3a:<\/p>\n %3Cscript%3Ealert(1)%3C%2Fscript%3E<\/p>\n WAF \u53ef\u80fd\u6ca1\u80fd\u8bc6\u522b\u6240\u6709\u7f16\u7801\u5f62\u5f0f,\u4ece\u800c\u5b9e\u73b0\u7ed5\u8fc7\u3002<\/p>\n 3)SQL \u6ce8\u5165\u6df7\u6dc6:<\/p>\n ?id=1%20OR%201=1<\/p>\n \u7f16\u7801\u4e86\u7a7a\u683c,\u9632\u6b62\u88ab\u62e6\u622a\u3002<\/p>\n 5.\u00a0\u7f16\u7801\/\u89e3\u7801\u5de5\u5177<\/h4>\n1)Python \u4ee3\u7801\u6f14\u793a:<\/p>\n from urllib.parse import quote, unquote<\/p>\n # \u7f16\u7801\u4e2d\u6587
\ns = "\u4f60\u597d world!"
\nencoded = quote(s) # %E4%BD%A0%E5%A5%BD%20world%21
\nprint(encoded)<\/p>\n # \u89e3\u7801
\nprint(unquote(encoded)) # \u4f60\u597d world!<\/p>\n 2)Burp Suite \u89e3\u7801\u5de5\u5177:<\/p>\n \u5728 Repeater\/Decoder \u6807\u7b7e\u9875\u53ef\u4ee5\u5feb\u901f Base64\u3001URL\u3001HTML\u3001Unicode \u7f16\u89e3\u7801<\/p>\n 3)Chrome \u63a7\u5236\u53f0:<\/p>\n encodeURIComponent("\u4f60\u597d&=123")
\n\/\/ \u8f93\u51fa:"%E4%BD%A0%E5%A5%BD%26%3D123"<\/p>\n 6.\u00a0\u5e38\u89c1\u7f16\u7801\u9677\u9631\u4e0e\u9519\u8bef<\/h4>\n\n\u95ee\u9898\u8bf4\u660e<\/tr>\n \n\n| \u91cd\u590d\u7f16\u7801<\/td>\n | \u5982 %252e \u662f %2e \u7684\u518d\u7f16\u7801(\u53cc\u91cd\u7f16\u7801),\u670d\u52a1\u5668\u53ef\u80fd\u89e3\u7801\u4e24\u6b21<\/td>\n<\/tr>\n | \n| \u7f16\u7801\u4f4d\u7f6e\u9519\u8bef<\/td>\n | \u7f16\u7801\u503c\u9519\u653e\u5728 URL path \u6216 query \u4e2d,\u53ef\u80fd\u5bfc\u81f4\u8def\u5f84\u89e3\u6790\u9519\u8bef<\/td>\n<\/tr>\n | \n| \u7f16\u7801\u4e0d\u4e00\u81f4<\/td>\n | \u524d\u7aef\u7528 encodeURIComponent,\u540e\u7aef\u6ca1\u5bf9\u5e94\u89e3\u7801,\u4f1a\u5bfc\u81f4\u53c2\u6570\u4e22\u5931<\/td>\n<\/tr>\n | \n| \u7f16\u7801\u7ed5\u8fc7\u9632\u5fa1<\/td>\n | \u9632\u5fa1\u673a\u5236\u53ea\u68c0\u67e5\u539f\u59cb\u5b57\u7b26\u4e32,\u672a\u89e3\u7801\u5904\u7406,\u6613\u88ab\u7ed5\u8fc7<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n7.\u00a0\u4e0e\u5176\u4ed6\u7f16\u7801\u65b9\u5f0f\u5bf9\u6bd4<\/h4>\n\n\u7f16\u7801\u65b9\u5f0f\u7528\u9014\u662f\u5426\u5b89\u5168<\/tr>\n \n\n| URL \u7f16\u7801<\/td>\n | \u6d4f\u89c8\u5668\u4f20\u53c2\u3001Form \u8868\u5355<\/td>\n | \u00a0\u662f\u00a0 \u00a0 \u00a0 \u9632\u6b62\u683c\u5f0f\u9519\u4e71,\u4f46\u975e\u52a0\u5bc6<\/td>\n<\/tr>\n | \n| Base64 \u7f16\u7801<\/td>\n | \u6570\u636e\u4f20\u8f93(\u5982\u56fe\u7247\u3001JWT)<\/td>\n | \u00a0\u5426\u00a0 \u00a0 \u00a0 \u4ec5\u7f16\u7801,\u975e\u52a0\u5bc6<\/td>\n<\/tr>\n | \n| HTML \u5b9e\u4f53\u7f16\u7801<\/td>\n | \u9632\u6b62 XSS \u6ce8\u5165<\/td>\n | \u00a0\u662f\u00a0 \u00a0 \u00a0 \u5982 < \u7f16\u7801\u4e3a <<\/td>\n<\/tr>\n | \n| JavaScript \u8f6c\u4e49<\/td>\n | \u9632\u6b62 XSS,\u7ed5\u8fc7 JS \u89e3\u6790<\/td>\n | \u00a0\u662f\u00a0 \\\\x3C \u662f <<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u603b\u7ed3<\/h4>\n\n\u9879\u76ee\u8bf4\u660e<\/tr>\n \n\n| \u7f16\u7801\u89c4\u5219<\/td>\n | % + \u4e24\u4f4d\u5341\u516d\u8fdb\u5236 ASCII<\/td>\n<\/tr>\n | \n| \u7a7a\u683c<\/td>\n | %20 \u6216 +(\u8868\u5355)<\/td>\n<\/tr>\n | \n| \u4e2d\u6587<\/td>\n | UTF-8 \u2192 hex \u2192 %XX \u683c\u5f0f<\/td>\n<\/tr>\n | \n| \u5b89\u5168\u7528\u9014<\/td>\n | \u9632\u6b62\u53c2\u6570\u9519\u4e71\u3001WAF \u7ed5\u8fc7\u3001XSS \u6df7\u6dc6<\/td>\n<\/tr>\n | \n| \u5b89\u5168\u98ce\u9669<\/td>\n | \u53cc\u91cd\u7f16\u7801\u7ed5\u8fc7\u3001\u89e3\u7801\u4e0d\u4e00\u81f4\u95ee\u9898<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\u4e5d\u3001Base64 \u7f16\u7801<\/h3>\nBase64 \u662f\u4e00\u79cd\u5c06 \u4efb\u610f\u4e8c\u8fdb\u5236\u6570\u636e \u7f16\u7801\u6210 \u53ef\u6253\u5370 ASCII \u5b57\u7b26 \u7684\u65b9\u5f0f,\u5e38\u7528\u4e8e:<\/p>\n \n- \n
\u6570\u636e\u4f20\u8f93(\u5982 JSON\u3001\u8868\u5355\u3001URL \u4e2d)<\/p>\n<\/li>\n - \n
\u6570\u636e\u5b58\u50a8(\u5982\u56fe\u7247\u3001\u8bc1\u4e66)<\/p>\n<\/li>\n - \n
\u907f\u514d\u5b57\u7b26\u5728\u4f20\u8f93\u4e2d\u51fa\u9519\u6216\u88ab\u89e3\u6790<\/p>\n<\/li>\n<\/ul>\n \u91cd\u70b9:Base64 \u4e0d\u662f\u52a0\u5bc6,\u4e5f\u4e0d\u662f\u538b\u7f29,\u4ec5\u662f\u7f16\u7801!<\/p>\n 1.\u00a0Base64 \u7f16\u7801\u539f\u7406\u8be6\u89e3<\/h4>\n\u539f\u7406\u6982\u62ec:<\/p>\n \u5c06\u539f\u59cb\u6570\u636e\u6bcf 3 \u5b57\u8282(3 x 8 = 24 bit) \u4e00\u7ec4,\u62c6\u5206\u4e3a 4 \u4e2a 6 \u4f4d\u4e8c\u8fdb\u5236\u6570(4 x 6 = 24 bit),\u518d\u6620\u5c04\u5230\u4e00\u4e2a Base64 \u5b57\u7b26\u8868\u4e2d\u3002<\/p>\n Base64 \u5b57\u7b26\u8868:<\/p>\n A-Z a-z 0-9 + \/
\n\u5171 64 \u4e2a\u5b57\u7b26<\/p>\n \n\u7f16\u7801\u503c\u5b57\u7b26\u8303\u56f4<\/tr>\n \n\n| 0-25<\/td>\n | A-Z<\/td>\n<\/tr>\n | \n| 26-51<\/td>\n | a-z<\/td>\n<\/tr>\n | \n| 52-61<\/td>\n | 0-9<\/td>\n<\/tr>\n | \n| 62<\/td>\n | +<\/td>\n<\/tr>\n | \n| 63<\/td>\n | \/<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u586b\u5145\u7b26 =: \u5f53\u539f\u59cb\u6570\u636e\u4e0d\u662f 3 \u5b57\u8282\u6574\u6570\u500d\u65f6,\u4f1a\u7528 = \u8fdb\u884c\u8865\u9f50,1 \u4e2a\u6216 2 \u4e2a =\u3002<\/p>\n \u793a\u4f8b:<\/p>\n \u7f16\u7801\u539f\u59cb\u5b57\u7b26\u4e32:abc<\/p>\n 1)\u5c06\u6bcf\u4e2a\u5b57\u7b26\u8f6c\u6362\u4e3a ASCII(\u4e8c\u8fdb\u5236)<\/p>\n a: 01100001
\nb: 01100010
\nc: 01100011
\n\u2192 \u62fc\u63a5:011000010110001001100011<\/p>\n 2)\u6309 6 \u4f4d\u62c6\u5206\u4e3a:<\/p>\n 011000 010110 001001 100011
\n\u5341\u8fdb\u5236:24 22 9 35
\n\u6620\u5c04: Y W J j<\/p>\n \u7ed3\u679c:YWJj<\/p>\n Python \u6f14\u793a:<\/p>\n import base64<\/p>\n # \u7f16\u7801
\ntext = "abc"
\nencoded = base64.b64encode(text.encode()) # b'YWJj'
\nprint(encoded.decode())<\/p>\n # \u89e3\u7801
\ndecoded = base64.b64decode(encoded).decode()
\nprint(decoded)<\/p>\n 2.\u00a0Base64 \u7684\u4f7f\u7528\u573a\u666f<\/h4>\n\n\u573a\u666f\u793a\u4f8b<\/tr>\n \n\n| JWT<\/td>\n | header.payload.signature \u4e2d\u7684 header \u548c payload \u662f base64url \u7f16\u7801<\/td>\n<\/tr>\n | \n| \u56fe\u7247<\/td>\n | <img src="data:image\/png;base64,XXX"><\/td>\n<\/tr>\n | \n| \u6587\u4ef6\u4e0a\u4f20<\/td>\n | \u6587\u4ef6\u5185\u5bb9\u8f6c\u4e3a base64 \u53d1\u9001\u5230\u670d\u52a1\u5668<\/td>\n<\/tr>\n | \n| HTTP Basic Auth<\/td>\n | Authorization: Basic dXNlcjpwYXNz(user:pass \u7684 base64)<\/td>\n<\/tr>\n | \n| URL \u53c2\u6570<\/td>\n | \u6570\u636e\u8f6c\u4e3a base64 \u518d\u653e\u5230 URL \u4e2d\u4f20\u8f93<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n | | | | | | | | | |