Java Code Audit Vulnerabilities: URL Redirect
Background: https://www.cnblogs.com/-meditation-/p/16243218.html
Vulnerable code
A view name prefixed with redirect:, response.setHeader("Location", url), and response.sendRedirect(url) can all produce an open redirect when the target URL comes straight from the request.
    import java.io.IOException;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.ResponseBody;

    // redirect: the "redirect:" view prefix makes Spring MVC send the browser to the given URL
    @Controller
    @RequestMapping("/urlRedirect")
    public class URLRedirect {
        /**
         * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
         */
        @GetMapping("/redirect")
        public String redirect(@RequestParam("url") String url) {
            return "redirect:" + url; // user-supplied url is used unvalidated
        }
        /**
         * http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
         */
        @RequestMapping("/setHeader")
        @ResponseBody
        public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
            String url = request.getParameter("url");
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect status code
            response.setHeader("Location", url); // Location header set directly from the request parameter
        }
        /**
         * http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
         */
        @RequestMapping("/sendRedirect")
        @ResponseBody
        public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
            String url = request.getParameter("url");
            response.sendRedirect(url); // 302 redirect to an unvalidated URL
        }
Safe code
        /**
         * Safe code. Because it can only forward by path, it cannot send the user to any other URL.
         * http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
         */
        @RequestMapping("/forward")
        @ResponseBody
        public static void forward(HttpServletRequest request, HttpServletResponse response) {
            String url = request.getParameter("url");
            RequestDispatcher rd = request.getRequestDispatcher(url);
            try {
                // This is a forward (also called an internal redirect): it behaves like a method call on the
                // server side, so the URL in the user's browser address bar does not change.
                // The request cannot be forwarded to a page or site outside this web application.
                rd.forward(request, response);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        /**
         * Safe code for sendRedirect.
         * http://localhost:8080/urlRedirect/sendRedirect/sec?url=http://www.baidu.com
         */
        @RequestMapping("/sendRedirect/sec")
        @ResponseBody
        public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            String url = request.getParameter("url");
            // checkURL validates the URL and returns null when it is not allowed (SecurityUtil is not shown in this post)
            if (SecurityUtil.checkURL(url) == null) {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                response.getWriter().write("url forbidden");
                return;
            }
            response.sendRedirect(url);
        }
    }
Defenses
1. Validate the input: strictly control which domains may be redirected to and never let the user supply an arbitrary redirect target.
2. Strictly restrict subdomains and use a whitelist of allowed redirect targets.
3. Only allow internal forwards.
This article is from cnblogs (博客园), by 九天揽月丶; when reposting, please cite the original link: https://www.cnblogs.com/-meditation-/articles/16243853.html
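A whitelist checker of the kind the defenses above call for, and that the safe sendRedirect variant delegates to, as an added example that is not the post's own code. RedirectUrlChecker, its whitelist and the sample inputs are constructed for illustration; only the null-on-failure contract of checkURL is taken from the post.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical whitelist checker, constructed for this example (not the post's SecurityUtil).
public final class RedirectUrlChecker {
    // Constructed whitelist of exact host names, so untrusted subdomains never match.
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("example.com", "login.example.com");

    /** Returns url if it is safe to redirect to, otherwise null (same contract as checkURL in the post). */
    public static String checkURL(String url) {
        if (url == null || url.isEmpty()) return null;
        // Browsers treat "\" like "/" ("https:\\evil.com", "/\evil.com"); java.net.URI does not, so refuse it.
        if (url.contains("\\")) return null;
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return null; // unparsable input (spaces, control characters, ...) never reaches Location
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null && host == null) {
            // In-site path such as "/urlRedirect/test". "///evil.com" also lands here (empty authority)
            // and browsers resolve it to http://evil.com/, so anything starting with "//" is refused.
            return url.startsWith("/") && !url.startsWith("//") ? url : null;
        }
        if (scheme == null) return null; // protocol-relative "//evil.com": host set, scheme missing
        String s = scheme.toLowerCase(Locale.ROOT);
        if (!s.equals("http") && !s.equals("https")) return null; // blocks javascript:, data:, file:
        // "http://example.com@evil.com" hides the whitelisted name in userinfo; the real host is evil.com.
        if (uri.getRawUserInfo() != null || host == null) return null;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)) ? url : null;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/urlRedirect/test", "https://login.example.com/cb", "http://www.baidu.com", "//evil.com",
            "///evil.com", "http://example.com@evil.com", "https:\\\\evil.com", "javascript:alert(1)",
            "http://example.com.evil.com"
        };
        for (String sample : samples) {
            System.out.println(sample + " -> " + (checkURL(sample) == null ? "forbidden" : "allowed"));
        }
    }
}
```

Only the first two samples are allowed; every other one is a common bypass of naive prefix or contains() checks and is rejected before the URL reaches response.sendRedirect.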