Java代码审计漏洞-URL跳转

Background: https://www.cnblogs.com/-meditation-/p/16243218.html

Vulnerable code

All three redirect sinks can be vulnerable when the target comes straight from the request: Spring MVC's "redirect:" view prefix, response.setHeader("Location", url), and response.sendRedirect(url).

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// redirect: Spring MVC view-prefix redirect
@Controller
@RequestMapping("/urlRedirect")
public class URLRedirect {

    /**
     * Vulnerable: the "redirect:" view prefix makes Spring MVC answer with a 302
     * whose Location is the user-supplied url, so an attacker can send victims
     * to any host.
     * http://localhost:8080/urlRedirect/redirect?url=http://www.baidu.com
     */
    @GetMapping("/redirect")
    public String redirect(@RequestParam("url") String url) {
        return "redirect:" + url;
    }

    /**
     * Vulnerable: the Location header is set straight from the request parameter.
     * http://localhost:8080/urlRedirect/setHeader?url=http://www.baidu.com
     */
    @RequestMapping("/setHeader")
    @ResponseBody
    public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
        String url = request.getParameter("url");
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect status code
        response.setHeader("Location", url); // target URL, taken from the user unchecked
    }

    /**
     * Vulnerable: sendRedirect() emits a 302 to whatever the user passed in.
     * http://localhost:8080/urlRedirect/sendRedirect?url=http://www.baidu.com
     */
    @RequestMapping("/sendRedirect")
    @ResponseBody
    public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String url = request.getParameter("url");
        response.sendRedirect(url); // 302 redirect
    }

Safe code

    /**
     * Safe code. A forward only resolves a path inside this web application; it
     * cannot send the browser to another host.
     * Caveat: the path is still chosen by the user, so a forward can reach
     * resources that are not otherwise exposed (for example files under
     * /WEB-INF). Restrict the allowed paths as well rather than treating the
     * forward alone as the fix.
     * http://localhost:8080/urlRedirect/forward?url=/urlRedirect/test
     */
    @RequestMapping("/forward")
    @ResponseBody
    public static void forward(HttpServletRequest request, HttpServletResponse response) {
        String url = request.getParameter("url");
        RequestDispatcher rd = request.getRequestDispatcher(url);
        try {
            // This is a forward, also called an internal redirect. It behaves like a
            // method call on the server side: the URL in the user's browser address
            // bar does not change.
            // The request cannot be forwarded to a page or site outside this web application.
            rd.forward(request, response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Safe version of sendRedirect.
     * http://localhost:8080/urlRedirect/sendRedirect/sec?url=http://www.baidu.com
     */
    @RequestMapping("/sendRedirect/sec")
    @ResponseBody
    public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String url = request.getParameter("url");
        // checkURL validates the URL against a whitelist of allowed targets and
        // returns null when the target is not allowed (helper not shown on this page).
        if (SecurityUtil.checkURL(url) == null) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.getWriter().write("url forbidden");
            return;
        }
        response.sendRedirect(url);
    }
}

Defenses

1. Validate the input: strictly control which domains may be redirected to, and never let the user supply an arbitrary redirect target.
2. Restrict subdomains strictly and keep the allowed redirect targets in a whitelist.
3. Allow only internal forwards.
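As an added worked example (not code from the original post or from the project its handlers come from), here is one way to implement the whitelist check that sendRedirect_seccode above delegates to SecurityUtil.checkURL. The class name RedirectUrlCheck, the allowed-host list and the sample inputs are assumptions for illustration. It returns the URL when it is a same-site absolute path or an http(s) URL whose host is exactly on the list, and null otherwise, which is the contract the handler relies on. It goes a little beyond the defense list by also rejecting the usual bypass shapes that a naive prefix or "contains" check lets through: protocol-relative "//evil.com", credentials in the authority, lookalike subdomains, non-http schemes, and backslashes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Whitelist check for a user-supplied redirect target (illustrative, assumed
 * class). Returns the URL unchanged when it is safe to redirect to, else null.
 */
public class RedirectUrlCheck {

    // Hypothetical whitelist; a real deployment loads this from configuration.
    // Exact host names only: a wildcard-subdomain rule would also admit any
    // abandoned or taken-over subdomain.
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.example.com", "example.com");

    public static String checkURL(String url) {
        if (url == null || url.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            // Backslashes, spaces and control characters are rejected by java.net.URI;
            // browsers "repair" them in different ways, so refuse rather than guess.
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();

        // Case 1: same-site absolute path such as "/user/home".
        // "//evil.com" is parsed as a network-path reference with host "evil.com",
        // so it never reaches this branch; the startsWith("//") guard is belt and braces.
        if (scheme == null && host == null && uri.getAuthority() == null) {
            String path = uri.getPath();
            if (path != null && path.startsWith("/") && !path.startsWith("//")) {
                return url;
            }
            return null;
        }

        // Case 2: absolute URL. Only http/https, and the host must be on the list.
        // Opaque URIs ("javascript:alert(1)", "http:evil.com") have host == null.
        if (scheme == null || host == null) {
            return null;
        }
        String lowerScheme = scheme.toLowerCase(Locale.ROOT);
        if (!lowerScheme.equals("http") && !lowerScheme.equals("https")) {
            return null;
        }
        // "http://www.example.com@evil.com" has userinfo "www.example.com" and host
        // "evil.com". The host comparison below would already reject it, but a
        // redirect target has no business carrying credentials at all.
        if (uri.getUserInfo() != null) {
            return null;
        }
        String lowerHost = host.toLowerCase(Locale.ROOT);
        for (String allowed : ALLOWED_HOSTS) {
            // Exact match only, so "www.example.com.evil.com" does not pass.
            if (lowerHost.equals(allowed)) {
                return url;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first two should be allowed, the rest forbidden.
        String[] samples = {
            "/urlRedirect/test",
            "https://www.example.com/login",
            "http://www.baidu.com",
            "//evil.com",
            "http://www.example.com@evil.com",
            "http://www.example.com.evil.com",
            "javascript:alert(1)",
            "http:evil.com",
            "\\evil.com"
        };
        for (String s : samples) {
            System.out.println((checkURL(s) == null ? "forbidden  " : "allowed    ") + s);
        }
    }
}
```

Parsing with java.net.URI and comparing the parsed host is the point: string tests such as url.startsWith("http://www.example.com") or url.contains("example.com") are exactly what the samples in main() defeat. Because the check returns the URL rather than a boolean, the handler can keep the `== null` shape shown above and redirect only to the value that was actually validated.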

posted @ 2022-05-07 19:15  九天揽月丶