CORS跨域漏洞修复
原文链接: https://www.cnblogs.com/wenyoudo/p/14862701.html
漏洞介绍
概述:CORS,跨域资源共享(Cross-origin resource sharing),是H5提供的一种机制,WEB应用程序可以通过在HTTP增加字段来告诉浏览器,哪些不同来源的服务器是有权访问本站资源的,当不同域的请求发生时,就出现了跨域的现象。当该配置不当的时候,就导致资源被恶意操作
潜在危害:中
测试方法
1、可以通过浏览器的控制台的network,查看接口的请求包response头中Access-Control-Allow-Origin是否设置为*
2、 也可以通过抓包工具,查看接口返回的response中是Access-Control-Allow-Origin是否设置为*
漏洞案例
1、配置Access-Control-Allow-Origin为 *
2、配置Access-Control-Allow-Origin 但是该值可控
修复方案
tomcat CORS的配置
使用过滤器进行配置,代码如下:
package filter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.http.HTTPException;
@WebFilter("/Cors")
public class CorsFilter implements Filter {
/**
* Default constructor.
*/
public FilterConfig config;
public CorsFilter() {
// TODO Auto-generated constructor stub
}
/**
* @see Filter#destroy()
*/
public void destroy() {
// TODO Auto-generated method stub
this.config = null;
}
/**
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
//配置可信域名
String[] authhosts = {"http://www.abc.com:8008","http://www.abcyy.com"};
String authost = "";
HttpServletRequest httprequest = (HttpServletRequest) request;
String origin = httprequest.getHeader("origin");
HttpServletResponse httpresponse = (HttpServletResponse) response;
if(origin != null && !Arrays.asList(authhosts).contains(origin)) {
httpresponse.sendError(403);
return;
}
else {
for(int i=0;i<authhosts.length;i++) {
if(i!=authhosts.length - 1) {
authost = authost + authhosts[i]+",";
}else {
authost = authost + authhosts[i];
}
}
httpresponse.addHeader("Access-Control-Allow-Origin", authost);
httpresponse.addHeader("Access-Control-Allow-Methods",
"GET, POST");
httpresponse.addHeader("Access-Control-Allow-Headers",
"origin, content-type, accept, x-requested-with, sid, mycustom, smuser");
chain.doFilter(request, response);
}
}
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO 自动生成的方法存根
}
}
nginx CORS配置
ocation / {
set $flag 0;
if ($http_origin = '')
{
set $flag "${flag}1";
}
if ($http_origin !~* ^(http|https)://www\.abc\.com$){
set $flag "${flag}1";
}
if ($flag = "01"){
return 403;
}
if ($http_origin ~* ^(http|https)://www\.abc\.com$) {
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Methods GET,POST;
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Headers DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type;
}
}
