第六章 OWASP Top 10 2017 之外常見漏洞程式碼審計
阿新 • • 發佈:2021-09-22
1.CSRF
Referer過濾不嚴
if((referer!=null) && (referer.trim().startsWith("www.testdomain.com"))){}
2.SSRF
String url=request.getParameter("url");
URL u=new URL(url);
URLConnection urlConnection=u.openConnection();
HttpURLConnection httpURLConnection=(HttpURLConnection)urlConnection;
BufferedReader base=new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream(),"UTF-8"));
| 函式 |
| HttpClient.execute() |
| HttpClient.executeMethod() |
| HttpURLConnection.concert() |
| HttpURLConnection.getInputStream() |
| URL.openStream() |
| HttpServletRequest() |
| BasicHttpEntityEnclosingRequest() |
| DefaultBHttpClientConnection() |
| BasicHttpRequest |
3.URL跳轉
response.sendRedirect(url);
錯誤的限制url=http://[email protected]
String trustUrl="http://www.baidu.com";
String url=request.getParameter("url");
String getUrl=url.substring(0, trustUrl.length());
if (getUrl.equals(trustUrl)){
response.sendRedirect(url);
}
4.檔案上傳
錯誤判斷檔名字尾
String suffixName=fileName.substring(fileName.indexOf("."),fileName.length());
重點關注的類
| 函式或類名 |
| File |
| lastIndexOf |
| indexOf |
| Fileupload |
| getRealPath |
| getServletPath |
| getPathInfo |
| getContentType |
| equalsIgnoredCase |
| FileUtils |
| MultipartFile |
| MultipartRequestEntity |
| UploadHandleServlet |
| FileLoadServlet |
| getInputStream |
| DiskFileItemFactory |
任意檔案下載
主要關注
FileInputStream
String filename=request.getParameter("filename");
InputStream inputStream=new FileInputStream(filename);
byte[] b =new byte[1024];
int len=0;
while ((len= inputStream.read(b))>0){
response.getOutputStream().write(b,0,len);
}
response.getOutputStream().close();
inputStream.close();
6.5WEB後門
java.lang.Runtime.exec()
java.lang.ProcessBuilder.start()
6.6邏輯漏洞
略
6.7前端不安全配置
略
6.8拒絕服務
略
6.9點選劫持
略
6.10 http引數汙染
略