第六章 OWASP Top 10 2017 之外常见漏洞代码审计

1.CSRF

Referer过滤不严

if((referer!=null) && (referer.trim().startsWith("www.testdomain.com"))){}

　　

2.SSRF

String url=request.getParameter("url");
    URL u=new URL(url);
    URLConnection urlConnection=u.openConnection();
    HttpURLConnection httpURLConnection=(HttpURLConnection)urlConnection;
    BufferedReader base=new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream(),"UTF-8"));

　　

函数

HttpClient.execute()

HttpClient.executeMethod()

HttpURLConnection.concert()

HttpURLConnection.getInputStream()

URL.openStream()

HttpServletRequest()

BasicHttpEntityEnclosingRequest()

DefaultBHttpClientConnection()

BasicHttpRequest

 

3.URL跳转

response.sendRedirect(url);

　　

错误的限制url=http://www.baidu.com@renren.com

String trustUrl="http://www.baidu.com";
    String url=request.getParameter("url");
    String getUrl=url.substring(0, trustUrl.length());
    if (getUrl.equals(trustUrl)){
        response.sendRedirect(url);
    }

　　

4.文件上传

错误判断文件名后缀

String suffixName=fileName.substring(fileName.indexOf("."),fileName.length());

　　

重点关注的类

函数或类名

File

lastIndexOf

indexOf

Fileupload

getRealPath

getServletPath

getPathInfo

getContentType

equalsIgnoredCase

FileUtils

MultipartFile

MultipartRequestEntity

UploadHandleServlet

FileLoadServlet

getInputStream

DiskFileItemFactory

 

任意文件下载

主要关注

FileInputStream

String filename=request.getParameter("filename");
    InputStream inputStream=new FileInputStream(filename);
    byte[] b =new byte[1024];
    int len=0;
    while ((len= inputStream.read(b))>0){
        response.getOutputStream().write(b,0,len);
    }
    response.getOutputStream().close();
    inputStream.close();

　　

6.5WEB后门

java.lang.Runtime.exec()

java.lang.ProcessBuilder.start()

6.6逻辑漏洞

略

6.7前端不安全配置

略

6.8拒绝服务

略

6.9点击劫持

略

6.10 http参数污染

略