1.CSRF
Referer过滤不严
if((referer!=null) && (referer.trim().startsWith("www.testdomain.com"))){}
2.SSRF
String url=request.getParameter("url");
URL u=new URL(url);
URLConnection urlConnection=u.openConnection();
HttpURLConnection httpURLConnection=(HttpURLConnection)urlConnection;
BufferedReader base=new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream(),"UTF-8"));
| 函数 |
| HttpClient.execute() |
| HttpClient.executeMethod() |
| HttpURLConnection.concert() |
| HttpURLConnection.getInputStream() |
| URL.openStream() |
| HttpServletRequest() |
| BasicHttpEntityEnclosingRequest() |
| DefaultBHttpClientConnection() |
| BasicHttpRequest |
3.URL跳转
response.sendRedirect(url);
错误的限制url=http://www.baidu.com@renren.com
String trustUrl="http://www.baidu.com";
String url=request.getParameter("url");
String getUrl=url.substring(0, trustUrl.length());
if (getUrl.equals(trustUrl)){
response.sendRedirect(url);
}
4.文件上传
错误判断文件名后缀
String suffixName=fileName.substring(fileName.indexOf("."),fileName.length());
重点关注的类
| 函数或类名 |
| File |
| lastIndexOf |
| indexOf |
| Fileupload |
| getRealPath |
| getServletPath |
| getPathInfo |
| getContentType |
| equalsIgnoredCase |
| FileUtils |
| MultipartFile |
| MultipartRequestEntity |
| UploadHandleServlet |
| FileLoadServlet |
| getInputStream |
| DiskFileItemFactory |
任意文件下载
主要关注
FileInputStream
String filename=request.getParameter("filename");
InputStream inputStream=new FileInputStream(filename);
byte[] b =new byte[1024];
int len=0;
while ((len= inputStream.read(b))>0){
response.getOutputStream().write(b,0,len);
}
response.getOutputStream().close();
inputStream.close();
6.5WEB后门
java.lang.Runtime.exec()
java.lang.ProcessBuilder.start()
6.6逻辑漏洞
略
6.7前端不安全配置
略
6.8拒绝服务
略
6.9点击劫持
略
6.10 http参数污染
略