My skills are limited, so this explanation of cookie-based privilege escalation (trusting a cookie value for authorization) may be a bit simple and rough. This is just a quick note of what I learned.
First, a deliberately vulnerable piece of code I wrote myself:
SendCookieServlet.java

    package cookie;

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class SendCookieServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // The server generates the Set-Cookie header: the "role" lives in the cookie
            Cookie cookie = new Cookie("name", "admin");
            // Cookie lifetime: ten minutes
            cookie.setMaxAge(60 * 10);
            // Path the cookie is sent for: the whole application
            cookie.setPath("/");
            // Send the cookie to the client in the response headers
            response.addCookie(cookie);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            doGet(request, response);
        }
    }
Then read the key/value pair back out of the cookie and make the decision on it.
GetCookieServlet code:

    package cookie;

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class GetCookieServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            request.setCharacterEncoding("UTF-8");
            response.setContentType("text/html;charset=UTF-8");
            // Read the cookies the client sent; null when the request carries none
            Cookie[] cookies = request.getCookies();
            String name = null;
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if ("name".equals(cookie.getName())) {
                        name = cookie.getValue();
                    }
                }
            }
            // VULNERABLE: the role decision is made on a value the client controls.
            // ("admin".equals(name) instead of name.equals("admin") so a request
            // without the cookie fails closed rather than throwing a NullPointerException.)
            if ("admin".equals(name)) {
                response.getWriter().write("Welcome admin, you are logged in to the back-end system");
            } else {
                response.getWriter().write("Welcome xxx, you are logged in to the back-end system");
            }
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            doGet(request, response);
        }
    }
Visit sendCookie first, then getCookie:
By default you land in the admin system, because the cookie stores name=admin.
Now change the cookie to name=some other value (in the browser's developer tools or an intercepting proxy) and request getCookie again:
You are now in the other user's system. The point is that the server takes the role straight from a value the client controls: anyone who edits the cookie can demote themselves, and, far worse, anyone who sets name=admin is treated as admin without ever authenticating.
The root cause is that the data driving the authorization decision is kept in the cookie, on the client, rather than in server-side state (the session).
Fix: make the decision from server-side state only. Check that the request carries a valid, unexpired session, that the session is bound to an authenticated user, and that that user currently holds the required permission.
Here I change the storage from a cookie to the session.
Code as follows:
SendCookieServlet:

    package cookie;

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class SendCookieServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Create (or fetch) the server-side session and store the value there;
            // the client only ever sees the opaque session ID
            HttpSession session = request.getSession();
            session.setAttribute("name", "admin");
            String id = session.getId();
            // Note: the container already sends a JSESSIONID cookie when getSession()
            // creates a new session. This explicit cookie is redundant; its only effect
            // is to make the ID persist for ten minutes instead of ending with the browser session.
            Cookie cookie = new Cookie("JSESSIONID", id);
            cookie.setMaxAge(60 * 10);
            // Path the cookie is sent for: the whole application
            cookie.setPath("/");
            response.addCookie(cookie);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            doGet(request, response);
        }
    }
GetCookieServlet code:

    package cookie;

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class GetCookieServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            request.setCharacterEncoding("UTF-8");
            response.setContentType("text/html;charset=UTF-8");
            // Look up the existing session only; do not create an empty one for an
            // unknown client. With no session or no attribute, name stays null.
            HttpSession session = request.getSession(false);
            String name = session == null ? null : (String) session.getAttribute("name");
            // The decision is now based on server-side state the client cannot edit
            // ("admin".equals(name) also fails closed instead of throwing on null)
            if ("admin".equals(name)) {
                response.getWriter().write("Welcome admin, you are logged in to the back-end system");
            } else {
                response.getWriter().write("Welcome xxx, you are logged in to the back-end system");
            }
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            doGet(request, response);
        }
    }
Then visit sendCookie and then getCookie again:
Normal access first:
Change name= to some other value:
Editing the cookie no longer gets you anywhere: the client holds only the opaque JSESSIONID, and the name attribute it points to lives on the server, where the client cannot alter it. Data that drives server-side decisions is safer kept in the session.
When making an authorization decision, do not read it straight out of a cookie; verify it against the session. Two caveats this demo leaves out: the session ID is now the only thing standing between an attacker and the admin role, so it must be unguessable (leave generation to the container), sent with the HttpOnly and Secure flags, and rotated at login; and the role must be assigned only after a real credential check, since as written anyone who visits sendCookie becomes admin.
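Putting the three checks from the fix plan into working code, as an added example that is not part of the original post: a login servlet that assigns the role only after a credential check and rotates the session ID, and a filter in front of /admin/* that enforces an existing session, a bound user, and the admin role before any back-end servlet runs. The UserStore class with its two constructed users and passwords, the /login and /admin/* paths, and the servlet and filter names are all assumptions made for this example.

```java
// File: UserStore.java (hypothetical user store for the demo; constructed data)
package cookie;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public final class UserStore {
    // username -> {sha256(password) as hex, role}; real apps keep salted slow hashes in a DB
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("admin", new String[] {sha256Hex("S3cret-Adm1n!"), "admin"});
        USERS.put("alice", new String[] {sha256Hex("alice-pass"), "user"});
    }

    // Returns the role on success, null on failure; constant-time comparison.
    public static String checkCredentials(String user, String pass) {
        if (user == null || pass == null) return null;
        String[] rec = USERS.get(user);
        if (rec == null) return null;
        byte[] expected = rec[0].getBytes(StandardCharsets.UTF_8);
        byte[] actual = sha256Hex(pass).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual) ? rec[1] : null;
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

// File: LoginServlet.java
package cookie;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        // The server decides the role after checking credentials; it never comes
        // from anything the client can edit, unlike the name=admin cookie above.
        String role = UserStore.checkCredentials(user, request.getParameter("password"));
        if (role == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = request.getSession(true);
        // Rotate the ID at login (Servlet 3.1+) so an ID planted in the browser
        // before login (session fixation) does not become an authenticated one.
        request.changeSessionId();
        session.setMaxInactiveInterval(10 * 60);
        session.setAttribute("user", user);
        session.setAttribute("role", role);
        response.sendRedirect(request.getContextPath() + "/admin/");
    }
}

// File: AdminAuthFilter.java
package cookie;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Runs before every request under /admin/*: a session must already exist (never
// created here), be bound to a user by LoginServlet, and carry the admin role.
@WebFilter("/admin/*")
public class AdminAuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        String role = session == null ? null : (String) session.getAttribute("role");
        if (user == null) {              // no valid logged-in session: authenticate first
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        if (!"admin".equals(role)) {     // authenticated, but not this user's privilege
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

With this in place, a forged name=admin cookie is simply ignored, and a forged JSESSIONID only works if the attacker guesses a live ID that LoginServlet has already bound to an admin. To keep that ID out of reach of scripts and off plain HTTP, also set the container's session cookie flags in web.xml (Servlet 3.0+): `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>`.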
Stay true to your original aspiration, and you will see it through to the end.