漏洞介紹
概述:CORS,跨域資源共享(Cross-origin resource sharing),是H5提供的一種機制,WEB應用程序可以通過在HTTP增加字段來告訴瀏覽器,哪些不同來源的服務器是有權訪問本站資源的,當不同域的請求發生時,就出現了跨域的現象。當該配置不當的時候,就導致資源被惡意操作
潛在危害:中
測試方法
1、可以通過瀏覽器的控制台的network,查看接口的請求包response頭中Access-Control-Allow-Origin是否設置為*
2、 也可以通過抓包工具,查看接口返回的response中是Access-Control-Allow-Origin是否設置為*
漏洞案例
1、配置Access-Control-Allow-Origin為 *
2、配置Access-Control-Allow-Origin 但是該值可控
修復方案
tomcat CORS的配置
使用過濾器進行配置,代碼如下:
package filter; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.ws.http.HTTPException; @WebFilter("/Cors") public class CorsFilter implements Filter { /** * Default constructor. */ public FilterConfig config; public CorsFilter() { // TODO Auto-generated constructor stub } /** * @see Filter#destroy() */ public void destroy() { // TODO Auto-generated method stub this.config = null; } /** * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { //配置可信域名 String[] authhosts = {"http://www.abc.com:8008","http://www.abcyy.com"}; String authost = ""; HttpServletRequest httprequest = (HttpServletRequest) request; String origin = httprequest.getHeader("origin"); HttpServletResponse httpresponse = (HttpServletResponse) response; if(origin != null && !Arrays.asList(authhosts).contains(origin)) { httpresponse.sendError(403); return; } else { for(int i=0;i<authhosts.length;i++) { if(i!=authhosts.length - 1) { authost = authost + authhosts[i]+","; }else { authost = authost + authhosts[i]; } } httpresponse.addHeader("Access-Control-Allow-Origin", authost); httpresponse.addHeader("Access-Control-Allow-Methods", "GET, POST"); httpresponse.addHeader("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with, sid, mycustom, smuser"); chain.doFilter(request, response); } } @Override public void init(FilterConfig arg0) throws ServletException { // TODO 自動生成的方法存根 } }
nginx CORS配置
ocation / { set $flag 0; if ($http_origin = '') { set $flag "${flag}1"; } if ($http_origin !~* ^(http|https)://www\.abc\.com$){ set $flag "${flag}1"; } if ($flag = "01"){ return 403; } if ($http_origin ~* ^(http|https)://www\.abc\.com$) { add_header Access-Control-Allow-Origin $http_origin; add_header Access-Control-Allow-Methods GET,POST; add_header Access-Control-Allow-Credentials true; add_header Access-Control-Allow-Headers DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type; } }