Arbitrary URL jump vulnerabilities and the pitfalls of the getHost() method in the JDK: how to fix them

2025-04-06 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how to fix an arbitrary URL jump (open redirect) vulnerability, and about the pitfalls of the getHost() method in the JDK that can undermine the fix. This article explains both in detail, with test code and a real example.

Arbitrary URL Jump vulnerability

The server does not check or restrict the incoming jump URL parameter, so an attacker can construct a malicious address that sends users to a site of the attacker's choosing. Because the redirect starts from a trusted site, users are more inclined to trust it, so jump vulnerabilities are typically used for phishing: luring users to a malicious site that asks for their username and password in order to steal their account, or tricking them into a money transfer.

One of the most effective fixes is to validate the jump URL parameter and check that it points to the expected domain. In Java this can be done as follows:

```java
import java.net.MalformedURLException;
import java.net.URL;

// Inside a servlet: validate the returnUrl parameter before redirecting
String url = request.getParameter("returnUrl");
String host = "";
try {
    host = new URL(url).getHost();
} catch (MalformedURLException e) {
    e.printStackTrace();
}
if (host.endsWith(".bbb.com")) {
    // jump
} else {
    // do not jump, report an error
}
```

The code above validates the returnUrl parameter sent by the client: it uses the getHost() method of java.net.URL to obtain the host of the URL that will be jumped to and checks whether that host is the target domain. The check restricts redirects to hosts under bbb.com (xxx.bbb.com), which appears to rule out jumping to an untrusted domain.

But is the getHost () method really reliable?

The first pitfall of the getHost() method

It can be bypassed with a backslash. For returnUrl=http://www.aaa.com\www.bbb.com the code above believes the jump goes to bbb.com, because java.net.URL does not treat the backslash as a delimiter and keeps everything up to the next /, ? or # as the host. A browser, however, corrects the backslash to a forward slash, navigates to www.aaa.com/www.bbb.com, and the request ends up at the www.aaa.com server.

Test with the following code:

```java
import java.net.MalformedURLException;
import java.net.URL;

public class Main {
    public static void main(String[] args) {
        // Backslash inside the authority; Java does not treat it as a delimiter
        String url = "https://www.aaa.com\\www.bbb.com?x=123";
        String host = "";
        try {
            host = new URL(url).getHost();
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
        System.out.println("host---" + host);
        System.out.println("url---" + url);
    }
}
```

Does getHost() return www.aaa.com or www.bbb.com for this URL? The article shows the output as a screenshot (not reproduced here); the program prints:

host---www.aaa.com\www.bbb.com
url---https://www.aaa.com\www.bbb.com?x=123

The whole string up to the question mark is taken as the host, so endsWith(".bbb.com") returns true and the jump is performed, but in the browser the request actually goes to the www.aaa.com site.

The second pitfall of the getHost() method

getHost() handles the pound sign # differently across JDK versions. The pound sign normally introduces a page anchor (the fragment). For the URL https://www.aaa.com#www.bbb.com?x=123, a higher JDK version returns www.aaa.com, while a lower version returns www.aaa.com#www.bbb.com, so on the lower version endsWith(".bbb.com") passes and the jump succeeds.

"Higher" and "lower" here refer to update releases within the 1.7.0 and 1.8.0 lines, not to JDK 7 versus JDK 8; Java evidently fixed the URL library in JDK 6, 7 and 8 updates at some point.

In testing, JDK 1.6.0_45 and earlier update releases of 1.7.0 and 1.8.0 (the exact update numbers are not legible in the source) could be bypassed with #, i.e. the problem exists in the lower and middle update releases of each line.

Comparing java/net/URLStreamHandler.java from the rt.jar of a lower and a higher version (the article's side-by-side figure, lower version on the left and higher on the right, is not reproduced here), the difference is in parseURL(). In that code, start is the position of the colon after the scheme and limit is the position of the pound sign in the URL.

In the lower version, when parseURL() looks for the slash / or question mark ? that ends the host part, it does not check whether the character it found lies before the pound sign, i.e. before limit. If the URL contains a / or ? anywhere after the #, the host is cut at that character, so the # and everything up to the / or ? become part of the host. The higher version additionally compares the found position against limit, which rules out using the pound sign to bypass the check. Since the JDK on production systems cannot be upgraded casually, the defence has to be built into the application code.

The article's screenshot of the same test run under different JDK versions is not reproduced here. The same code prints different host values: the older versions include the pound sign and everything after it in the host, while the newer versions stop the host at the pound sign.

Taking both pitfalls together, code that uses getHost() to fix an arbitrary URL jump must neutralize both the backslash and the pound sign before parsing, for example by rewriting each of them to a forward slash:

```java
import java.net.MalformedURLException;
import java.net.URL;

// Inside a servlet: neutralize the two bypass characters before parsing
String url = request.getParameter("returnUrl");
String host = "";
try {
    if (url == null) {
        url = "";
    }
    // Rewrite every backslash and pound sign to a forward slash so that
    // neither can end up inside the value returned by getHost()
    url = url.replaceAll("[\\\\#]", "/");
    host = new URL(url).getHost();
} catch (MalformedURLException e) {
    e.printStackTrace();
}
if (host.endsWith(".bbb.com")) {
    // jump
} else {
    // do not jump, report an error
}
```
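The following is an added example written by the editor, not code from the original article. It puts the article's naive endsWith() check beside a hardened version that applies the backslash and pound sign rewrite from the fix above, additionally restricts the scheme to http or https (an extra check the article does not make) and matches the host against an allow-list, and then runs both over inputs covering the two pitfalls. The domain bbb.com, the class name RedirectCheck, the method names and the test inputs are assumptions for illustration. On a current JDK the # input already parses correctly, so naiveCheck returns false for it there; on the older JDK builds the article describes, getHost() returned www.aaa.com#www.bbb.com and naiveCheck returned true.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;

public class RedirectCheck {

    // Assumed trusted apex domain for illustration (the article uses bbb.com)
    static final String ALLOWED_APEX = "bbb.com";

    // The article's original check: getHost() plus endsWith(), no normalization.
    // Kept here only to show how it behaves on each input.
    static boolean naiveCheck(String url) {
        String host;
        try {
            host = new URL(url).getHost();
        } catch (MalformedURLException e) {
            return false;               // unparsable: refuse the jump
        }
        return host != null && host.endsWith("." + ALLOWED_APEX);
    }

    // Hardened check: neutralize the two bypass characters before parsing,
    // accept only http/https, and match the host against the allow-list.
    static boolean hardenedCheck(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        // Pitfalls 1 and 2: a backslash or '#' may otherwise survive inside getHost()
        String normalized = url.replaceAll("[\\\\#]", "/");
        URL parsed;
        try {
            parsed = new URL(normalized);
        } catch (MalformedURLException e) {
            return false;               // unknown scheme, missing scheme, etc.
        }
        String scheme = parsed.getProtocol();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;               // extra check beyond the article: no ftp:, file:, ...
        }
        String host = parsed.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        // Defense in depth: only plain DNS characters; anything else means the
        // parser saw something a browser may interpret differently
        if (!host.matches("[a-z0-9.-]+")) {
            return false;
        }
        return host.equals(ALLOWED_APEX) || host.endsWith("." + ALLOWED_APEX);
    }

    // Constructed test inputs covering the article's two pitfalls
    static final String[] CASES = {
        "https://www.bbb.com/account",               // legitimate subdomain target
        "https://www.aaa.com\\www.bbb.com?x=123",    // pitfall 1: backslash in the authority
        "https://www.aaa.com#www.bbb.com?x=123",     // pitfall 2: '#' followed by '?' (older JDKs)
        "https://www.aaa.com/www.bbb.com",           // bbb.com only appears in the path
        "https://evilbbb.com/",                      // suffix without the leading dot
        "ftp://www.bbb.com/",                        // right host, wrong scheme
    };

    public static void main(String[] args) {
        for (String c : CASES) {
            String host;
            try {
                host = new URL(c).getHost();
            } catch (MalformedURLException e) {
                host = "<malformed>";
            }
            System.out.printf("%-42s getHost=%-26s naive=%-5b hardened=%b%n",
                    c, host, naiveCheck(c), hardenedCheck(c));
        }
    }
}
```

Compile with javac RedirectCheck.java and run java RedirectCheck; the table it prints shows the host that getHost() saw for each input beside the two verdicts, so the backslash row makes the first pitfall visible on any JDK. Two further points worth knowing: java.net.URI is stricter than java.net.URL (it rejects the backslash outright with a URISyntaxException and ends the authority at #), and the URL(String) constructor is deprecated from JDK 20 in favour of URI.create(...).toURL(). Either way, keep the host allow-list; parsing alone does not decide where a redirect may go.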

A real example follows.

The site in question could be bypassed with a pound sign combined with a slash or a question mark: setting its target parameter to the URL-encoded form of https://www.baidu.com#www.bbb.com?x=123 made the site redirect to Baidu.
