Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. These issues include "Buffer Overflows", "Cross-Site Scripting" attacks, "SQL Injection" and others.
If the Content-Disposition header is misconfigured, an attacker can control the Content-Type and/or Content-Disposition header of the HTTP response, or the target application includes Content-Types that are not rendered in the browser by default. If a ContentNegotiationManager dynamically generates different response formats, the conditions needed to launch an RFD attack are met. ContentNegotiationManager is configured to decide the response format from the request path extension and uses the Java Activation Framework (JAF) to look up a Content-Type that better matches the format requested by the client. The client can also specify the response content type through the media types sent in the request's Accept header.

Example 1:

<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
<property name="favorPathExtension" value="true" />
<property name="useJaf" value="true" />
</bean>

Example 2: In the following example, the application is configured to let the request's Accept header determine the response content type:

<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
<property name="ignoreAcceptHeader" value="false" />
</bean>
The default values of the ContentNegotiationManagerFactoryBean properties are: useJaf: true, favorPathExtension: true, ignoreAcceptHeader: false.
The configuration shown in Example 1 allows an attacker to craft a malicious URL such as:

ContentNegotiationManager will use the Java Activation Framework (if activation.jar is found on the classpath) to try to resolve the media type for the given file extension and set the response's Content-Type header accordingly. In this example the file extension is "bat", which produces a Content-Type header of application/x-msdownload (although the actual Content-Type may vary depending on the server OS and JAF configuration). As a result, once the victim visits this malicious URL, his or her computer will automatically start downloading a ".bat" file whose content is controlled by the attacker. If this file is subsequently executed, the victim's machine will run whatever commands the attacker's payload specifies.
...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
HttpRequest req = new HttpRequest();
req.setEndpoint(params.get('url'));
HTTPResponse res = new Http().send(req);
http or https protocol, similar to the following:
string url = Request.Form["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);
http or https protocol, similar to the following:
char *url = maliciousInput();
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
CURLcode res = curl_easy_perform(curl);
http or https protocol, similar to the following:
...
final server = await HttpServer.bind('localhost', 18081);
server.listen((request) async {
final headers = request.headers;
final url = headers.value('url');
final client = IOClient();
final response = await client.get(Uri.parse(url!));
...
}
http or https protocol, similar to the following:
url := request.Form.Get("url")
res, err := http.Get(url)
...
http or https protocol, similar to the following:
String url = request.getParameter("url");
CloseableHttpClient httpclient = HttpClients.createDefault();
HttpGet httpGet = new HttpGet(url);
CloseableHttpResponse response1 = httpclient.execute(httpGet);
http or https protocol, similar to the following:
var http = require('http');
var url = require('url');
function listener(request, response){
var request_url = url.parse(request.url, true)['query']['url'];
http.request(request_url)
...
}
...
http.createServer(listener).listen(8080);
...
http or https protocol, similar to the following:
val url: String = request.getParameter("url")
val httpclient: CloseableHttpClient = HttpClients.createDefault()
val httpGet = HttpGet(url)
val response1: CloseableHttpResponse = httpclient.execute(httpGet)
http or https protocol, similar to the following:
$url = $_GET['url'];
$c = curl_init();
curl_setopt($c, CURLOPT_POST, 0);
curl_setopt($c, CURLOPT_URL, $url);
$response = curl_exec($c);
curl_close($c);
http or https protocol, similar to the following:
url = request.GET['url']
handle = urllib.urlopen(url)
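The snippet above passes a request parameter straight to urllib. As an added example (not code from this page or from any of the projects it quotes), the following shows one way a Python server can validate a user-supplied URL before issuing the outbound request; ALLOWED_HOSTS, the injectable resolver parameter and validate_outbound_url are assumptions of this example, not an API the page describes. It goes beyond a bare http/https scheme check by also rejecting IP literals, embedded credentials and allow-listed names that resolve to non-public addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list of outbound hosts; a real service would load it from configuration.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolver=socket.gethostbyname):
    """Return (ok, reason) for a user-supplied URL before any request is sent.
    `resolver` maps a hostname to an IP string; it is injectable so the check
    can be exercised offline without real DNS."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:  # IP literals bypass the name allow-list, so reject them outright
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:  # urlsplit already lower-cases the hostname
        return False, "host %r not allowed" % host
    # Defence in depth: an allow-listed name must still resolve to a public address.
    try:
        ip = resolver(host)
    except (socket.gaierror, OSError):
        return False, "host does not resolve"
    if ip is None or not is_public_address(ip):
        return False, "host resolves to a non-public address"
    return True, ""
```

Only a URL that passes this check should reach the HTTP client; the reason string is meant for server-side logging, not for echoing back to the caller.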
http or https protocol, similar to the following:
url = req['url']
Net::HTTP.get(url)
http or https protocol, similar to the following:
def getFile(url: String) = Action { request =>
...
val url = request.body.asText.getOrElse("http://google.com")
ws.url(url).get().map { response =>
Ok(s"Request sent to $url")
}
...
}
http or https protocol, similar to the following: