A URL redirect vulnerability (also called an arbitrary URL jump vulnerability) arises when a website trusts user input to decide where to redirect the browser. Its main use by attackers is phishing. The most common jumps are at login and payment entry points: once the user has logged in, the site jumps to whatever address was passed in the request, and if an attacker supplies their own URL there, the victim lands on a phishing page.
Common places for URL jumps
1. The login jump is the most common type: the site redirects after authentication succeeds, so pay close attention to the URL parameters when logging in.
2. Jumps after the user shares or bookmarks content.
3. Jumps after cross-site authentication and authorization.
4. Jumps when clicking other URL links on the site.
5. Redirects on user-interaction pages: after filling in a customer-service review, a questionnaire or a similar form, the site sends you back to the home page, so watch the URL there.
6. Jumps after a business flow completes. Examples: after changing a password, jumping to the login page; after binding a bank card, returning to the recharge page; being given a link to apply for VIP that requires identity authentication first, after which you are sent back to the VIP application page.
Commonly used parameters for URL jumps
- redirect
- url
- redirectUrl
- callback
- return_url
- toUrl
- ReturnUrl
- fromUrl
- redUrl
- request
- redirect_to
- redirect_url
- jump
- jump_to
- target
- to
- goto
- link
- linkto
- domain
- oauth_callback
Core code:
Redirection jump (ViewResolver):
```java
@GetMapping("/redirect")
public String redirect(@RequestParam("url") String url) {
    // The user-supplied value becomes the redirect target unchanged
    return "redirect:" + url;
}
```
301 Jump:
```java
@RequestMapping("/setHeader")
@ResponseBody
public static void setHeader(HttpServletRequest request, HttpServletResponse response) {
    String url = request.getParameter("url");
    response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301 redirect
    response.setHeader("Location", url); // Location taken straight from the request
}
```
302 Jump:
```java
@RequestMapping("/sendRedirect")
@ResponseBody
public static void sendRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String url = request.getParameter("url");
    response.sendRedirect(url); // 302 redirect to the user-supplied URL
}
```
How to fix:
Use forward instead of redirect. A forward is a jump inside the server: the Servlet hands the request to another resource through RequestDispatcher, and the request data is preserved. The client sends a single request, the server processes it in two steps, the request data does not disappear, and the URL in the browser changes only once (for the original request).
Forward can only jump internally:
```java
@RequestMapping("/forward")
@ResponseBody
public static void forward(HttpServletRequest request, HttpServletResponse response) {
    String url = request.getParameter("url");
    // The dispatcher resolves the path inside this web application only
    RequestDispatcher rd = request.getRequestDispatcher(url);
    try {
        rd.forward(request, response);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
```
Check the input parameter with checkURL:
```java
@RequestMapping("/sendRedirect/sec")
@ResponseBody
public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String url = request.getParameter("url");
    if (checkURL(url) == null) {
        // Host is not in the configured whitelist (or is blacklisted): refuse the jump
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.getWriter().write("url forbidden");
        return;
    }
    response.sendRedirect(url);
}
```
The checkURL implementation:
```java
/**
 * Supports first-level and multi-level domain names at the same time.
 * The relevant configuration is in the url/url_safe_domain.xml file under the resources directory.
 * The blacklist is checked first; if it matches, null is returned.
 *
 * @param url the url to check
 * @return the original url if it is safe; null if it is illegal
 */
public static String checkURL(String url) {
    if (null == url) {
        return null;
    }
    // Loader names below are assumed; the original names were lost in extraction.
    // Both lists are read from url/url_safe_domain.xml.
    ArrayList<String> safeDomains = getSafeDomains();
    ArrayList<String> blockDomains = getBlockDomains();
    try {
        String host = gethost(url);
        // Must be http/https
        if (!isHttp(url)) {
            return null;
        }
        // Return null if the blacklist is satisfied
        if (blockDomains.contains(host)) {
            return null;
        }
        for (String blockDomain : blockDomains) {
            if (host.endsWith("." + blockDomain)) {
                return null;
            }
        }
        // Support multi-level domain names (exact host match)
        if (safeDomains.contains(host)) {
            return url;
        }
        // Support first-level domain names (any sub-domain of a safe domain)
        for (String safedomain : safeDomains) {
            if (host.endsWith("." + safedomain)) {
                return url;
            }
        }
        return null;
    } catch (NullPointerException e) {
        // Logging call; the original logger name was lost in extraction
        System.err.println(e.getMessage());
        return null;
    }
}
```
checkURL verifies that the host of the URL is in the site's own configured whitelist and not in the blacklist; if it is not, it returns null and the redirect is refused.
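The article's checkURL depends on how gethost extracts the host. The following is an added example, not code from the article, showing the same whitelist/blacklist check built on java.net.URI so that the scheme, user-info and host are parsed by the standard library rather than by hand; relative paths are accepted as on-site targets, and scheme-relative URLs (//host) are rejected because they have no scheme. The class name, the inline domain lists and the sample URLs are assumptions constructed for this demonstration; in the article the lists come from url/url_safe_domain.xml. It requires Java 9 or later for List.of.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

public class SafeRedirect {

    // Constructed stand-ins for the lists the article loads from url/url_safe_domain.xml
    private static final List<String> SAFE_DOMAINS = List.of("example.com", "login.example.com");
    private static final List<String> BLOCK_DOMAINS = List.of("test.example.com");

    /** Returns the original url if it is an allowed target, otherwise null. */
    public static String checkURL(String url) {
        if (url == null) {
            return null;
        }
        // A plain path with no scheme or authority stays on this site
        if (url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\")) {
            return url;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return null; // unparseable input is refused
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null; // must be http/https, as in the article's isHttp check
        }
        // getHost() returns the real host even when user-info precedes it
        String host = uri.getHost();
        if (host == null) {
            return null;
        }
        host = host.toLowerCase(Locale.ROOT);
        if (matchesDomain(host, BLOCK_DOMAINS)) {
            return null; // blacklist has priority, as in the article
        }
        return matchesDomain(host, SAFE_DOMAINS) ? url : null;
    }

    // Exact match on the domain, or a ".domain" suffix match for sub-domains.
    // The leading dot is what stops "example.com.other.test" from matching "example.com".
    private static boolean matchesDomain(String host, List<String> domains) {
        for (String d : domains) {
            if (host.equals(d) || host.endsWith("." + d)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the "other.test" hosts are placeholders
        String[] samples = {
            "https://login.example.com/home",        // whitelisted host: allowed
            "/account/settings",                     // relative path: allowed
            "https://EXAMPLE.com/",                  // case differs: allowed
            "https://example.com.other.test/",       // suffix is not ".example.com": forbidden
            "https://example.com@other.test/",       // host is other.test, not example.com: forbidden
            "//other.test/",                         // scheme-relative, no scheme: forbidden
            "https://test.example.com/",             // on the blacklist: forbidden
            "ftp://example.com/"                     // non-http scheme: forbidden
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (checkURL(s) == null ? "forbidden" : "allowed"));
        }
    }
}
```

This checkURL can be dropped into the article's sendRedirect_seccode in place of the XML-backed one: the endpoint still returns 403 "url forbidden" on null and calls response.sendRedirect only on the returned value. Whether a relative path should be accepted is a policy choice; if the application never needs off-site redirects, allowing only relative paths is the simplest fix of all.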
This concludes the article on finding and fixing URL redirection during a Java code audit. For more on Java URL redirection, see my earlier articles or continue with the related articles below. I hope you will keep supporting me in the future!