
URL whitelist Bypass

JoyChou edited this page Jun 12, 2019 · 9 revisions

Description

Cases in which a whitelist check based on the getHost() method of java.net.URL can be bypassed.

Test environment

  • Java 1.8.0_102
  • Chrome 74.0.3729.169

Relevant source code

```java
@RequestMapping("/url_bypass")
@ResponseBody
public String url_bypass(HttpServletRequest request) throws Exception {
    String url = request.getParameter("url");
    System.out.println("url:  " + url);
    URL u = new URL(url);
    // Check that the protocol is http(s)
    if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
        return "Url is not http or https";
    }
    // Whitelist check on the host as parsed by java.net.URL; this is the check that gets bypassed
    String host = u.getHost().toLowerCase();
    System.out.println("host:  " + host);

    if (host.endsWith("." + "joychou.org")) {
        return "good url";
    } else {
        return "bad url";
    }
}
```

How it works

For the request http://localhost:8080/url/url_bypass?url=http://www.baidu.com%23@www.joychou.org/a.html, getHost() of the URL class returns www.joychou.org, which is in the whitelist. But when a browser opens http://www.baidu.com#@www.joychou.org/a.html directly, it requests www.baidu.com, so the whitelist is bypassed.

A security issue arises whenever the domain returned by getHost() is in the whitelist but differs from the domain the browser actually requests.

The table below summarizes the cases; in actual exploitation test.joychou.org would be replaced with evil.com.

| POC | URL as decoded | getHost() | Chrome requests | Bypassed? | Path preserved? |
|---|---|---|---|---|---|
| `http://test.joychou.org%23@www.joychou.org/a.html` | `http://test.joychou.org#@www.joychou.org/a.html` | www.joychou.org | http://test.joychou.org/ | | No |
| `http://test.joychou.org%5c@www.joychou.org/a.html` | `http://test.joychou.org\@www.joychou.org/a.html` | www.joychou.org | http://test.joychou.org/@www.joychou.org/a.html | | |
| `http://test.joychou.org%5cwww.joychou.org/a.html` | `http://test.joychou.org\www.joychou.org/a.html` | test.joychou.org\www.joychou.org | http://test.joychou.org/www.joychou.org/a.html | | |

Other

Various payloads for URL whitelist bypass:

| URL | Chrome requests | Visits evil.com? |
|---|---|---|
| `http://www.joychou.org#@evil.com/a.html` | www.joychou.org | |
| `http://www.joychou.org%23@evil.com/a.html` | http://evil.com/a.html | |
| `http://evil.com\www.joychou.org/a.html` | http://evil.com/www.joychou.org/a.html | |
| `http://evil.com\@www.joychou.org/a.html` | http://evil.com/@www.joychou.org/a.html | |
| `http://evil.com?%23@www.joychou.org/` | http://evil.com/?%23@www.joychou.org/ | |
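As an added example (not code from the original page or from the java-sec-code project), a stricter host check that uses java.net.URI, whose parser rejects illegal characters such as a raw backslash and exposes the userinfo part, so that the payloads listed in the two tables above are refused. The class name `SafeUrlCheck` and the allowed domain `joychou.org` are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SafeUrlCheck {
    // Assumed whitelist: the domain itself and its subdomains
    private static final String ALLOWED_DOMAIN = "joychou.org";

    /** Accepts only http(s) URLs with no userinfo whose host is joychou.org or a subdomain of it. */
    public static boolean isAllowed(String url) {
        URI u;
        try {
            u = new URI(url); // strict parser: a raw '\' in the authority throws here
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = u.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) return false;
        // "host%23@other", "host%5c@other": anything before '@' is credentials, not the host
        if (u.getRawUserInfo() != null) return false;
        String host = u.getHost();
        if (host == null) return false; // URI could not isolate a server-based host
        host = host.toLowerCase();
        return host.equals(ALLOWED_DOMAIN) || host.endsWith("." + ALLOWED_DOMAIN);
    }

    public static void main(String[] args) {
        // Constructed samples: the first is legitimate, the rest are the payload shapes from the tables
        String[] samples = {
            "https://www.joychou.org/a.html",                  // true
            "http://www.baidu.com%23@www.joychou.org/a.html",  // false: userinfo present
            "http://www.baidu.com#@www.joychou.org/a.html",    // false: host is www.baidu.com
            "http://test.joychou.org%5c@www.joychou.org/a.html", // false: userinfo present
            "http://test.joychou.org\\www.joychou.org/a.html", // false: raw '\' fails to parse
            "http://evil.com?%23@www.joychou.org/",            // false: host is evil.com
        };
        for (String s : samples) {
            System.out.println(isAllowed(s) + "  " + s);
        }
    }
}
```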