URL whtielist Bypass

描述

用java.net.URL类的getHost被绕过情况

测试环境

Java 1.8.0_102
Chrome 74.0.3729.169

相关源代码

@RequestMapping("/url_bypass")
@ResponseBody
public String url_bypass(HttpServletRequest request) throws Exception{
    String url = request.getParameter("url");
    System.out.println("url:  " + url);
    URL u = new URL(url);
    // 判断是否是http(s)协议
    if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
        return "Url is not http or https";
    }
    String host = u.getHost().toLowerCase();
    System.out.println("host:  " + host);
    if (host.endsWith("." + "joychou.org")) {
        return "good url";
    } else {
        return "bad url";
    }
}

原理

https://localhost:8080/url/url_bypass?url=https://evil.com%23@www.joychou.org/a.html, URL类getHost为www.joychou.org，在白名单中。但是通过浏览器直接访问https://evil.com#@www.joychou.org/a.html，浏览器请求的是evil.com，导致绕过。

当getHost的域名在白名单内，并且getHost的域名和浏览器实际请求域名不一致，就会产生安全问题。

POC	url	getHost	Chrome	是否绕过	是否能跟path
https://evil.com%23@www.joychou.org/a.html	https://evil.com#@www.joychou.org/a.html	www.joychou.org	https://evil.com/	是	不能
https://evil.com%5c@www.joychou.org/a.html	https://evil.com\@www.joychou.org/a.html	www.joychou.org	https://evil.com/@www.joychou.org/a.html	是	能
https://evil.com%5cwww.joychou.org/a.html	https://evil.com\www.joychou.org/a.html	evil.com\www.joychou.org	https://evil.com/www.joychou.org/a.html	是	能

其他

url白名单绕过的各种payload：

url	Chrome	是否访问evil.com
https://www.joychou.org#@evil.com/a.html	www.joychou.org	否
https://www.joychou.org%23@evil.com/a.html	https://evil.com/a.html	是
https://evil.com\www.joychou.org/a.html	https://evil.com/www.joychou.org/a.html	是
https://evil.com\@www.joychou.org/a.html	https://evil.com/@www.joychou.org/a.html	是
https://evil.com?%0a@www.joychou.org/	https://evil.com/?%0a@www.joychou.org/	是

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

URL whtielist Bypass

描述

测试环境

相关源代码

原理

其他

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally