package org.joychou.controller;
import org.joychou.security.SecurityUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.*;

import javax.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
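/**
 * Vulnerable and hardened variants of a URL host whitelist check.
 *
 * <p>The {@code /vuln/*} endpoints keep their weak comparisons on purpose: each one
 * shows a way in which a naive host check accepts a host the list was never meant
 * to allow, so their matching logic is left exactly as the lesson requires. The
 * {@code /sec*} endpoints show the intended pattern: validate the scheme, parse the
 * host, then compare it exactly (or as a leading-dot suffix) against a fixed list.
 *
 * <p>Whitelists are fixed at class load and never mutated; the one regex is compiled
 * once. Host extraction and scheme validation are delegated to {@link SecurityUtil},
 * whose exact behaviour (e.g. whether {@code gethost} can return {@code null}) is not
 * visible here.
 *
 * @author JoyChou ([email protected])
 * @version 2018.08.23
 */
@RestController
@RequestMapping("/url")
public class URLWhiteList {

    private static final Logger logger = LoggerFactory.getLogger(URLWhiteList.class);

    /** Domains used by the {@code /vuln/*} checks. */
    private static final String[] DOMAIN_WHITELIST = {"joychou.org", "joychou.com"};

    /**
     * Whitelist for {@link #sec}. An entry starting with "." is a suffix that matches
     * any subdomain; every other entry must match the host exactly. None of the
     * entries below use the leading-dot form, so only these exact hosts are accepted.
     */
    private static final String[] SEC_WHITELIST = {"joychou.org", "joychou.com", "test.joychou.me"};

    /** Multi-level hosts accepted by {@link #sec_array_indexOf}; compared exactly. */
    private static final List<String> MULTI_LEVEL_WHITELIST =
            Collections.unmodifiableList(Arrays.asList("bbb.joychou.org", "ccc.bbb.joychou.org"));

    /** Compiled once: the pattern is constant and {@link Pattern} is thread-safe. */
    private static final Pattern ORG_SUFFIX = Pattern.compile("joychou\\.org$");

    /**
     * Weak check: plain {@code endsWith} without a separating dot.
     *
     * <p>Because no "." precedes the domain, any host that merely ends with the
     * characters of a whitelisted domain is accepted, e.g. {@code aaajoychou.org}
     * ({@code /url/vuln/endsWith?url=http://aaajoychou.org}).
     *
     * @param url the URL whose host is checked
     * @return {@code "Good url."} when the host ends with a whitelisted domain, else {@code "Bad url."}
     */
    @GetMapping("/vuln/endsWith")
    public String endsWith(@RequestParam("url") String url) {
        String host = SecurityUtil.gethost(url);
        for (String domain : DOMAIN_WHITELIST) {
            if (host.endsWith(domain)) {
                return "Good url.";
            }
        }
        return "Bad url.";
    }

    /**
     * Weak check: substring match, equivalent to an {@code indexOf} test.
     *
     * <p>The whitelisted domain may appear anywhere in the host, so both
     * {@code joychou.org.bypass.com} and {@code bypassjoychou.org} are accepted
     * ({@code /url/vuln/contains?url=http://joychou.org.bypass.com}).
     *
     * @param url the URL whose host is checked
     * @return {@code "Good url."} when the host contains a whitelisted domain, else {@code "Bad url."}
     */
    @GetMapping("/vuln/contains")
    public String contains(@RequestParam("url") String url) {
        String host = SecurityUtil.gethost(url);
        for (String domain : DOMAIN_WHITELIST) {
            if (host.contains(domain)) {
                return "Good url.";
            }
        }
        return "Bad url.";
    }

    /**
     * Weak check: a regex anchored only at the end.
     *
     * <p>{@code joychou\.org$} is not anchored at the start and has no leading dot,
     * so it behaves like {@link #endsWith} and accepts {@code aaajoychou.org}
     * ({@code /url/vuln/regex?url=http://aaajoychou.org}).
     *
     * @param url the URL whose host is checked
     * @return {@code "Good url."} when the pattern is found in the host, else {@code "Bad url."}
     */
    @GetMapping("/vuln/regex")
    public String regex(@RequestParam("url") String url) {
        String host = SecurityUtil.gethost(url);
        Matcher m = ORG_SUFFIX.matcher(host);
        return m.find() ? "Good url." : "Bad url.";
    }

    /**
     * Weak check: the host is taken from {@link java.net.URL#getHost()}.
     *
     * <p>The suffix comparison here does include the separating dot, but
     * {@code java.net.URL}'s notion of the host is not a browser's: for an authority
     * containing {@code @} (userinfo) or a backslash, the parsed host can satisfy the
     * whitelist while the browser resolves the redirect elsewhere. Examples:
     * {@code ?url=http://evil.com%40www.joychou.org/a.html} and
     * {@code ?url=http://evil.com%5cwww.joychou.org/a.html}.
     *
     * <p><a href="https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass">More details</a>
     *
     * @param url the redirect target; bound from the {@code url} request parameter without
     *            {@code @RequestParam}, so it is presumably {@code null} when absent — confirm
     *            against the Spring binding in use
     * @param res the response that receives the redirect when the host is accepted
     * @throws IOException if {@code sendRedirect} fails, or {@code url} is malformed
     */
    @GetMapping("/vuln/url_bypass")
    public void url_bypass(String url, HttpServletResponse res) throws IOException {
        logger.info("url: {}", url);
        if (!SecurityUtil.isHttp(url)) {
            return;
        }
        URL u = new URL(url);
        String host = u.getHost();
        logger.info("host: {}", host);
        for (String domain : DOMAIN_WHITELIST) {
            if (host.endsWith("." + domain)) {
                res.sendRedirect(url);
                // Stop after the first match: a second sendRedirect on an already
                // committed response would throw IllegalStateException.
                return;
            }
        }
    }

    /**
     * Hardened check: scheme validation, then exact or leading-dot suffix match.
     *
     * <p>Entries in {@link #SEC_WHITELIST} that start with "." match any subdomain via
     * {@code endsWith}; all other entries must equal the host exactly. With the list as
     * written there are no leading-dot entries, so a request such as
     * {@code /url/sec?url=http://aa.joychou.org} is rejected; accepting every subdomain
     * of joychou.org would require an entry of the form {@code .joychou.org}.
     *
     * @param url the URL to validate
     * @return the original {@code url} when its host is whitelisted, a scheme error
     *         message when it is not http/https, else {@code "Bad url."}
     */
    @GetMapping("/sec")
    public String sec(@RequestParam("url") String url) {
        if (!SecurityUtil.isHttp(url)) {
            return "SecurityUtil is not http or https";
        }
        String host = SecurityUtil.gethost(url);
        for (String whiteHost : SEC_WHITELIST) {
            boolean suffixEntry = whiteHost.startsWith(".");
            boolean matched = suffixEntry ? host.endsWith(whiteHost) : host.equals(whiteHost);
            if (matched) {
                return url;
            }
        }
        return "Bad url.";
    }

    /**
     * Hardened check: exact membership in a multi-level host list.
     *
     * <p>Only hosts equal to an entry of {@link #MULTI_LEVEL_WHITELIST} are accepted,
     * e.g. {@code /url/sec/array_indexOf?url=http://ccc.bbb.joychou.org}.
     *
     * @param url the URL to validate
     * @return {@code "Good url."} when the host is listed, a scheme error message when
     *         it is not http/https, else {@code "Bad url."}
     */
    @GetMapping("/sec/array_indexOf")
    public String sec_array_indexOf(@RequestParam("url") String url) {
        if (!SecurityUtil.isHttp(url)) {
            return "SecurityUtil is not http or https";
        }
        String host = SecurityUtil.gethost(url);
        // List.contains uses equals, so this is an exact match, never a substring test.
        if (MULTI_LEVEL_WHITELIST.contains(host)) {
            return "Good url.";
        }
        return "Bad url.";
    }
}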