add jsonp cors

Author: JoyChou93

.gitignore

@@ -1,4 +1,5 @@
 .idea/
 .DS_Store
 target/
+other-vuls/
 *.iml

README.md

@@ -21,6 +21,8 @@
 - [URL白名单Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
+- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
 
 
 ## 漏洞说明

src/main/java/org/joychou/controller/CORS.java

@@ -0,0 +1,64 @@
+package org.joychou.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.joychou.utils.Security;
+
+/**
+ * @author: JoyChou
+ * @date:   2018年10月24日
+ * @desc:   只要Access-Control-Allow-Origin为*，或者可被绕过，就存在CORS跨域
+ */
+
+@Controller
+@RequestMapping("/cors")
+public class CORS {
+
+    protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
+    protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
+
+    /**
+     *
+     * @param request
+     * @param response
+     * @desc: 当origin为空，即直接访问的情况下，response的header中不会出现Access-Control-Allow-Origin
+     */
+    @RequestMapping("/vuls1")
+    @ResponseBody
+    private static String vuls1(HttpServletRequest request, HttpServletResponse response) {
+        // 获取Header中的Origin
+        String origin = request.getHeader("origin");
+
+        response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
+        // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
+        // response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        return info;
+    }
+
+    @RequestMapping("/vuls2")
+    @ResponseBody
+    private static String vuls2(HttpServletResponse response) {
+        response.setHeader("Access-Control-Allow-Origin", "*");
+        // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
+        // response.setHeader("Access-Control-Allow-Credentials", "true");
+        return info;
+    }
+
+    @RequestMapping("/sec")
+    @ResponseBody
+    private static String seccode(HttpServletRequest request, HttpServletResponse response) {
+        String origin = request.getHeader("Origin");
+        Security sec = new Security();
+        if (!sec.checkSafeUrl(origin, urlwhitelist)) {
+            return "Origin is not safe.";
+        }
+        response.setHeader("Access-Control-Allow-Origin", "*");
+        // response.setHeader("Access-Control-Allow-Methods", "POST, GET");
+        // response.setHeader("Access-Control-Allow-Credentials", "true");
+        return info;
+    }
+
+
+}

src/main/java/org/joychou/controller/Fastjson.java

@@ -17,8 +17,10 @@ public class Fastjson {
     @RequestMapping(value = "deserialize", method = {RequestMethod.POST })
     @ResponseBody
     public static String Deserialize(@RequestBody String params) {
+        // 如果Content-Type不设置application/json格式，post数据会被url编码
         System.out.println(params);
         try {
+            // 将post提交的string转换为json
             JSONObject ob = JSON.parseObject(params);
             return ob.get("name").toString();
         }catch (Exception e){

src/main/java/org/joychou/controller/JSONP.java

@@ -0,0 +1,50 @@
+package org.joychou.controller;
+
+import org.joychou.utils.Security;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ * @author  JoyChou
+ * @date    2018年10月24日
+ */
+
+@Controller
+@RequestMapping("/jsonp")
+public class JSONP {
+
+    protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
+    protected static String[] urlwhitelist = {"joychou.com", "joychou.me"};
+
+
+    // http://localhost:8080/jsonp/referer?callback=test
+    @RequestMapping("/referer")
+    @ResponseBody
+    private static String referer(HttpServletRequest request, HttpServletResponse response) {
+        // JSONP的跨域设置
+        response.setHeader("Access-Control-Allow-Origin", "*");
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+
+    // http://localhost:8080/jsonp/sec?callback=test
+    @RequestMapping("/sec")
+    @ResponseBody
+    private static String sec(HttpServletRequest request, HttpServletResponse response) {
+        // JSONP的跨域设置
+        response.setHeader("Access-Control-Allow-Origin", "*");
+        String referer = request.getHeader("referer");
+        Security sec = new Security();
+        if (!sec.checkSafeUrl(referer, urlwhitelist)) {
+            return "Referer is not safe.";
+        }
+        String callback = request.getParameter("callback");
+        return callback + "(" + info + ")";
+    }
+
+
+}

src/main/java/org/joychou/utils/Security.java

@@ -0,0 +1,37 @@
+package org.joychou.utils;
+
+import com.google.common.net.InternetDomainName;
+import java.net.URL;
+
+public class Security {
+    /**
+     * @param url
+     * @return 安全url返回true，危险url返回false
+     */
+    public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
+        try{
+            URL u = new URL(url);
+            // 判断是否是http(s)协议
+            if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+                System.out.println("The protocol of url is not http or https.");
+                return false;
+            }
+            String host = u.getHost().toLowerCase();
+            // 如果非顶级域名后缀会报错
+            String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+            for (String whiteurl: urlwhitelist){
+                if (rootDomain.equals(whiteurl)) {
+                    return true;
+                }
+            }
+
+            System.out.println("Url is not safe.");
+            return false;
+        }catch (Exception e) {
+            System.out.println(e.toString());
+            e.printStackTrace();
+            return false;
+        }
+    }
+}