bypass using URL class to getHost

Author: JoyChou93

src/main/java/org/joychou/controller/URLWhiteList.java

@@ -7,6 +7,7 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
+import java.net.URI;
 import java.net.URL;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -89,17 +90,21 @@ public String indexOf(HttpServletRequest request) throws Exception{
         }
     }
 
-    // 安全代码
-    @RequestMapping("/seccode")
+    // URL类getHost方法被绕过造成的安全问题
+    // 绕过姿势：http://localhost:8080/url/seccode?url=http://www.taobao.com%[email protected]/, URL类getHost为joychou.com
+    // 直接访问http://www.taobao.com#@joychou.com/，浏览器请求的是www.taobao.com
+    @RequestMapping("/url")
     @ResponseBody
-    public String seccode(HttpServletRequest request) throws Exception{
+    public String urlVul(HttpServletRequest request) throws Exception{
         String url = request.getParameter("url");
+        System.out.println("url:  " + url);
         URL u = new URL(url);
         // 判断是否是http(s)协议
         if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
             return "URL is not http or https";
         }
         String host = u.getHost().toLowerCase();
+        System.out.println("host:  " + host);
         // 如果非顶级域名后缀会报错
         String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 
@@ -111,4 +116,29 @@ public String seccode(HttpServletRequest request) throws Exception{
     }
 
 
+    // 安全代码
+    @RequestMapping("/seccode")
+    @ResponseBody
+    public String seccode(HttpServletRequest request) throws Exception{
+        String url = request.getParameter("url");
+        System.out.println("url:  " + url);
+        URI uri = new URI(url);
+        URL u = new URL(url);
+        // 判断是否是http(s)协议
+        if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
+            return "URL is not http or https";
+        }
+        // 使用uri获取host
+        String host = uri.getHost().toLowerCase();
+        System.out.println("host:  " + host);
+
+        // 如果非顶级域名后缀会报错
+        String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
+
+        if (rootDomain.equals(urlwhitelist)) {
+            return "URL is legal";
+        } else {
+            return "URL is illegal";
+        }
+    }
 }

src/main/java/org/joychou/utils/Security.java

@@ -1,6 +1,8 @@
 package org.joychou.utils;
 
 import com.google.common.net.InternetDomainName;
+
+import java.net.URI;
 import java.net.URL;
 
 public class Security {
@@ -11,12 +13,15 @@ public class Security {
     public static Boolean checkSafeUrl(String url, String[] urlwhitelist){
         try{
             URL u = new URL(url);
+            URI uri = new URI(url);
             // 判断是否是http(s)协议
             if (!u.getProtocol().startsWith("http") && !u.getProtocol().startsWith("https")) {
                 System.out.println("The protocol of url is not http or https.");
                 return false;
             }
-            String host = u.getHost().toLowerCase();
+            // 使用uri获取host
+            String host = uri.getHost().toLowerCase();
+
             // 如果非顶级域名后缀会报错
             String rootDomain = InternetDomainName.from(host).topPrivateDomain().toString();
 

src/main/resources/application.properties

@@ -1,3 +1,4 @@
 
 # Spring Boot Actuator Vulnerable Config
-management.security.enabled=false
+management.security.enabled=false
+logging.config=classpath:logback-online.xml