
Getting Started with Java Code Audit: WebGoat8 (Reunion)

WebGoat8 series: previous installment

数字观星 Jack Chan (Saturn). The Reunion installment is the second in the Getting Started with Java Code Audit: WebGoat8 series; the name means meeting WebGoat8 again. In this installment we look at the Authentication Bypasses lesson and the JWT-related security issues in WebGoat8.

Authentication Bypasses

The lesson opens with a 2016 PayPal two-factor password-reset vulnerability: the attacker deleted the two security questions from the security-question verification request, the request passed verification anyway, and authentication was bypassed.


Having seen the real-world case, our in-class assignment is to bypass a similar password-reset feature. It is tempting to apply the technique we just learned: intercept the request, delete the two security questions, and send it on. The reply is: Not quite, please try again.

Very realistic; it proves the old saying that what the teacher taught and what the examples showed never come up on the exam.


Take the path "/auth-bypass/verify-account" from the intercepted request, search the whole project for it, and trace it to the relevant code:

 

VerifyAccount.java

package org.owasp.webgoat.plugin;

import com.google.common.collect.Lists;
import org.jcodings.util.Hash;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Created by jason on 1/5/17.
 */
@AssignmentPath("/auth-bypass/verify-account")
@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
public class VerifyAccount extends AssignmentEndpoint {

    @Autowired
    private WebSession webSession;
    @Autowired
    UserSessionData userSessionData;

    @PostMapping(produces = {"application/json"})
    @ResponseBody
    public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
        AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
        Map<String,String> submittedAnswers = parseSecQuestions(req);
        // cheat detection
        if (verificationHelper.didUserLikelylCheat((HashMap)submittedAnswers)) {
            return trackProgress(failed()
                    .feedback("verify-account.cheated")
                    .output("Yes, you guessed correcctly,but see the feedback message")
                    .build());
        }
        // else
        // account verification
        if (verificationHelper.verifyAccount(new Integer(userId),(HashMap)submittedAnswers)) {
            userSessionData.setValue("account-verified-id", userId);
            return trackProgress(success()
                    .feedback("verify-account.success")
                    .build());
        } else {
            return trackProgress(failed()
                    .feedback("verify-account.failed")
                    .build());
        }
    }

    // Security-question parsing: every parameter whose name contains "secQuestion"
    // is stored, together with its value, in userAnswers (a Map).
    private HashMap<String,String> parseSecQuestions (HttpServletRequest req) {
        Map <String,String> userAnswers = new HashMap<>();
        List<String> paramNames = Collections.list(req.getParameterNames());
        for (String paramName : paramNames) {
            //String paramName = req.getParameterNames().nextElement();
            if (paramName.contains("secQuestion")) {
                userAnswers.put(paramName,req.getParameter(paramName));
            }
        }
        return (HashMap)userAnswers;
    }
}
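To make the pattern behind the PayPal case and this assignment concrete, here is an added Java example of my own (not code from the article and not WebGoat's): a verifier that only checks the answers the client chose to send, beside one that checks every question the server requires. The class name, the stored answers, the hypothetical userId/verifyMethod values and the three request maps are constructed for the illustration; only the "secQuestion" parameter-name filter mirrors the parseSecQuestions method above.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the article or from WebGoat. It models the
// security-question step of a password reset with a vulnerable verifier and a
// hardened one. Names, stored answers and request maps are constructed here.
public class SecurityQuestionVerifier {

    // Stored answers for the account being reset (constructed sample data),
    // keyed by the same "secQuestion" parameter names the form would send.
    private static final Map<String, String> EXPECTED_ANSWERS = new LinkedHashMap<>();
    static {
        EXPECTED_ANSWERS.put("secQuestion0", "blue");
        EXPECTED_ANSWERS.put("secQuestion1", "rover");
    }

    // Mirrors the servlet-side collection step: keep only the parameters whose
    // name contains "secQuestion". Whatever the client omitted is simply absent.
    static Map<String, String> parseSecQuestions(Map<String, String> requestParams) {
        Map<String, String> answers = new HashMap<>();
        for (Map.Entry<String, String> p : requestParams.entrySet()) {
            if (p.getKey().contains("secQuestion")) {
                answers.put(p.getKey(), p.getValue());
            }
        }
        return answers;
    }

    // Vulnerable pattern: iterate over what the client submitted. A request
    // with both questions removed yields an empty map, the loop body never
    // runs, and the method returns true. This is the shape of the PayPal bug.
    static boolean verifyOnlySubmitted(Map<String, String> submitted) {
        for (Map.Entry<String, String> e : submitted.entrySet()) {
            String expected = EXPECTED_ANSWERS.get(e.getKey());
            if (expected == null || !expected.equals(normalize(e.getValue()))) {
                return false;
            }
        }
        return true;
    }

    // Hardened pattern: iterate over the server's own list of required
    // questions. A missing answer is treated exactly like a wrong one, and
    // every question is checked before a verdict is returned.
    static boolean verifyAllRequired(Map<String, String> submitted) {
        boolean ok = true;
        for (Map.Entry<String, String> e : EXPECTED_ANSWERS.entrySet()) {
            String answer = submitted.get(e.getKey());
            if (answer == null || !e.getValue().equals(normalize(answer))) {
                ok = false;  // keep checking the rest; the verdict stays false
            }
        }
        return ok;
    }

    private static String normalize(String s) {
        return s == null ? "" : s.trim().toLowerCase();
    }

    public static void main(String[] args) {
        // Constructed requests: a complete one, one with both questions
        // deleted (the lesson's technique), and one with a single question left.
        Map<String, String> complete = new HashMap<>();
        complete.put("userId", "0000");                 // placeholder value
        complete.put("verifyMethod", "SEC_QUESTIONS");  // placeholder value
        complete.put("secQuestion0", "Blue");
        complete.put("secQuestion1", "rover");

        Map<String, String> stripped = new HashMap<>(complete);
        stripped.remove("secQuestion0");
        stripped.remove("secQuestion1");

        Map<String, String> partial = new HashMap<>(complete);
        partial.remove("secQuestion1");

        for (Map<String, String> req : Arrays.asList(complete, stripped, partial)) {
            Map<String, String> answers = parseSecQuestions(req);
            System.out.printf("%d answer(s) submitted -> vulnerable: %b, hardened: %b%n",
                    answers.size(), verifyOnlySubmitted(answers), verifyAllRequired(answers));
        }
    }
}
```

Running main shows the difference: the stripped request (zero secQuestion parameters) is accepted by verifyOnlySubmitted and rejected by verifyAllRequired, and the partial request behaves the same way. The fix is not extra validation of the fields the client sent, but driving the loop from the server's list of required questions so that an absent answer can never count as a correct one.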

The key pieces it relies on are:
