
Java Code Audit for Beginners: WebGoat 8 (First Look) (2)


Accessing WebGoat 8

:8080/WebGoat/

A clean, uncluttered interface greets you. As soon as you open the WebGoat project it redirects to the /login page, so we need to look at how this login authentication flow is handled and think about whether it has any security issues.


Spring Boot login authentication: WebSecurityConfig

Question

How do you locate a functional module in the code?

Check whether the framework's corresponding built-in module is used

Locate the module through its routes

Known:

Provided by the framework: Spring Security login authentication

Spring Boot routes:
  @RequestMapping(path = PATH)
  @GetMapping(path = PATH)
  @PostMapping(path = PATH)
  ……

First, take the path feature from the routes, "/login", and search the whole project for /login. That turns up the WebSecurityConfig file. Looking it up also tells us that Spring Boot lets you configure the security settings (authentication and authorization), including authentication, by writing a WebSecurityConfig class, so we can be quite certain that WebSecurityConfig is the file we are looking for.
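As an added aid for the route-based search described above (example code added to this write-up, not part of the original post or of WebGoat): a small Python script that inventories Spring MVC mapping annotations across a source tree and reports which files claim a given path, including Spring Security's formLogin().loginPage(...) setting. SAMPLE_SOURCES is a constructed in-memory source tree; for a real audit you would read the .java files under the project directory into that dict.

```python
import re
# Constructed in-memory source tree (file name -> contents); not WebGoat's real files.
SAMPLE_SOURCES = {
    "LoginController.java": """
@Controller
public class LoginController {
    @GetMapping(path = "/login")
    public String login() { return "login"; }
    @PostMapping(value = "/register.mvc")
    public String register() { return "register"; }
}""",
    "LessonController.java": """
@RestController
@RequestMapping("/service")
public class LessonController {
    @RequestMapping(path = "/lesson", method = RequestMethod.GET)
    public String lesson() { return "ok"; }
}""",
    "WebSecurityConfig.java": """
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception { http.formLogin().loginPage("/login"); }
}""",
}

# @RequestMapping/@GetMapping/... plus the first quoted path, written positionally,
# as path = "..." or as value = "...".
MAPPING_RE = re.compile(
    r'@(RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping)'
    r'\s*\(\s*(?:(?:path|value)\s*=\s*)?"([^"]*)"')
LOGIN_PAGE_RE = re.compile(r'\.loginPage\(\s*"([^"]*)"\s*\)')

def find_routes(sources):
    """(file, annotation, full path) per handler; a class-level @RequestMapping is the prefix."""
    routes = []
    for name, text in sources.items():
        # Annotations before the 'class' keyword are class-level, the rest are method-level.
        parts = re.split(r"\bclass\b", text, maxsplit=1)
        head, body = (parts[0], parts[1]) if len(parts) == 2 else ("", text)
        class_level = MAPPING_RE.search(head)
        prefix = class_level.group(2) if class_level else ""
        for annotation, path in MAPPING_RE.findall(body):
            routes.append((name, annotation, prefix + path))
    return routes

def files_for_path(sources, path):
    """The 'search the project for /login' step: handler paths plus formLogin().loginPage(...)."""
    hits = {f for f, _, p in find_routes(sources) if p == path}
    hits |= {f for f, text in sources.items() if path in LOGIN_PAGE_RE.findall(text)}
    return sorted(hits)
```

Running files_for_path(SAMPLE_SOURCES, "/login") on the sample tree returns both the controller that serves /login and the security config that declares it as the login page, which is exactly the pair of files the manual search lands on.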


WebSecurityConfig.java

import lombok.AllArgsConstructor;
import org.owasp.webgoat.users.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@AllArgsConstructor
@EnableWebSecurity // this annotation turns on Spring Security
// WebSecurityConfigurerAdapter: override its methods to set the web security configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                .authorizeRequests() // authorization
                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
                .anyRequest().authenticated(); // everything else requires authentication
        security.and()
                .formLogin()
                .loginPage("/login") // login page
                .defaultSuccessUrl("/welcome.mvc", true) // go to /welcome.mvc after a successful login
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll();
        security.and()
                .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
        security.and().csrf().disable();

        http.headers().cacheControl().disable();
        http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
    }

    //// TODO: 11/18/2016 make this a little bit more configurable last part at least
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        //.passwordEncoder(bCryptPasswordEncoder());
    }

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return userDetailsService;
    }
}