FilesExpand file tree

 master

/

Cookies.java

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

87 lines (66 loc) · 2.39 KB

 master

/

Cookies.java

Top

File metadata and controls

• Code
• Blame

87 lines (66 loc) · 2.39 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

package org.joychou.controller;

import org.springframework.web.bind.annotation.CookieValue;

import org.springframework.web.bind.annotation.GetMapping;

import org.springframework.web.bind.annotation.RequestMapping;

import javax.servlet.http.Cookie;

import javax.servlet.http.HttpServletRequest;

import org.joychou.util.WebUtils;

import org.springframework.web.bind.annotation.RestController;

import static org.springframework.web.util.WebUtils.getCookie;

/**

* 某些应用获取用户身份信息可能会直接从cookie中直接获取明文的nick或者id，导致越权问题。

*/

@RestController

@RequestMapping("/cookie")

public class Cookies {

private static String NICK = "nick";

@GetMapping(value = "/vuln01")

public String vuln01(HttpServletRequest req) {

String nick = WebUtils.getCookieValueByName(req, NICK); // key code

return "Cookie nick: " + nick;

}

@GetMapping(value = "/vuln02")

public String vuln02(HttpServletRequest req) {

String nick = null;

Cookie[] cookie = req.getCookies();

if (cookie != null) {

nick = getCookie(req, NICK).getValue(); // key code

}

return "Cookie nick: " + nick;

}

@GetMapping(value = "/vuln03")

public String vuln03(HttpServletRequest req) {

String nick = null;

Cookie cookies[] = req.getCookies();

if (cookies != null) {

for (Cookie cookie : cookies) {

// key code. Equals can also be equalsIgnoreCase.

if (NICK.equals(cookie.getName())) {

nick = cookie.getValue();

}

}

}

return "Cookie nick: " + nick;

}

@GetMapping(value = "/vuln04")

public String vuln04(HttpServletRequest req) {

String nick = null;

Cookie cookies[] = req.getCookies();

if (cookies != null) {

for (Cookie cookie : cookies) {

if (cookie.getName().equalsIgnoreCase(NICK)) { // key code

nick = cookie.getValue();

}

}

}

return "Cookie nick: " + nick;

}

@GetMapping(value = "/vuln05")

public String vuln05(@CookieValue("nick") String nick) {

return "Cookie nick: " + nick;

}

@GetMapping(value = "/vuln06")

public String vuln06(@CookieValue(value = "nick") String nick) {

return "Cookie nick: " + nick;

}

}