若通過用戶輸入構建服務器端重定向路徑,攻擊者便能夠下載應用程序二進制碼(包括應用程序的類或 jar 文件)或者查看受保護的目錄下的任意文件。
Spring Webflow 使用視圖解析器將視圖名稱轉換為真實渲染語言。通常情況下,視圖解析器會限制帶有前綴和后綴的文件的類型和位置。然而,使用請求參數來指定視圖名稱可回避這一限制機制。
例 1:下面的 Spring Webflow 配置會使用請求參數指定視圖名稱。
<webflow:end-state id="finalStep" view="${requestParameters.url}"/>
<webflow:view-state id="showView" view="${requestParameters.test}">
<bean class="org.springframework.web.servlet.view.
InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
InternalResourceViewResolver 會攜帶其配置中包含的前綴,然后連接通過視圖屬性傳遞的值,最終加上后綴。[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References
[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 552
[5] Seth Ladd Expert Spring MVC and Web Flow
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8
[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 073
[10] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC