CORS跨域漏洞修复

原文链接: https://www.cnblogs.com/wenyoudo/p/14862701.html

漏洞介绍
概述：CORS，跨域资源共享（Cross-origin resource sharing），是H5提供的一种机制，WEB应用程序可以通过在HTTP增加字段来告诉浏览器，哪些不同来源的服务器是有权访问本站资源的，当不同域的请求发生时，就出现了跨域的现象。当该配置不当的时候，就导致资源被恶意操作
潜在危害：中

---

 

测试方法
1、可以通过浏览器的控制台的network，查看接口的请求包response头中Access-Control-Allow-Origin是否设置为*

2、 也可以通过抓包工具，查看接口返回的response中是Access-Control-Allow-Origin是否设置为*

漏洞案例
1、配置Access-Control-Allow-Origin为 *

 

 

 

 

 

 

2、配置Access-Control-Allow-Origin 但是该值可控

 

---

 

修复方案

tomcat CORS的配置

使用过滤器进行配置，代码如下：

 

package filter;import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.http.HTTPException;@WebFilter("/Cors")
public class CorsFilter implements Filter {/*** Default constructor. */public FilterConfig config;public CorsFilter() {// TODO Auto-generated constructor stub}/*** @see Filter#destroy()*/public void destroy() {// TODO Auto-generated method stubthis.config = null;}/*** @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)*/public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {//配置可信域名String[]  authhosts = {"http://www.abc.com:8008","http://www.abcyy.com"};String authost = "";HttpServletRequest httprequest = (HttpServletRequest) request;String origin = httprequest.getHeader("origin"); HttpServletResponse httpresponse  =  (HttpServletResponse) response;if(origin != null &&  !Arrays.asList(authhosts).contains(origin)) {httpresponse.sendError(403);return;}else {for(int i=0;i<authhosts.length;i++) {if(i!=authhosts.length - 1) {authost = authost + authhosts[i]+",";}else {authost = authost + authhosts[i];}}httpresponse.addHeader("Access-Control-Allow-Origin", authost);httpresponse.addHeader("Access-Control-Allow-Methods","GET, POST");httpresponse.addHeader("Access-Control-Allow-Headers","origin, content-type, accept, x-requested-with, sid, mycustom, smuser");chain.doFilter(request, response);}}@Overridepublic void init(FilterConfig arg0) throws ServletException {// TODO 自动生成的方法存根}
}

 

nginx CORS配置

ocation / {set $flag 0;if ($http_origin = ''){set $flag "${flag}1";}if ($http_origin !~* ^(http|https)://www\.abc\.com$){set $flag "${flag}1";}if ($flag = "01"){return 403;}if ($http_origin ~* ^(http|https)://www\.abc\.com$) {add_header Access-Control-Allow-Origin $http_origin;add_header Access-Control-Allow-Methods GET,POST;add_header Access-Control-Allow-Credentials true;add_header Access-Control-Allow-Headers DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type;}
}