How to fix HTTP parameter/path pollution attack Spring Rest

Submitted by 旧街凉风 on 2020-07-22 22:16:31

Question


Extracting parameters from HTTP message and getting resource URLs could be vulnerable to injection attacks that may change the semantics of the intended resource. Two classes of attacks are relevant here: HTTP parameter/path pollution (HPPP) and Server-Side Request Forgery (SSRF). Remember that our attacker has full control over the HTTP request or the HTTP response.

In an HPPP (HTTP parameter/path pollution attack), a parameter is used to compose the resource URL to be used to prepare a REST request for a resource (or generate an embedded link). The problem is that the attacker may either alter the path or add/overwrite unexpected parameters in the “query string”. Additionally, REST frameworks may use a parameter (like _method) to allow the specification of a REST verb different from the incoming HTTP method, so a GET request could be interpreted as a PUT operation. An attacker may change the semantics of the REST resource URL.

Find more info here.

Example:

For example, if testing the search_string parameter in the query string, the request URL would include that parameter name and value.

http://example.com/?search_string=kittens 

The particular parameter might be hidden among several other parameters, but the approach is the same; leave the other parameters in place and append the duplicate.

http://example.com/?mode=guest&search_string=kittens&num_results=100 

Append the same parameter with a different value:

http://example.com/?mode=guest&search_string=kittens&num_results=100&search_string=puppies 

and submit the new request.

Question:

Spring REST, Spring MVC and Spring Security don't provide any built-in support to fix the HPPP issue. How can we fix it inside the Spring frameworks?


Answer 1:


After spending a few hours, I have implemented the following solution; let me know if you have a better approach to handle it.

1) I have added a custom handler which implements HandlerInterceptor.

2) I override the preHandle method to read all input parameters.

3) If an input parameter does not exist in my predefined list, throw an exception.

Code:

import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.ListIterator;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

@Component
public class RequestInterceptor implements HandlerInterceptor {

    // Allow-list of the parameter names this application expects; anything else is rejected.
    enum parameterChoices {
        inputParam1, inputParam2, inputParam3
    };

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {

        // Walk every parameter name the container parsed (query string and, for POST forms, the body).
        if (request.getParameterNames() != null) {
            Enumeration<String> parameters = request.getParameterNames();
            List<String> list = Collections.list(parameters);
            ListIterator<String> litr = list.listIterator();

            while (litr.hasNext()) {

                // Any name outside the allow-list aborts the request before the controller runs.
                if (!contains(litr.next())) {
                    throw new RuntimeException("HTTP parameter/path pollution attack Exception");
                }
            }

        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) throws Exception {
        System.out.println("---method executed---");
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        System.out.println("---Request Completed---");
    }

    // Returns true only if the parameter name is one of the predefined choices.
    private boolean contains(String paramValue) {
        System.out.println("contains paramValue=" + paramValue);
        // Use isEmpty() rather than == "" : string identity comparison does not test content.
        if (paramValue == null || paramValue.isEmpty()) {
            return false;
        }

        for (parameterChoices type : parameterChoices.values()) {
            if (type.name().equals(paramValue)) {
                return true;
            }
        }

        return false;
    }

}

Now register it:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class AppConfig extends WebMvcConfigurerAdapter {

    @Autowired
    RequestInterceptor requestInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Register the interceptor so preHandle runs for every mapped request.
        registry.addInterceptor(requestInterceptor);
    }
}
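The interceptor above only checks that each parameter name is on a predefined list; it does not notice the pollution case from the question, where an expected name such as search_string is supplied twice with different values, because the servlet container merges both values under one name. The following Java interceptor, added here as an example and not part of the original question or answer, rejects both unknown names and repeated names, answers with HTTP 400 rather than an unhandled RuntimeException, and keeps the check in a method that works on the plain Map<String, String[]> shape of getParameterMap() so it can be exercised without a container. The allow-list (mode, search_string, num_results) is taken from the question's example URL; the class name, the javax.servlet and Spring MVC 5 dependencies, and the constructed parameter maps in main are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Hypothetical interceptor: every parameter name must be on the allow-list and
 * must appear exactly once. Assumes javax.servlet and Spring MVC 5 on the classpath.
 */
public class StrictParameterInterceptor implements HandlerInterceptor {

    private final Set<String> allowedNames;

    public StrictParameterInterceptor(Set<String> allowedNames) {
        this.allowedNames = allowedNames;
    }

    /**
     * Returns a reason for rejecting the request, or empty if the parameters pass.
     * Operates on the Map<String, String[]> returned by HttpServletRequest.getParameterMap(),
     * in which a repeated parameter name shows up as an array with several values.
     */
    public Optional<String> violation(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue();
            // Unknown names cover stray injected parameters as well as verb overrides
            // such as "_method", which is never placed on an endpoint's allow-list.
            if (name == null || name.isEmpty() || !allowedNames.contains(name)) {
                return Optional.of("unexpected parameter: " + name);
            }
            // A repeated name is the pollution pattern from the question:
            // ?search_string=kittens&...&search_string=puppies
            if (values == null || values.length != 1) {
                int count = values == null ? 0 : values.length;
                return Optional.of("parameter supplied " + count + " times: " + name);
            }
        }
        return Optional.empty();
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        Optional<String> reason = violation(request.getParameterMap());
        if (reason.isPresent()) {
            // Fail closed with a client error; returning false stops the handler chain.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, reason.get());
            return false;
        }
        return true;
    }

    // Offline demonstration on constructed parameter maps mirroring the question's URLs.
    public static void main(String[] args) {
        StrictParameterInterceptor policy = new StrictParameterInterceptor(
                new HashSet<>(Arrays.asList("mode", "search_string", "num_results")));

        // ?mode=guest&search_string=kittens&num_results=100 as the container presents it
        Map<String, String[]> clean = new LinkedHashMap<>();
        clean.put("mode", new String[] {"guest"});
        clean.put("search_string", new String[] {"kittens"});
        clean.put("num_results", new String[] {"100"});
        System.out.println("clean request: " + policy.violation(clean));

        // the same request with &search_string=puppies appended
        Map<String, String[]> polluted = new LinkedHashMap<>(clean);
        polluted.put("search_string", new String[] {"kittens", "puppies"});
        System.out.println("duplicated parameter: " + policy.violation(polluted));

        // the same request with &_method=PUT appended
        Map<String, String[]> override = new LinkedHashMap<>(clean);
        override.put("_method", new String[] {"PUT"});
        System.out.println("verb override: " + policy.violation(override));
    }
}
```

Register it with addInterceptors exactly as the answer does, ideally with addPathPatterns so each endpoint gets its own allow-list rather than one global enum. Two caveats worth knowing: getParameterMap() merges the query string with a URL-encoded POST body, so a name sent once in each also counts as repeated, which is the desired outcome; and the _method override mentioned in the question is only honoured by Spring's HiddenHttpMethodFilter, which acts on POST requests and is disabled by default in Spring Boot 2.2 and later (spring.mvc.hiddenmethod.filter.enabled), so leaving that filter off is a cheaper fix for that particular vector than parameter screening.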


Source: https://stackoverflow.com/questions/45250843/how-to-fix-http-parameter-path-pollution-attack-spring-rest
