A log injection attack writes unvalidated user input into a log file, which can allow an attacker to forge log entries or inject malicious content into the log.
If a user submits the string "twenty-one" for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string "twenty-one%0d%0aHACK:+User+logged+in%3dbadguy", which contains the line-break characters %0d and %0a, the following entries are logged:
INFO: Failed to parse val=twenty-one
HACK: User logged in=badguy
Clearly, an attacker can use the same mechanism to insert arbitrary log entries. Therefore every value written to the log must have its \r and \n characters removed.
Vulnerable code:
import java.io.IOException;
import java.io.PrintStream;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ValHandler {
    private static final Logger log = Logger.getLogger(ValHandler.class.getName());

    public void risk(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String val = request.getParameter("val");
        PrintStream out = new PrintStream(response.getOutputStream());
        try {
            int value = Integer.parseInt(val);
        } catch (NumberFormatException e) {
            e.printStackTrace(out); // stack trace goes straight into the client response
            log.info("Failed to parse val = " + val); // val is unfiltered: \r\n inside it starts a forged log entry
        }
    }
}
Solution:
// Same class, imports and log field as the vulnerable version above.
public void risk(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String val = request.getParameter("val");
    try {
        int value = Integer.parseInt(val);
    } catch (NumberFormatException e) {
        if (val == null) {
            val = ""; // parseInt(null) also throws NumberFormatException; avoid an NPE on replace()
        }
        val = val.replace("\r", "");
        val = val.replace("\n", "");
        log.info("Failed to parse val = " + val);
        // Do not call printStackTrace directly to produce the error output (client response or log).
    }
}
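The following standalone Java class is an added example, not code from the original issue or from any project: it turns the \r/\n rule above into a reusable sanitizer and runs it on the issue's own payload so the difference between the forged two-line log and the sanitized one-line log is visible. It goes beyond the issue text in two ways, both assumptions of this example: line breaks are replaced with visible escapes instead of being deleted (so the injection attempt remains detectable in the log), and other control characters and a null value are handled too. The class and method names are hypothetical.

```java
import java.util.logging.Logger;

/** Added example: a sanitizer for untrusted values before they are concatenated into a log line. */
public class LogSanitizer {
    private static final Logger log = Logger.getLogger(LogSanitizer.class.getName());

    /**
     * Neutralise line breaks so an attacker-controlled value cannot start a new log entry.
     * Assumption beyond the issue text: \r and \n are escaped rather than removed, and
     * other C0 control characters (plus DEL) are escaped as \xNN. null is logged as "null".
     */
    public static String sanitize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\x%02x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** The issue's catch block, with the sanitizer applied to the untrusted value. */
    public static void logParseFailure(String val) {
        try {
            Integer.parseInt(val);
        } catch (NumberFormatException e) {
            log.info("Failed to parse val = " + sanitize(val));
        }
    }

    public static void main(String[] args) {
        // Constructed input: the issue's payload after URL decoding (%0d%0a -> \r\n, + -> space, %3d -> =).
        String payload = "twenty-one\r\nHACK: User logged in=badguy";

        String unsafe = "Failed to parse val = " + payload;
        String safe = "Failed to parse val = " + sanitize(payload);

        // Count how many log lines each version produces when written as-is.
        System.out.println("Without sanitizing, the log receives " + unsafe.split("\r?\n").length + " lines:");
        System.out.println(unsafe);
        System.out.println();
        System.out.println("With sanitizing, the log receives " + safe.split("\r?\n").length + " line:");
        System.out.println(safe);

        // Same path as the servlet's catch block, including the null case.
        logParseFailure(payload);
        logParseFailure(null);
    }
}
```

Escaping instead of deleting is a deliberate choice: a deleted \r\n leaves "twenty-oneHACK: User logged in=badguy" on one line, which is harmless but hides the fact that someone tried to forge an entry, whereas the escaped form "twenty-one\r\nHACK: ..." stays on one line and is something a detection rule can match on. Whichever variant is used, the important part is that the sanitizer runs on every untrusted value before it is concatenated into the message, not on the finished message.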