"Java" System vulnerability: Considerations for post-logon actions for users

Source: Internet
Author: User

Project background:

Spring MVC + MyBatis + MySQL database (Java web project)

Related modules: login, personal details modification, order details query

Related vulnerability descriptions:

  1. Login verification code (captcha): the captcha must be verified on the server side. If it is only checked in the front end and the server never verifies it, the captcha can be bypassed with a tool and the login brute-forced;

  2. Interceptor: interfaces that are only meaningful after login, such as personal information operations, should be placed under a path prefix such as /user or /admin and guarded by an interceptor; if the user is not logged in, the request is automatically redirected to the login page;

  3. Personal details modification: the user's information, such as the user ID, should be kept in the session. For a password-less modification interface (one where changing information does not require the password), the user ID passed by the client must not be used as the sole identity for the update. When the user's critical information is needed, take the current logged-in user's information from the session, so that someone who has logged in with one account cannot modify another user's personal information (for example the user with ID 3000001) simply by changing the ID in the request;

  4. Order details interface: if order details are queried by order ID alone, then even when the interface is placed under /user and non-logged-in users are intercepted, another logged-in user may still be able to query details of orders that are not their own. In this case, before returning the order details, verify that the order belongs to the current user, that is, check that the user ID in the session equals the ID of the order's creator, to prevent information disclosure;
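An added example for items 3 and 4 above (not code from the original post): a Spring MVC controller that takes the user ID from the session instead of the request, and checks the order's creator against the session user before returning it. UserMapper, OrderMapper and Order are assumed MyBatis mapper and model names, not the project's own.

```java
// Added example (not from the original post): Spring MVC controller that takes
// the logged-in user's id from the HttpSession instead of a request parameter,
// and checks order ownership before returning order details.
// UserMapper, OrderMapper and Order are assumed names for this illustration.
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/user")   // prefix guarded by the login interceptor (item 2)
public class UserController {

    private static final String SESSION_USER_ID = "userId"; // set at login

    @Autowired private UserMapper userMapper;
    @Autowired private OrderMapper orderMapper;

    // Item 3: the user id is never accepted from the client; only the session
    // decides whose row is updated (mapper SQL uses WHERE id = #{userId}).
    @PostMapping("/profile")
    public ResponseEntity<String> updateProfile(@RequestParam String nickname,
                                                @RequestParam String phone,
                                                HttpSession session) {
        Long userId = (Long) session.getAttribute(SESSION_USER_ID);
        if (userId == null) {
            return new ResponseEntity<>("not logged in", HttpStatus.UNAUTHORIZED);
        }
        userMapper.updateProfile(userId, nickname, phone);
        return ResponseEntity.ok("updated");
    }

    // Item 4: the order id comes from the URL, but the record is returned only
    // when its creator matches the session user.
    @GetMapping("/order/{orderId}")
    public ResponseEntity<Order> orderDetail(@PathVariable Long orderId,
                                             HttpSession session) {
        Long userId = (Long) session.getAttribute(SESSION_USER_ID);
        if (userId == null) {
            return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
        }
        Order order = orderMapper.selectById(orderId);
        // 404 rather than 403, so the response does not confirm that another user's order exists
        if (order == null || !userId.equals(order.getCreatorId())) {
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        }
        return ResponseEntity.ok(order);
    }
}
```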

(Note: the above loopholes really happened; this is posted in the hope of warning other newcomers, and also in the hope of discussing with more people the problems encountered in development)
