When using a J2EE framework, the framework's conventions and bad development habits can cause security problems: unauthorized operations

Source: Internet
Author: User

// PS: this is also a common problem, and we all know why people make this mistake (not every Internet company has an SDL; a company may have a large business but an architecture that is not yet complete, let alone a security architecture). The author has also run into similar problems here while reviewing a simple application built on a simple MVC framework. Although no harm was done, I feel that habits during development matter a lot and can avoid a number of security issues, so I am leaving a note here. If we run security exercises another day, maybe it can serve as basic teaching material for J2EE secure development training. Haha! Security vulnerabilities or problems are actually very simple.


Unauthorized operations: this is a common security issue. Application developers or designers do not fully consider access permissions. They hope that an obscure access URL will keep out attackers who are not familiar with development, but such URLs are easy to guess for anyone who is familiar with it.


Take an MVC framework such as Struts2 as an example (other common frameworks or self-written frameworks are similar; we will not discuss the merits of the frameworks here!). It sets a default convention that looks like access control: the operations on one business object or DTO are implemented in one class (note that this is a default, not something the framework forces on you; by default you follow this pattern during development, and the developer decides), and the different operations (nothing more than C (add), R (query), U (change), D (delete) and so on) are implemented as different methods of that class. It is the guidance of this convention, combined with some bad naming habits for the implementing methods and a number of other factors, that can lead to security problems, such as:


For an application with permissions, say a website with user registration, simply split the CRUD operation permissions (here we only discuss excessive permissions; parallel permission issues and so on are not considered!): C (add or register) and U (modify) can be reached by users; R (query) and D (delete) can only be performed by the administrator. Example code:

import com.opensymphony.xwork2.ActionSupport;

public class MemberAction extends ActionSupport {

    // Result names used by this action (SUCCESS is inherited from ActionSupport)
    public static final String REGISTER = "register";
    public static final String ADD = "add";
    public static final String LIST = "list";

    public String register() {
        // Register a user. The example code is omitted...
        return REGISTER;
    }

    public String add() {
        // Save the user. The example code is omitted...
        return ADD;
    }

    public String getList() {
        // Query the users. Meant for the administrator only, but nothing in this
        // class checks that. The example code is omitted...
        return LIST;
    }

    // Other methods are omitted...

    public String execute() {
        return SUCCESS;
    }

}


When a user registers, they first access http://xxx.xxx.xxx/member.do?method=register to fill in the registration, then http://xxx.xxx.xxx/member.do?method=add to save the data. An attacker who understands the J2EE development process will immediately guess other method names for method=xxx (keywords such as list, getList) and reach the administrator-only operation: http://xxx.xxx.xxx/member.do?method=getList.


This is definitely not an accident. In real development, method names are not complicated: developers have used add, getList, delete and so on since they first learned the framework, so they come to depend on a near-enumerable set of keywords and it becomes a habit. Attackers who are familiar with this can guess the names easily.


It is important to note a major factor in this issue: the framework provides a convention for the operations on a business object (the framework does not force all operations into the same Action class), but in combination with the context, security issues arise easily. That is the main point of this post. Haha!
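The post only shows the vulnerable action. As an added example that is not part of the original post, here is a hardened arrangement for Struts 2: an interceptor that resolves which action method is about to run and checks it against an explicit allow-list of roles, denying anything not listed, so that guessing getList or delete no longer helps. It assumes a login action that stores the user's role in the session under the key "role" (a hypothetical name); the package, class and result names are made up for illustration, and the struts.xml wiring is shown in a comment because the block is Java. One caveat: the `?method=` URL style quoted above is the Struts 1 DispatchAction convention; Struts 2 reaches extra methods through dynamic method invocation (`member!getList.action`) or through the `method` attribute of an action mapping, and the interceptor below covers both because it reads the resolved method name from the ActionProxy rather than parsing the URL.

```java
// Added example, not code from the original post. Hypothetical package/class names.
package example.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Checks the action method that is about to run against an explicit allow-list
 * of roles. Anything not listed is denied, so a method the developer forgot to
 * think about (getList, delete, execute ...) fails closed instead of being
 * reachable by anyone who guesses its name.
 */
public class MethodAuthInterceptor extends AbstractInterceptor {

    private static final Logger LOG = Logger.getLogger(MethodAuthInterceptor.class.getName());

    // Session attribute written by the login action (assumed name, not from the page).
    static final String ROLE_KEY = "role";
    static final String ROLE_ANON = "anonymous";   // used when no session role is present
    static final String ROLE_MEMBER = "member";
    static final String ROLE_ADMIN = "admin";

    static final String RESULT_UNAUTHORIZED = "unauthorized";

    // "ActionClassSimpleName:methodName" -> roles allowed to invoke it.
    // Keyed on the action class rather than the URL mapping name, so the rule
    // holds no matter how many <action> mappings point at MemberAction.
    private static final Map<String, Set<String>> RULES = new HashMap<>();
    static {
        // C and U: reachable by ordinary users (registration is anonymous)
        allow("MemberAction", "register", ROLE_ANON, ROLE_MEMBER, ROLE_ADMIN);
        allow("MemberAction", "add",      ROLE_ANON, ROLE_MEMBER, ROLE_ADMIN);
        allow("MemberAction", "update",   ROLE_MEMBER, ROLE_ADMIN);
        // R and D: administrator only
        allow("MemberAction", "getList",  ROLE_ADMIN);
        allow("MemberAction", "delete",   ROLE_ADMIN);
        // "execute" is deliberately absent: the bare member URL is not an entry point.
    }

    private static void allow(String actionClass, String method, String... roles) {
        RULES.put(actionClass + ":" + method,
                  Collections.unmodifiableSet(new HashSet<>(Arrays.asList(roles))));
    }

    /** Pure decision function, kept apart from the interceptor so it can be unit-tested. */
    static boolean isAllowed(String actionClass, String method, String role) {
        Set<String> permitted = RULES.get(actionClass + ":" + method);
        return permitted != null && permitted.contains(role);
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionClass = invocation.getAction().getClass().getSimpleName();
        String method = invocation.getProxy().getMethod();   // resolved method, e.g. "getList"
        if (method == null || method.isEmpty()) {
            method = "execute";   // Struts 2 default when no method is given
        }

        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object role = session == null ? null : session.get(ROLE_KEY);
        String current = role == null ? ROLE_ANON : role.toString();

        if (!isAllowed(actionClass, method, current)) {
            // The action method never runs. The denied (class, method, role) triple is
            // also a detection signal: repeated denials for getList/delete from one
            // session look like method-name guessing.
            LOG.warning("denied " + actionClass + ":" + method + " for role " + current);
            return ROLE_ANON.equals(current) ? Action.LOGIN : RESULT_UNAUTHORIZED;
        }
        return invocation.invoke();
    }
}

/* struts.xml wiring (assumed layout, shown as a comment because it is XML):
   <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
   <package name="member" namespace="/" extends="struts-default">
     <interceptors>
       <interceptor name="methodAuth" class="example.security.MethodAuthInterceptor"/>
       <interceptor-stack name="secureStack">
         <interceptor-ref name="methodAuth"/>
         <interceptor-ref name="defaultStack"/>
       </interceptor-stack>
     </interceptors>
     <default-interceptor-ref name="secureStack"/>
     <global-results>
       <result name="login">/login.jsp</result>
       <result name="unauthorized">/403.jsp</result>
     </global-results>
     <action name="member" class="example.MemberAction" method="register">
       <result name="register">/register.jsp</result>
     </action>
     <action name="memberList" class="example.MemberAction" method="getList">
       <result name="list">/admin/list.jsp</result>
     </action>
     <!-- one explicit mapping per method; with DMI disabled only mapped names are
          reachable, and the interceptor still checks each of them -->
   </package>
*/
```

Two design choices matter here. The allow-list is deny-by-default, so a new method added to MemberAction next month is unreachable until someone consciously writes a rule for it, which is the opposite of the situation in the post, where every public method is reachable by default. And disabling dynamic method invocation plus using explicit mappings shrinks what a URL can name at all; the interceptor is the second layer, so that a mapping someone adds for convenience (or a wildcard `method="{1}"` mapping) is still gated by role.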


// The problem is almost too simple to describe, yet the people doing security deal with exactly these things over and over.
