Buffalo DWR Vulnerability

Compile JavaCodeWe may often use buffalo to call Ajax, and publish a Java code directly to be remotely called by Js.

Method. At the same time, we may ignore the security issue. If the Java code is not as simple as reading data, it is to delete and update the database.

Or file operation method.

 

Hackers are likely to launch attacks using the following code. If this method is used to delete key data, it is dangerous.

 

Public static void post () throws httpexception, ioexception
{

// Request address
String serviceurl = http: // ×××: 8080/AAA/bfapp/Buffalo/userservice;

// Request Parameters
String strrequest = "<buffalo-call> <method> method name </method> </buffalo-call> ";


Postmethod post = new postmethod (serviceurl );
Post. addrequestheader (new header ("X-Buffalo-version", "2.0 "));
Post. addrequestheader (new header ("Content-Type", "text/XML; charset = UTF-8 "));
Requestentity entity = new stringrequestentity (strrequest );
Post. setrequestentity (entity );

Httpclient = new httpclient ();
Try {
Int result = httpclient.exe cutemethod (post );
// Display status code
System. Out. println ("response status code:" + result );
// Display response
System. Out. println ("response body :");
System. Out. println (post. getresponsebodyasstring ());
} Finally {
// Release current connection to the connection pool once you are done
Post. releaseconnection ();
}
}

 

Therefore, we should pay attention to method protection when calling and using buffalo. It is best to perform method verification in Java code when it involves the delete operation.

The service that publishes data is written to a class.