[Java] System vulnerabilities: precautions for user logon operations (Java user logon)
Project background:
SpringMVC + MyBatis + MySQL database (Java web project development)
Related modules: logon, personal details modification, order details query
Related vulnerabilities:
1. Login verification code (CAPTCHA): the verification code must be checked on the back end. If it is only checked on the front end and never on the back end, an attacker can use a tool to bypass the verification code and brute-force the login;
2. Interceptor: every interface that operates on personal information must be named under /user or /admin so that the interceptor catches it. If the user is not logged on, the interceptor automatically redirects to the logon page;
3. Modifying personal details: the user's information, such as the user id, must be stored in the session. If a password-free interface is used (that is, the password is not required to modify the information), do not take the user id uploaded by the client as the unique identifier when modifying account information. Whenever key user information is needed, obtain the currently logged-on user from the session, so that a user logged on as account 3000001 cannot modify another user's personal information;
4. Order details interface: if order details are queried by order id alone, then even though adding /user to the interface name blocks users who are not logged on, a logged-on user may still be able to query the details of orders that are not their own. The order must therefore be verified as belonging to the current logged-on user before its details are queried, that is, check that the id in the session matches the id of the order's creator, to prevent information leakage;
(Note: the above vulnerabilities have actually occurred. I hope other new users can take the initiative and communicate with more people about the problems encountered in development.)
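Points 2 and 4 above, written out as an added Spring MVC example (not the original project's code): the interceptor guards /user/** and /admin/** by checking the session, and the order-details handler compares the session user id with the order's creator id before returning anything. OrderMapper, Order, selectById and getCreatorId are assumed names for the project's MyBatis mapper and model; ResponseStatusException assumes Spring 5 or later.

```java
import javax.servlet.http.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.*;

// Interceptor: every request under /user/** or /admin/** must carry a logged-on user in the session.
public class LoginInterceptor implements HandlerInterceptor {
    public static final String SESSION_USER_ID = "loginUserId"; // set by the login handler after a successful logon

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws Exception {
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(SESSION_USER_ID) == null) {
            resp.sendRedirect(req.getContextPath() + "/login"); // not logged on: jump to the logon page
            return false;
        }
        return true;
    }
}

@Configuration
class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Personal-information and admin interfaces all live under these two prefixes.
        registry.addInterceptor(new LoginInterceptor()).addPathPatterns("/user/**", "/admin/**");
    }
}

@RestController
class OrderController {
    private final OrderMapper orderMapper; // assumed MyBatis mapper exposing selectById(long)
    OrderController(OrderMapper orderMapper) { this.orderMapper = orderMapper; }

    @GetMapping("/user/order/{orderId}")
    public Order orderDetail(@PathVariable long orderId, HttpSession session) {
        // The owner comes from the session, never from a request parameter the client controls.
        Long currentUserId = (Long) session.getAttribute(LoginInterceptor.SESSION_USER_ID);
        Order order = orderMapper.selectById(orderId);
        // Ownership check: the order's creator id must equal the logged-on user's id;
        // answer 404 either way so a guessed id reveals nothing about other users' orders.
        if (order == null || !currentUserId.equals(order.getCreatorId())) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "order not found");
        }
        return order;
    }
}
```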