Skip to content

java_sec_code_v20200407

Latest
Compare
Choose a tag to compare
@JoyChou93 JoyChou93 released this 07 Apr 12:57
· 23 commits to master since this release
  • Added Hook Socket function to solve SSRF DNS Rebinding bypass;
  • Fixed the bug that SSRF solution can cause DOS problem;
  • Fixed the bug that SSRF's internal network blacklist IP can be bypassed by 127.0.0.1;
  • Add the function of package uploading to dockerhub;
  • Added RCE vulnerability caused by xstream;
  • Added code injection vulnerability;
  • Added XXE vulnerability caused by XMLReader;
  • Added XXE vulnerability caused by DocumentHelper;
  • Added XXE vulnerability caused by poi-ooxml and xlsx-streamer;
  • Added JSON hijacking vulnerability caused by MappingJackson2JsonView;
  • Added Cors vulnerability code, and provide solution for verifying first-level domain names;
  • Added SSRF vulnerability caused by IOUtils and Jsoup;
  • Added Mybatis SQL injection vulnerability;
  • Added the security verification function of Content-Type for file upload;
  • Added the function of jumping to the page before login after login;
  • Added the security verification function of Ojbect automatically transferring to Jsonp;
  • Add relevant code for obtaining cookies;
  • Added getRequestURI () to cause permission bypass vulnerability;
  • Added storage XSS vulnerability;
  • The security configuration of SSRF and URL is changed from code to XML;

  • 新增Hook Socket功能解决SSRF DNS Rebinding绕过;
  • 修复SSRF解决方案可导致DOS问题的bug;
  • 修复SSRF的内网黑名单IP可被127.0.0.1绕过的bug;
  • 新增应用打包上传到dockerhub功能;
  • 新增xstream导致的RCE漏洞;
  • 新增代码注入漏洞;
  • 新增XMLReader导致的XXE漏洞;
  • 新增DocumentHelper导致的XXE漏洞;
  • 新增poi-ooxmlxlsx-streamer导致的XXE漏洞;
  • 新增MappingJackson2JsonView导致的JSON劫持漏洞;
  • 新增多处造成Cors的漏洞代码,并提供校验一级域名(默认只支持多级域名)防御方案;
  • 新增IOUtilsJsoup导致的SSRF漏洞;
  • 新增Mybatis SQL注入漏洞;
  • 新增文件上传对Content-Type的安全校验功能;
  • 新增页面登录后跳转到登录前的页面功能;
  • 新增Ojbect自动转Jsonp的安全校验功能;
  • 新增Cookie获取的相关方式代码;
  • 新增getRequestURI()导致权限绕过漏洞;
  • 新增存储型XSS漏洞;
  • SSRF和URL的安全配置从代码里变成XML里获取;