Jayway JsonPath参数走私导致的权限绕过分析<\/h1>

0x00 前言<\/h2>
本文详细分析由于JSON解析器差异导致的参数走私和权限绕过问题，重点探讨Jayway JsonPath与Jackson解析器的不同行为。<\/p>

0x01 背景知识<\/h2>

JSON解析器差异<\/h3>

Fastjson与Jackson的差异<\/strong>：<\/p>

Fastjson反序列化时对大小写不敏感<\/li>
Jackson默认大小写敏感（MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES<\/code>默认false）<\/li>
两者对重复键的处理：默认保留最后一个键值对<\/li> <\/ul> <\/li>
Spring Boot默认配置<\/strong>：<\/p> DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES<\/code>默认关闭<\/li> 通过JacksonAutoConfiguration<\/code>类配置<\/li> 使用Jackson2ObjectMapperBuilder<\/code>创建ObjectMapper<\/code><\/li> <\/ul> <\/li> <\/ol> 0x02 Jayway JsonPath解析分析<\/h2> 1.1 JsonSmartJsonProvider解析流程<\/h3> 入口点<\/strong>：<\/p> com.jayway.jsonpath.spi.json.JsonSmartJsonProvider#parse<\/code><\/li> 最终调用net.minidev.json.parser.JSONParserBase#parse<\/code><\/li> <\/ul> <\/li> 解析过程<\/strong>：<\/p> 读取第一个字符，准备开始解析<\/li> 调用readFirst<\/code>方法开始解析<\/li> 处理空白字符（空格、制表符、换行符等）<\/li> <\/ul> <\/li> 对象解析<\/strong>：<\/p> 遇到{<\/code>字符时调用readObject(mapper)<\/code><\/li> 检查解析深度（默认限制400）<\/li> 循环读取键值对<\/li> <\/ul> <\/li> 键值处理<\/strong>：<\/p> 引号处理：双引号或单引号<\/li> 非引号字符串使用readNQString(stopKey)<\/code><\/li> 包含转义字符\<\/code>时调用readString2<\/code><\/li> <\/ul> <\/li> 特殊字符处理<\/strong>：<\/p> ASCII控制字符（\u0000<\/code>到\u001f<\/code>）默认抛出异常<\/li> \u007F<\/code>（删除控制字符）会被跳过处理<\/li> <\/ul> <\/li> 值设置<\/strong>：<\/p> 使用Map维护键值对<\/li> 重复键值保留最后一个<\/li> <\/ul> <\/li> <\/ol> 1.2 与Jackson的解析差异<\/h3> 控制字符处理<\/strong>：<\/p> Jackson的ALLOW_UNESCAPED_CONTROL_CHARS<\/code>默认false<\/li> 遇到未转义控制字符会抛出异常<\/li> <\/ul> <\/li> \u007F<\/code>处理<\/strong>：<\/p> JsonSmartJsonProvider会跳过<\/li> Jackson会正常处理<\/li> <\/ul> <\/li> <\/ol> 0x03 绕过技术分析<\/h2> 构造恶意请求<\/h3> 利用Unicode转义<\/strong>：<\/p> { <\/span><\/span> "activit\\u0079Id"<\/span>: 1<\/span>, <\/span><\/span> "activit\\u0079Id\u007F"<\/span>: 3<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 解析结果差异<\/strong>：<\/p> JsonSmartJsonProvider解析：将\u0079<\/code>解码为y<\/code><\/li> 跳过\u007F<\/code><\/li> 最终读取activityId<\/code>值为3<\/li> <\/ul> <\/li> Jackson解析：将\u0079<\/code>解码为y<\/code><\/li> 保留\u007F<\/code><\/li> 最终读取activityId<\/code>值为1<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 实际攻击场景<\/h3> 攻击流程<\/strong>：<\/p> 第一个参数设置他人资源ID<\/li> 第二个参数（含\u007F<\/code>）设置当前用户资源ID<\/li> 前端校验通过他人ID<\/li> 后端处理使用当前用户ID<\/li> <\/ul> <\/li> 代码示例<\/strong>：<\/p> String body =<\/span> "{\"activit\\u0079Id\":1,\"activit\\u0079Id\u007F\":3}"<\/span>;<\/span> <\/span><\/span> <\/span><\/span>\/\/ Jackson解析 <\/span><\/span><\/span><\/span>ObjectMapper objectMapper =<\/span> new<\/span> ObjectMapper();<\/span> <\/span><\/span>objectMapper.<\/span>configure<\/span>(<\/span>DeserializationFeature.<\/span>FAIL_ON_UNKNOWN_PROPERTIES<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span>User user =<\/span> objectMapper.<\/span>readValue<\/span>(<\/span>body,<\/span> User.<\/span>class<\/span>);<\/span> <\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"jackson parse result:"<\/span> +<\/span> user.<\/span>getActivityId<\/span>());<\/span> \/\/ 输出1 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ JsonSmartJsonProvider解析 <\/span><\/span><\/span><\/span>DocumentContext context =<\/span> JsonPath.<\/span>parse<\/span>(<\/span>body);<\/span> <\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"JsonSmartJsonProvider parse result:"<\/span> +<\/span> <\/span><\/span> (<\/span>String)<\/span>context.<\/span>read<\/span>(<\/span>"$.activityId"<\/span>,<\/span> String.<\/span>class<\/span>,<\/span> new<\/span> Predicate[<\/span>0<\/span>]));<\/span> \/\/ 输出3 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x04 防御措施<\/h2> 统一解析器<\/strong>：<\/p> 配置JsonPath使用Jackson解析器： Configuration.<\/span>setDefaults<\/span>(<\/span>new<\/span> Configuration.<\/span>Defaults<\/span>()<\/span> {<\/span> <\/span><\/span> private<\/span> final<\/span> JsonProvider jsonProvider =<\/span> new<\/span> JacksonJsonProvider();<\/span> <\/span><\/span> private<\/span> final<\/span> MappingProvider mappingProvider =<\/span> new<\/span> JacksonMappingProvider();<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> JsonProvider jsonProvider<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> jsonProvider;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> MappingProvider mappingProvider<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> mappingProvider;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> Set<<\/span>Option><\/span> options<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> EnumSet.<\/span>noneOf<\/span>(<\/span>Option.<\/span>class<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>});<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 输入验证<\/strong>：<\/p> 过滤控制字符<\/li> 验证参数格式和内容<\/li> <\/ul> <\/li> 安全配置<\/strong>：<\/p> 启用FAIL_ON_UNKNOWN_PROPERTIES<\/code><\/li> 配置严格的JSON解析选项<\/li> <\/ul> <\/li> <\/ol> 0x05 总结<\/h2> 本文详细分析了由于Jayway JsonPath与Jackson解析器差异导致的参数走私问题，重点介绍了利用Unicode控制字符实现的权限绕过技术。防御的关键在于保持JSON解析模式的一致性，并实施严格的输入验证。<\/p>

Jayway JsonPath参数走私导致的权限绕过分析<\/h1>

0x00 前言<\/h2> 本文详细分析由于JSON解析器差异导致的参数走私和权限绕过问题，重点探讨Jayway JsonPath与Jackson解析器的不同行为。<\/p>

0x01 背景知识<\/h2>

0x02 Jayway JsonPath解析分析<\/h2>

0x03 绕过技术分析<\/h2>

0x05 总结<\/h2> 本文详细分析了由于Jayway JsonPath与Jackson解析器差异导致的参数走私问题，重点介绍了利用Unicode控制字符实现的权限绕过技术。防御的关键在于保持JSON解析模式的一致性，并实施严格的输入验证。<\/p>

0x00 前言<\/h2>
本文详细分析由于JSON解析器差异导致的参数走私和权限绕过问题，重点探讨Jayway JsonPath与Jackson解析器的不同行为。<\/p>

0x05 总结<\/h2>
本文详细分析了由于Jayway JsonPath与Jackson解析器差异导致的参数走私问题，重点介绍了利用Unicode控制字符实现的权限绕过技术。防御的关键在于保持JSON解析模式的一致性，并实施严格的输入验证。<\/p>