Java代码审计全面指南<\/h1>

1. Java编译与反编译<\/h2>

1.1 Java编译过程<\/h3>

Java源代码 → (编译) → Java字节码 → (解释器) → 机器码<\/li>

字节码优势：高效、可移植性高<\/li> <\/ul>

1.2 反编译工具<\/h3>

Fernflower<\/li>
JAD<\/li>
JD-GUI<\/li>

IDEA自带插件<\/li> <\/ul>

2. Servlet与JSP<\/h2>

2.1 Servlet<\/h3>

处理复杂服务端业务逻辑<\/li>
含有HttpServlet类，可进行重写<\/li>
Servlet 3.0后使用注解方式描述Servlet<\/li>

3.0前必须在web.xml中配置<\/li> <\/ul>

2.2 JSP<\/h3>

会被编译成Java类文件<\/li>
是特殊的Servlet<\/li>

在Tomcat中Jasper编译后生成

_jsp.java<\/code>和_jsp.class<\/code>文件<\/li>
<\/ul>
3. 全局控制器与过滤器<\/h2>
3.1 全局控制器搜索<\/h3>
find ~\/cms\/ -type f -name "*.class"<\/span> | xargs grep -E "Controller|@RestController|RepositoryRestController"<\/span>
<\/span><\/span>find ~\/cms\/ -type f -name "*.class"<\/span> | xargs grep -E "RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping|RepositoryRestResource"<\/span>
<\/span><\/span><\/code><\/pre>3.2 全局过滤器<\/h3>

审计时先检查是否存在全局过滤器<\/li>
常见写法：<\/li>
<\/ul>
<filter><\/span>
<\/span><\/span>  <filter-name><\/span>SecurityFilter<\/filter-name><\/span>
<\/span><\/span>  <filter-class><\/span>com.example.SecurityFilter<\/filter-class><\/span>
<\/span><\/span>  <init-param><\/span>
<\/span><\/span>    <param-name><\/span>sqlInjIgnoreUrls<\/param-name><\/span>
<\/span><\/span>    <param-value><\/span>.*\/api\/.*<\/param-value><\/span>
<\/span><\/span>  <\/init-param><\/span>
<\/span><\/span><\/filter><\/span>
<\/span><\/span><filter-mapping><\/span>
<\/span><\/span>  <filter-name><\/span>SecurityFilter<\/filter-name><\/span>
<\/span><\/span>  <url-pattern><\/span>\/*<\/url-pattern><\/span>
<\/span><\/span><\/filter-mapping><\/span>
<\/span><\/span><\/code><\/pre>4. 常见漏洞类型<\/h2>
4.1 代码实现安全问题<\/h3>

任意文件操作(上传\/下载\/遍历\/删除\/重命名)<\/li>
SQL注入<\/li>
XXE(XML实体注入)<\/li>
表达式执行(SpEL\/OGNL\/MVEL2\/EL)<\/li>
系统命令执行(ProcessBuilder)<\/li>
反序列化攻击<\/li>
Java反射攻击<\/li>
SSRF<\/li>
XSS<\/li>
<\/ul>
4.2 业务安全问题<\/h3>

认证\/授权缺陷<\/li>
验证码缺陷<\/li>
密码找回逻辑问题<\/li>
支付逻辑缺陷<\/li>
ORM框架误用<\/li>
CSRF漏洞<\/li>
前端信任问题<\/li>
敏感信息泄露<\/li>
条件竞争<\/li>
请求频率限制缺失<\/li>
弱加密算法<\/li>
<\/ul>
5. SQL注入审计<\/h2>
5.1 直接拼接风险<\/h3>
String sql =<\/span> "SELECT * FROM users WHERE username = '"<\/span> +<\/span> request.<\/span>getParameter<\/span>(<\/span>"name"<\/span>)<\/span> +<\/span> "'"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>5.2 预编译使用错误<\/h3>
\/\/ 错误示例：占位符但未使用set方法
<\/span><\/span><\/span><\/span>PreparedStatement st =<\/span> conn.<\/span>prepareStatement<\/span>(<\/span>"SELECT * FROM users WHERE username = ?"<\/span>);<\/span>
<\/span><\/span>st.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> request.<\/span>getParameter<\/span>(<\/span>"name"<\/span>));<\/span>  \/\/ 必须使用set方法
<\/span><\/span><\/span><\/code><\/pre>5.3 MyBatis框架审计<\/h3>

搜索$<\/code>符号<\/li>
#{}<\/code>安全，${}<\/code>存在风险<\/li>
模糊查询风险：like '%${xxx}%'<\/code><\/li>
无需引号处风险：in(${xxx})<\/code>或order by ${xxx}<\/code><\/li>
<\/ul>
6. 表达式注入(SpEL\/OGNL)<\/h2>
6.1 SpEL注入示例<\/h3>
String el =<\/span> "T(java.lang.Runtime).getRuntime().exec(\"open \/tmp\")"<\/span>;<\/span>
<\/span><\/span>ExpressionParser PARSER =<\/span> new<\/span> SpelExpressionParser();<\/span>
<\/span><\/span>Expression exp =<\/span> PARSER.<\/span>parseExpression<\/span>(<\/span>el);<\/span>
<\/span><\/span>exp.<\/span>getValue<\/span>();<\/span>  \/\/ 执行命令
<\/span><\/span><\/span><\/code><\/pre>6.2 审计要点<\/h3>

检查SpelExpressionParser<\/code>使用处<\/li>
检查表达式是否用户可控<\/li>
<\/ul>
7. XSS漏洞<\/h2>
7.1 示例代码<\/h3>
@RequestMapping<\/span>(<\/span>"\/xss"<\/span>)<\/span>
<\/span><\/span>public<\/span> ModelAndView xss<\/span>(<\/span>HttpServletRequest request)<\/span> {<\/span>
<\/span><\/span>    String name =<\/span> request.<\/span>getParameter<\/span>(<\/span>"name"<\/span>);<\/span>
<\/span><\/span>    ModelAndView mav =<\/span> new<\/span> ModelAndView(<\/span>"page"<\/span>);<\/span>
<\/span><\/span>    mav.<\/span>getModel<\/span>().<\/span>put<\/span>(<\/span>"uname"<\/span>,<\/span> name);<\/span>  \/\/ 未转义直接输出
<\/span><\/span><\/span><\/span>    return<\/span> mav;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>8. SSRF漏洞<\/h2>
8.1 风险代码<\/h3>
String url =<\/span> request.<\/span>getParameter<\/span>(<\/span>"picurl"<\/span>);<\/span>
<\/span><\/span>URL pic =<\/span> new<\/span> URL(<\/span>url);<\/span>
<\/span><\/span>HttpURLConnection con =<\/span> (<\/span>HttpURLConnection)<\/span> pic.<\/span>openConnection<\/span>();<\/span>
<\/span><\/span>BufferedReader in =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>con.<\/span>getInputStream<\/span>()));<\/span>
<\/span><\/span><\/code><\/pre>8.2 审计要点<\/h3>

检查支持的协议：file<\/code>\/ftp<\/code>\/http<\/code>\/https<\/code>等<\/li>
检查相关函数：

HttpClient.execute<\/code><\/li>
HttpURLConnection.connect<\/code><\/li>
URL.openStream<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
9. XXE漏洞<\/h2>
9.1 风险代码<\/h3>
SAXReader sax =<\/span> new<\/span> SAXReader();<\/span>
<\/span><\/span>Document document =<\/span> sax.<\/span>read<\/span>(<\/span>new<\/span> ByteArrayInputStream(<\/span>xmldata.<\/span>getBytes<\/span>()));<\/span>
<\/span><\/span><\/code><\/pre>9.2 修复方案<\/h3>
saxReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>saxReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>saxReader.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>10. 反序列化漏洞<\/h2>
10.1 风险点<\/h3>
InputStream in =<\/span> request.<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>in);<\/span>
<\/span><\/span>ois.<\/span>readObject<\/span>();<\/span>  \/\/ 反序列化用户可控数据
<\/span><\/span><\/span><\/code><\/pre>10.2 审计要点<\/h3>
检查以下方法：<\/p>

ObjectInputStream.readObject<\/code><\/li>
XMLDecoder.readObject<\/code><\/li>
Yaml.load<\/code><\/li>
XStream.fromXML<\/code><\/li>
ObjectMapper.readValue<\/code><\/li>
JSON.parseObject<\/code><\/li>
<\/ul>
10.3 修复方案<\/h3>

白名单校验<\/li>
使用ValidatingObjectInputStream<\/code><\/li>
<\/ul>
ValidatingObjectInputStream ois =<\/span> new<\/span> ValidatingObjectInputStream(<\/span>bais);<\/span>
<\/span><\/span>ois.<\/span>accept<\/span>(<\/span>SafeClass.<\/span>class<\/span>);<\/span>  \/\/ 只允许反序列化指定类
<\/span><\/span><\/span><\/code><\/pre>11. 文件操作漏洞<\/h2>
11.1 路径遍历<\/h3>
File file =<\/span> new<\/span> File(<\/span>request.<\/span>getParameter<\/span>(<\/span>"path"<\/span>));<\/span>
<\/span><\/span>\/\/ 应使用getCanonicalPath()而非getAbsolutePath()
<\/span><\/span><\/span><\/code><\/pre>11.2 ZIP文件提取风险<\/h3>
ZipEntry entry;<\/span>
<\/span><\/span>while<\/span> ((<\/span>entry =<\/span> zis.<\/span>getNextEntry<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>entry.<\/span>getName<\/span>());<\/span>  \/\/ 未校验路径
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>11.3 修复方案<\/h3>
File f =<\/span> new<\/span> File(<\/span>intendedDir,<\/span> entryName);<\/span>
<\/span><\/span>String canonicalPath =<\/span> f.<\/span>getCanonicalPath<\/span>();<\/span>
<\/span><\/span>if<\/span> (!<\/span>canonicalPath.<\/span>startsWith<\/span>(<\/span>intendedDirCanonicalPath))<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> IllegalStateException(<\/span>"非法路径"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>12. 第三方组件安全<\/h2>
12.1 常见风险组件<\/h3>

Struts2<\/li>
Fastjson<\/li>
不安全的编辑控件<\/li>
<\/ul>
12.2 审计方法<\/h3>

检查组件版本<\/li>
检查已知漏洞<\/li>
<\/ul>
13. 其他重要漏洞<\/h2>
13.1 URL重定向<\/h3>
String site =<\/span> request.<\/span>getParameter<\/span>(<\/span>"url"<\/span>);<\/span>
<\/span><\/span>response.<\/span>sendRedirect<\/span>(<\/span>site);<\/span>  \/\/ 未校验URL
<\/span><\/span><\/span><\/code><\/pre>13.2 Autobinding<\/h3>
@RequestMapping<\/span>(<\/span>"\/reset"<\/span>)<\/span>
<\/span><\/span>public<\/span> String resetHandler<\/span>(<\/span>@ModelAttribute<\/span> User user)<\/span> {<\/span>
<\/span><\/span>    \/\/ 可能绑定不需要的字段
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>13.3 WebService<\/h3>

检查?wsdl<\/code>接口<\/li>
使用BurpSuite WSDL插件测试<\/li>
<\/ul>
14. 审计工具与方法<\/h2>
14.1 代码搜索技巧<\/h3>

全局搜索关键字符串：sql<\/code>\/xml<\/code>\/Runtime.exec<\/code>等<\/li>
使用IDE的全局搜索功能<\/li>
<\/ul>
14.2 重点关注点<\/h3>

用户输入点<\/li>
外部数据解析<\/li>
敏感操作<\/li>
权限校验<\/li>
<\/ul>
15. 总结<\/h2>
Java代码审计需要全面考虑代码实现和业务逻辑两方面的安全问题，重点关注用户输入处理、数据解析、权限控制等关键环节，结合框架特性和业务场景进行深入分析。<\/p>

Java代码审计全面指南<\/h1>

1. Java编译与反编译<\/h2>

2. Servlet与JSP<\/h2>

3. 全局控制器与过滤器<\/h2>

4. 常见漏洞类型<\/h2>

5. SQL注入审计<\/h2>

6. 表达式注入(SpEL\/OGNL)<\/h2>

7. XSS漏洞<\/h2>

8. SSRF漏洞<\/h2>

9. XXE漏洞<\/h2>

10. 反序列化漏洞<\/h2>

11. 文件操作漏洞<\/h2>

12. 第三方组件安全<\/h2>

13. 其他重要漏洞<\/h2>

14. 审计工具与方法<\/h2>

15. 总结<\/h2> Java代码审计需要全面考虑代码实现和业务逻辑两方面的安全问题，重点关注用户输入处理、数据解析、权限控制等关键环节，结合框架特性和业务场景进行深入分析。<\/p>

15. 总结<\/h2>
Java代码审计需要全面考虑代码实现和业务逻辑两方面的安全问题，重点关注用户输入处理、数据解析、权限控制等关键环节，结合框架特性和业务场景进行深入分析。<\/p>