Fixing a WebSocket authentication vulnerability that leaks user information

Background

During a penetration test of an app submitted by a subsidiary, we decompiled it and found that when the app connects to the WebSocket server to receive messages, it authenticates with a username and password, and that the plaintext username and password are hard-coded in the app's source, as shown in the figure below.

Remediation advice

For authentication over the ws protocol we recommend a token-based mechanism, for example:

import java.security.Principal;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.server.HandshakeInterceptor;
import org.springframework.web.socket.server.support.DefaultHandshakeHandler;

@Configuration
@EnableWebSocketMessageBroker
public class WSContraller extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {

        registry.addEndpoint("/endPoint").addInterceptors(
                new HandshakeInterceptor() {

                    @Override
                    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                            WebSocketHandler handler, Exception e) {}

                    @Override
                    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                            WebSocketHandler handler, Map<String, Object> map) throws Exception {
                        ServletServerHttpRequest req = (ServletServerHttpRequest) request;
                        String token = req.getServletRequest().getParameter("token");
                        // check whether the token is valid
                        boolean isPass = CommonUtil.checkToken(token);
                        if (isPass) {
                            // business logic: resolve the user behind the token and store it under
                            // the "user" attribute so that determineUser() below can return it
                            //......
                        }
                        // returning false aborts the handshake, so an invalid token never
                        // gets a socket; the original always returned false and rejected everyone
                        return isPass;
                    }
                }
        ).setHandshakeHandler(
                new DefaultHandshakeHandler() {
                    @Override
                    protected Principal determineUser(ServerHttpRequest request, WebSocketHandler wsHandler,
                            Map<String, Object> attributes) {
                        // set the authenticated user for this session
                        return (Principal) attributes.get("user");
                    }
                }
        // "*" accepts handshakes from any Origin; restrict this to your own origins in production
        ).setAllowedOrigins("*").withSockJS();
    }
}
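The snippet above leaves CommonUtil.checkToken unspecified. The following is an added example (not the original post's code and not part of any real CommonUtil) of one way such a check can be implemented: a stateless token that the server issues after the normal login, carrying the username, an expiry time and an HMAC-SHA256 signature. The class name HandshakeToken, the token layout and the demo secret are assumptions made for this example; in a real deployment the secret comes from configuration or a secret store, never from the app binary.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical stateless handshake token: base64url(user).expiryMillis.base64url(hmac). */
public final class HandshakeToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private HandshakeToken() {}

    /** Issues a short-lived token for a user that the regular login flow has already authenticated. */
    public static String issue(String username, long ttlMillis, byte[] secret, long nowMillis) throws Exception {
        long expiry = nowMillis + ttlMillis;
        String payload = B64.encodeToString(username.getBytes(StandardCharsets.UTF_8)) + "." + expiry;
        return payload + "." + B64.encodeToString(hmac(payload, secret));
    }

    /** Returns the username when the signature verifies and the token is not expired, otherwise empty. */
    public static Optional<String> verify(String token, byte[] secret, long nowMillis) throws Exception {
        if (token == null) return Optional.empty();
        String[] parts = token.split("\\.");
        if (parts.length != 3) return Optional.empty();
        String payload = parts[0] + "." + parts[1];
        byte[] expected = hmac(payload, secret);
        byte[] given;
        long expiry;
        try {
            given = B64D.decode(parts[2]);
            expiry = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) {  // NumberFormatException is a subclass
            return Optional.empty();
        }
        // verify the signature first (constant-time), then trust the expiry field it covers
        if (!MessageDigest.isEqual(expected, given)) return Optional.empty();
        if (nowMillis >= expiry) return Optional.empty();
        return Optional.of(new String(B64D.decode(parts[0]), StandardCharsets.UTF_8));
    }

    private static byte[] hmac(String data, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(secret, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // constructed demo values; a real secret is loaded server-side, not embedded in a client
        byte[] secret = "constructed-demo-secret-do-not-reuse".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000_000L;
        String token = issue("alice", 60_000, secret, now);

        System.out.println("fresh    -> " + verify(token, secret, now + 1_000));   // Optional[alice]
        System.out.println("expired  -> " + verify(token, secret, now + 61_000));  // Optional.empty

        // tampered signature: same payload, signature replaced
        String tampered = token.substring(0, token.lastIndexOf('.')) + ".AAAA";
        System.out.println("tampered -> " + verify(tampered, secret, now));        // Optional.empty

        // wrong key: a token issued by someone without the server secret
        String forged = issue("alice", 60_000, "other-secret".getBytes(StandardCharsets.UTF_8), now);
        System.out.println("forged   -> " + verify(forged, secret, now));          // Optional.empty
    }
}
```

Inside beforeHandshake, CommonUtil.checkToken(token) would become HandshakeToken.verify(token, secret, System.currentTimeMillis()), and on success the returned username is wrapped in a Principal and stored as map.put("user", principal) so that determineUser() can pick it up. Because the token travels in the query string and therefore ends up in access logs and proxies, keep the TTL short, issue it only over HTTPS after the normal login, and avoid reusing the user's long-lived session credential as the WebSocket token.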

zhutougg
