CORS跨域漏洞修复

漏洞介绍
概述：CORS，跨域资源共享（Cross-origin resource sharing），是H5提供的一种机制，WEB应用程序可以通过在HTTP增加字段来告诉浏览器，哪些不同来源的服务器是有权访问本站资源的，当不同域的请求发生时，就出现了跨域的现象。当该配置不当的时候，就导致资源被恶意操作
潜在危害：中

---

测试方法
1、可以通过浏览器的控制台的network，查看接口的请求包response头中Access-Control-Allow-Origin是否设置为*

2、 也可以通过抓包工具，查看接口返回的response中是Access-Control-Allow-Origin是否设置为*

漏洞案例
1、配置Access-Control-Allow-Origin为 *

 

2、配置Access-Control-Allow-Origin 但是该值可控

---

修复方案

tomcat CORS的配置

使用过滤器进行配置，代码如下：

package filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.http.HTTPException;

@WebFilter("/Cors")
public class CorsFilter implements Filter {

/**
     * Default constructor. 
     */
    public FilterConfig config;

 public CorsFilter() {
        // TODO Auto-generated constructor stub
    }

   /**
     * @see Filter#destroy()
     */
    public void destroy() {
        // TODO Auto-generated method stub
        this.config = null;
    }

  /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        //配置可信域名
        String[]  authhosts = {"http://www.abc.com:8008","http://www.abcyy.com"};
        String authost = "";
        HttpServletRequest httprequest = (HttpServletRequest) request;
        String origin = httprequest.getHeader("origin"); 
        HttpServletResponse httpresponse  =  (HttpServletResponse) response;
        if(origin != null &&  !Arrays.asList(authhosts).contains(origin)) {
            httpresponse.sendError(403);
            return;
        }
        else {
            for(int i=0;i<authhosts.length;i++) {
                if(i!=authhosts.length - 1) {
                    authost = authost + authhosts[i]+",";
                }else {
                    authost = authost + authhosts[i];
                }
            }
            httpresponse.addHeader("Access-Control-Allow-Origin", authost);
            httpresponse.addHeader("Access-Control-Allow-Methods",
                    "GET, POST");
            httpresponse.addHeader("Access-Control-Allow-Headers",
                    "origin, content-type, accept, x-requested-with, sid, mycustom, smuser");
                chain.doFilter(request, response);
        }

   }



  @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO 自动生成的方法存根
    }
}

nginx CORS配置

ocation / {
    set $flag 0;
    if ($http_origin = '')
    {
        set $flag "${flag}1";
    }
    if ($http_origin !~* ^(http|https)://www.abc.com$){
        set $flag "${flag}1";
    }
    if ($flag = "01"){
        return 403;
    }
    if ($http_origin ~* ^(http|https)://www.abc.com$) {
        add_header Access-Control-Allow-Origin $http_origin;
        add_header Access-Control-Allow-Methods GET,POST;
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Allow-Headers DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type;
   }
}