Java Sec Code Versions Save

Java web common vulnerabilities and security code which is base on springboot and spring security

v2.0.0

4 years ago
  • Added Hook Socket function to solve SSRF DNS Rebinding bypass;
  • Fixed the bug that SSRF solution can cause DOS problem;
  • Fixed the bug that SSRF's internal network blacklist IP can be bypassed by 127.0.0.1;
  • Add the function of package uploading to dockerhub;
  • Added RCE vulnerability caused by xstream;
  • Added code injection vulnerability;
  • Added XXE vulnerability caused by XMLReader;
  • Added XXE vulnerability caused by DocumentHelper;
  • Added XXE vulnerability caused by poi-ooxml and xlsx-streamer;
  • Added JSON hijacking vulnerability caused by MappingJackson2JsonView;
  • Added Cors vulnerability code, and provide solution for verifying first-level domain names;
  • Added SSRF vulnerability caused by IOUtils and Jsoup;
  • Added Mybatis SQL injection vulnerability;
  • Added the security verification function of Content-Type for file upload;
  • Added the function of jumping to the page before login after login;
  • Added the security verification function of Ojbect automatically transferring to Jsonp;
  • Add relevant code for obtaining cookies;
  • Added getRequestURI () to cause permission bypass vulnerability;
  • Added storage XSS vulnerability;
  • The security configuration of SSRF and URL is changed from code to XML;
  • 新增Hook Socket功能解决SSRF DNS Rebinding绕过;
  • 修复SSRF解决方案可导致DOS问题的bug;
  • 修复SSRF的内网黑名单IP可被127.0.0.1绕过的bug;
  • 新增应用打包上传到dockerhub功能;
  • 新增xstream导致的RCE漏洞;
  • 新增代码注入漏洞;
  • 新增XMLReader导致的XXE漏洞;
  • 新增DocumentHelper导致的XXE漏洞;
  • 新增poi-ooxmlxlsx-streamer导致的XXE漏洞;
  • 新增MappingJackson2JsonView导致的JSON劫持漏洞;
  • 新增多处造成Cors的漏洞代码,并提供校验一级域名(默认只支持多级域名)防御方案;
  • 新增IOUtilsJsoup导致的SSRF漏洞;
  • 新增Mybatis SQL注入漏洞;
  • 新增文件上传对Content-Type的安全校验功能;
  • 新增页面登录后跳转到登录前的页面功能;
  • 新增Ojbect自动转Jsonp的安全校验功能;
  • 新增Cookie获取的相关方式代码;
  • 新增getRequestURI()导致权限绕过漏洞;
  • 新增存储型XSS漏洞;
  • SSRF和URL的安全配置从代码里变成XML里获取;

v1.0.1

4 years ago
  • Add login authentication system using spring-security.
  • Add global CSRF and Referer check variables and switch in application.properties.
  • Add pathTravelsal vulnerability and security code.
  • Add Sql Injection using mybatis.
  • Add rememberMe deserialize vulnerability and override resolveClass method to prevent deserialize.
  • Add SSTI vulnerability of velocity.
  • Add json convert to jsonp function.
  • Add httpclient SSRF vulnerability code.
  • Add SSRF checker.
  • 新增登录系统通过spring-security
  • 添加全局的CSRF和Referer检测的开关和变量。
  • 新增路径遍历漏洞和安全代码;
  • 新增使用mybatis的SQL注入;
  • 新增rememberMe的反序列化漏洞和利用覆盖resolveClass方法来防御反序列化;
  • 新增velocity导致的SSTI漏洞;
  • 新增JSON自动转换为JSONP功能;
  • 新增老版本httpclient的SSRF漏洞;
  • 新增SSRF安全Checker类;

v1.0.0

4 years ago

java_sec_code_v20190621