Secure Code Review #1: Basics (Getting Started)
2023-10-23 23:12:18 Author: infosecwriteups.com

1. XSS

  • PHP
<?php
// Assume $_GET['user_input'] is some input from the user
// Echoed into the page with no htmlspecialchars(): reflected XSS
echo $_GET['user_input'];
?>
  • Java (using JSP)
<%@ page import="java.util.*" %>
<html>
<body>
<%-- The request parameter is written into the page unescaped --%>
<%= request.getParameter("user_input") %>
</body>
</html>
  • .NET
<%@ Page Language="C#" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e) {
    // Query-string value written straight into the response body, not HTML-encoded
    Response.Write(Request.QueryString["user_input"]);
}
</script>
<html>
<body>
</body>
</html>
  • Node.js
const express = require('express');
const app = express();

app.set('view engine', 'ejs');

app.get('/', (req, res) => {
    // Raw query value passed to the template; whether it is escaped depends on the EJS tag used in the view
    res.render('index', { user_input: req.query.user_input });
});

app.listen(3000, () => {
console.log('Server is running on port 3000');
});

<%# index.ejs, rendered by res.render('index') above. <%- %> inserts the value unescaped; <%= %> would HTML-escape it %>
<html>
<body>
<%- user_input %>
</body>
</html>

2. IDOR

  • PHP
<?php
// Assuming a request to get a user's profile information
// user_id is taken straight from the request: nothing checks that the caller may view this profile (IDOR),
// and the value is also interpolated into the SQL string unescaped (SQL injection as well)
$user_id = $_GET['user_id'];
$query = "SELECT * FROM users WHERE id = '$user_id'";
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result);
echo "User Profile: " . $row['profile'];
?>
  • Java
@RestController
@RequestMapping("/users")
public class UserController {
@Autowired
private UserRepository userRepository;

@GetMapping("/{id}")
// Any caller can request any id; nothing ties {id} to the authenticated user
public User getUser(@PathVariable Long id) {
return userRepository.findById(id).orElse(null);
}
}

  • .NET
[HttpGet("{id}")]
// Looks the record up by the caller-supplied id with no ownership or role check
public async Task<IActionResult> GetUser(int id)
{
var user = await _context.Users.FindAsync(id);
if (user == null)
{
return NotFound();
}
return Ok(user);
}
  • Node.js
const express = require('express');
const app = express();
const users = require('./userModel');

app.get('/users/:id', (req, res) => {
    // The id comes from the URL unvalidated and is never compared with the logged-in user
    const userId = req.params.id;
    users.findById(userId, (err, user) => {
if (err) {
return res.status(500).send(err);
}
res.json(user);
});
});

app.listen(3000, () => {
console.log('Server is running on port 3000');
});
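
The Node.js IDOR handler above, reworked as an added example that is not from the original article: the vulnerable lookup beside a hardened one that validates the id and authorizes it against the session. The in-memory `users` map and the session objects are constructed sample data, and `getUserVulnerable` / `getUserSecure` are hypothetical names.

```javascript
// Added example, not code from the original article. The users store and
// sessions are constructed sample data so this runs without Express or a DB.
const users = new Map([
  [1, { id: 1, ownerId: 1, profile: 'alice profile' }],
  [2, { id: 2, ownerId: 2, profile: 'bob profile' }],
]);

// Vulnerable version: whoever supplies an id gets that record (IDOR).
function getUserVulnerable(session, rawId) {
  const user = users.get(Number(rawId));
  return user ? { status: 200, body: user } : { status: 404 };
}

// Hardened version: require an authenticated principal, validate the
// identifier, then authorize before returning anything. Not-found and
// not-owned both map to 404 so the response does not reveal which ids exist.
function getUserSecure(session, rawId) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401 };
  }
  // Accept only a plain positive integer; rejects "1 OR 1=1", "1e3", "" etc.
  if (!/^[1-9][0-9]*$/.test(String(rawId))) {
    return { status: 400 };
  }
  const id = Number(rawId);
  const user = users.get(id);
  // Ownership check. In a real application fold this into the query
  // (WHERE id = ? AND owner_id = ?) so it cannot be skipped on another path.
  if (!user || user.ownerId !== session.userId) {
    return { status: 404 };
  }
  return { status: 200, body: user };
}
```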

3. RCE

  • PHP: unsafe use of eval() or system() functions with user-controlled input.
  • Java: misconfigurations or insecure deserialization with user-controlled input using libraries like Apache Commons Collections.
  • .NET: insecure use of System.Reflection or deserialization vulnerabilities with user-controlled input.
  • Node.js: misusing the eval() function or executing shell commands with user-controlled input using child_process.exec().

Article source: https://infosecwriteups.com/secure-code-review-1-basics-getting-started-04e1e83e0050?source=rss----7b722bfd1b8d--bug_bounty