Secure Code Review #1: Basics (Getting Started)
2023-10-23 23:12:18 Author: infosecwriteups.com(查看原文) 阅读量:10 收藏
  1. XSS
  • PHP
<?php
// Assume $_GET['user_input'] is some input from the user
echo $_GET['user_input'];
?>
  • Java (using JSP)
<%@ page import="java.util.*" %>
<html>
  <body>
    <%= request.getParameter("user_input") %>
  </body>
</html>
  • .NET
<%@ Page Language="C#" %>
<script runat="server">
  protected void Page_Load(object sender, EventArgs e) {
    Response.Write(Request.QueryString["user_input"]);
  }
</script>
<html>
  <body>
  </body>
</html>
  • Node.js
const express = require('express');
const app = express();
app.set('view engine', 'ejs');
app.get('/', (req, res) => {
  res.render('index', { user_input: req.query.user_input });
});
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
<html>
  <body>
    <%- user_input %>
  </body>
</html>

2. IDOR

  • PHP
<?php
// Assuming a request to get a user's profile information
$user_id = $_GET['user_id'];
$query = "SELECT * FROM users WHERE id = '$user_id'";
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result);
echo "User Profile: " . $row['profile'];
?>
  • JAVA
@RestController
@RequestMapping("/users")
public class UserController {
    @Autowired
    private UserRepository userRepository;
    @GetMapping("/{id}")
    public User getUser(@PathVariable Long id) {
        return userRepository.findById(id).orElse(null);
    }
}
  • .NET
[HttpGet("{id}")]
public async Task<IActionResult> GetUser(int id)
{
    var user = await _context.Users.FindAsync(id);
    if (user == null)
    {
        return NotFound();
    }
    return Ok(user);
}
  • Node.js
const express = require('express');
const app = express();
const users = require('./userModel');
app.get('/users/:id', (req, res) => {
    const userId = req.params.id;
    users.findById(userId, (err, user) => {
        if (err) {
            return res.status(500).send(err);
        }
        res.json(user);
    });
});
app.listen(3000, () => {
    console.log('Server is running on port 3000');
});

3. RCE

  1. Remote Code Execution (RCE) in PHP:
  • Unsafe use of eval() or system() functions with user-controlled input.

2. RCE in Java:

  • Misconfigurations or insecure deserialization with user-controlled input using libraries like Apache Commons Collections.

3. RCE in .NET:

  • Insecure use of System.Reflection or deserialization vulnerabilities with user-controlled input.

4. RCE in Node.js:

  • Misusing the eval() function or executing shell commands with user-controlled input using child_process.exec().

文章来源: https://infosecwriteups.com/secure-code-review-1-basics-getting-started-04e1e83e0050?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh