SQL injection keywords
Statement
createStatement
like '%${
in(${
select
update
insert
statement, select, update, delete
MyBatis: ${}, $param$, select, update, delete
Cross-site scripting (XSS) test points
Is there a global XSS filter, and do its filtering rules meet the security requirements?
Is output encoded (HTML, JS, etc.)? (The JSTL <c:out> tag HTML-encodes the output string by default.)
Does the front end use a framework with built-in XSS protection such as AngularJS, React or Vue.js, and does the parameter output point fall within the framework's protection scope?
Is the parameter-submission interface of the rich-text editor protected by XSS filtering?
Command injection
Runtime.getRuntime().exec()
ProcessBuilder.start()
GroovyShell.evaluate()
XXE (XML external entity) vulnerabilities
javax.xml.parsers.DocumentBuilder
javax.xml.stream.XMLStreamReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
javax.xml.parsers.SAXParser
org.dom4j.io.SAXReader
org.xml.sax.XMLReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.TransformerFactory
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.bind.Unmarshaller
javax.xml.xpath.XPathExpression
DocumentBuilder
DocumentHelper.parseText
Server-side request forgery (SSRF)
HttpClient.execute
HttpClient.executeMethod
HttpURLConnection.connect
HttpURLConnection.getInputStream
URL.openStream
Socket
URL
ImageIO
HttpURLConnection
File upload keywords
org.apache.commons.fileupload
java.io.File
MultipartFile
RequestMethod
MultipartHttpServletRequest
CommonsMultipartResolver
JSP front-end/back-end interaction code
<%=
${
<c:if
<c:forEach
ModelAndView
ModelMap
Model
request.getParameter
request.setAttribute
response.getWriter().print()
response.getWriter().write()
Directory traversal
java.io.File used for file reads where the path is user-controllable
Judge by experience: Paths, path, System.getProperty("user.dir")
Route patterns such as path/* and file*
URL redirect
redirect
sendRedirect
ModelAndView
Location
addAttribute
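As an added example (not part of the original post), the following Python script turns a subset of the keyword lists above into a simple line-by-line grep over a constructed Java/MyBatis snippet, grouping hits by vulnerability class. The regexes, the class names and the sample code are assumptions; a hit only marks a sink to review, and whether its argument is user-controllable still has to be checked by hand.

```python
import re

# Sink keywords from the checklist above, one regex list per vulnerability class.
# This is a subset; the remaining keywords from the page can be added the same way.
SINKS = {
    "sqli": [r"createStatement", r"like\s+'%", r"in\s*\(\s*\$\{", r"\$\{"],
    "cmdi": [r"Runtime\.getRuntime\(\)\.exec\(", r"ProcessBuilder", r"GroovyShell"],
    "xxe": [r"DocumentBuilder", r"SAXReader", r"SAXBuilder", r"XMLStreamReader", r"Unmarshaller"],
    "ssrf": [r"HttpURLConnection", r"URL\.openStream", r"HttpClient\.execute", r"new\s+URL\(", r"ImageIO"],
    "upload": [r"MultipartFile", r"commons\.fileupload", r"CommonsMultipartResolver"],
    "traversal": [r"new\s+File\(", r"Paths\.get\(", r"user\.dir"],
    "redirect": [r"sendRedirect", r"\"redirect:", r"\"Location\""],
}

def scan_source(source: str):
    """Return (vulnerability_class, line_number, matched_text) for every line
    that contains a sink keyword; at most one hit per class per line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for vuln_class, patterns in SINKS.items():
            for pat in patterns:
                m = re.search(pat, line)
                if m:
                    hits.append((vuln_class, lineno, m.group(0)))
                    break
    return hits

def classes_hit(source: str):
    return {vuln_class for vuln_class, _, _ in scan_source(source)}

# Constructed sample (not real project code): each line is a typical audit
# finding for one class; the last line is a safe call that must not be flagged.
SAMPLE_JAVA = """\
Statement st = conn.createStatement();
st.executeQuery("select * from orders where name like '%" + name + "%'");
Runtime.getRuntime().exec("convert " + req.getParameter("path"));
DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
BufferedImage img = ImageIO.read(new URL(req.getParameter("img")));
File f = new File(baseDir, req.getParameter("name"));
response.sendRedirect(req.getParameter("next"));
<select id="byIds">select * from orders where id in (${ids})</select>
String safe = HtmlUtils.htmlEscape(req.getParameter("q"));
"""

if __name__ == "__main__":
    for vuln_class, lineno, kw in scan_source(SAMPLE_JAVA):
        print(f"line {lineno:2d}  {vuln_class:9s}  {kw}")
```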
Author: tea9
Permalink: http://tea9.github.io/post/4270118160.html
License: Copyright (c) 2017-2025 CC-BY-NC-4.0 LICENSE