简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Home> 类库下载> java类库> body text

[Java] System vulnerability: Precautions for user operations after logging in

高洛峰
Release: 2016-10-13 12:50:53
Original
1616 people have browsed it

Project background:

SpringMVC + Mybatis + MySql database (javaWeb project development)

Related modules: login, personal details modification, order details query

Related vulnerability introduction:

 1. Login verification code: Login verification The code must be verified in the background. If the verification code is only verified in the front desk but not verified in the background, it may happen that after the verification code is verified for the first time, tools are used to bypass the verification code for brute force cracking;

  2. Interceptor: To verify After logging in, the interface name for personal information operations must be intercepted using /user or /admin. If the user is not logged in, it will automatically jump to the login page;

  3. Modification of personal details: The user's information must be stored in the session. , such as the user's id. When modifying personal information in this way, if it is a password-free interface (that is, no password is required to modify information), when modifying account information, be sure not to directly pass the user's id as a unique identifier. Use the user's When providing critical information, you can obtain the information of the currently logged-in user from the session to prevent a user with account 3000001 from modifying the personal information of a user with account 3000002 after logging in;

  4. Order details interface: If you are querying the user's order details, If you query only through the order ID, even if /user is added to the interface name and users who are not logged in are intercepted, it is possible that other users can query the details of orders other than their own after logging in. In this case, before querying the order details, you must verify that the order is the personal order of the currently logged in user, that is, verify that the ID in the session is consistent with the ID of the creator of the order; to prevent information leakage;

(Note: The above vulnerabilities have actually happened. I am posting this in the hope that other newbies will learn from it and also hope to share with more people the problems encountered during development)


Related labels:
【Java】系统漏洞:关于用户登录后操作的注意事项
source:php.cn
Previous article:Quick Sort (QuickSort)-Java implementation Next article:Java and regular expressions
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
2
1003
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
9
1075
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
974
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
838
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
912
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!