JoyChou93/trident
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10 Commits 1 Branch 0 Tags
349685fb86fb4a5ecc0dec67c18ce0d799289414
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
JoyChou 349685fb86 fix checkSSRF
2017-09-05 21:12:38 +08:00
.idea
fix checkSSRF
2017-09-05 21:12:38 +08:00
src/main/java
fix checkSSRF
2017-09-05 21:12:38 +08:00
target/classes
fix checkSSRF
2017-09-05 21:12:38 +08:00
.gitattributes
Initial commit
2017-09-05 17:08:44 +08:00
LICENSE
Initial commit
2017-09-05 17:08:44 +08:00
pom.xml
add checkUrl
2017-09-05 18:07:51 +08:00
README.md
fix checkSSRF
2017-09-05 21:12:38 +08:00
trident.iml
add checkUrl
2017-09-05 18:07:51 +08:00

README.md

Trident (三叉戟)

Java Code Security Component JAVA代码安全组件

URL白名单验证

验证逻辑

  1. 取URL一级域名
  2. 判断是否在域名白名单列表内

验证代码

合法URL返回true非法URL返回false

security checkUrl = new security();
String[] urlWList = {"joychou.com", "joychou.me"};
Boolean ret = checkUrl.checkUrlWlist("http://test.joychou.me", urlWList);
System.out.println(ret);

SSRF

JAVA默认dns请求会有30s的缓存所以默认不存在dns rebind问题。除非重新设置ttl为0。

验证逻辑

  1. 取URL的IP
  2. 判断IP是否是内网IP
  3. 判断是否是内网IP
  4. 请求URL
  5. 如果有跳转取出跳转URL执行1

验证代码

如果是内网IP返回false表示checkSSRF不通过。 否则返回true。即合法返回true。 URL只支持HTTP协议。

ret = checkUrl.checkSSRF("http://127.0.0.1");
System.out.println(ret);
Description
No description provided
Readme 96 KiB
Languages
Java 100%