Background
During a penetration test of an APP submitted by a subsidiary, decompiling the APP showed that, when it connects to the WebSocket server to receive messages, it authenticates with a username and password, and that this username and password are written in plaintext in the APP code, where anyone who decompiles the APP can read them. As shown in the figure below.
Remediation advice
Authentication over the ws protocol should instead rely on a generated token that the server validates during the handshake, for example:
import java.security.Principal;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.server.HandshakeInterceptor;
import org.springframework.web.socket.server.support.DefaultHandshakeHandler;

@Configuration
@EnableWebSocketMessageBroker
public class WSContraller extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/endPoint")
            .addInterceptors(new HandshakeInterceptor() {
                @Override
                public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                           WebSocketHandler handler, Exception e) {
                }

                @Override
                public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                               WebSocketHandler handler, Map<String, Object> map) throws Exception {
                    ServletServerHttpRequest req = (ServletServerHttpRequest) request;
                    String token = req.getServletRequest().getParameter("token");
                    // check whether the token is valid
                    boolean isPass = CommonUtil.checkToken(token);
                    if (isPass) {
                        // business logic; put the authenticated Principal into the
                        // handshake attributes here so determineUser() below can read it:
                        // map.put("user", principal);
                        // ......
                    }
                    // the handshake is accepted only when the token check passed
                    // (the original returned false unconditionally, rejecting every connection)
                    return isPass;
                }
            })
            .setHandshakeHandler(new DefaultHandshakeHandler() {
                @Override
                protected Principal determineUser(ServerHttpRequest request, WebSocketHandler wsHandler,
                                                  Map<String, Object> attributes) {
                    // set the authenticated user
                    return (Principal) attributes.get("user");
                }
            })
            // "*" accepts any Origin; restrict this to the APP's own origins in production
            .setAllowedOrigins("*")
            .withSockJS();
    }
}
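The snippet above leaves CommonUtil.checkToken undefined. The following added example (not code from the original post) shows one way such a token can be issued and verified: a short-lived, HMAC-SHA256-signed token whose secret lives only on the server, so nothing that could be replayed indefinitely has to be embedded in the APP. The class name WsTokenUtil, the TTL and the secret placeholder are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class WsTokenUtil {
    // Hypothetical server-side secret: load it from a secret store, never ship it in APP code.
    private static final byte[] SECRET = "replace-with-random-server-secret".getBytes(StandardCharsets.UTF_8);
    private static final long TTL_MILLIS = 5 * 60 * 1000L; // handshake tokens are short-lived

    // token = base64url(user:expiry) + "." + base64url(HMAC-SHA256(base64url(user:expiry)))
    public static String issueToken(String user, long nowMillis) throws Exception {
        String payload = user + ":" + (nowMillis + TTL_MILLIS);
        String p = Base64.getUrlEncoder().withoutPadding().encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return p + "." + hmac(p);
    }

    // Returns the authenticated user name, or null if the token is malformed, forged or expired.
    public static String checkToken(String token, long nowMillis) throws Exception {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        String p = token.substring(0, dot);
        String sig = token.substring(dot + 1);
        // verify the signature first, with a constant-time comparison, before trusting the payload
        if (!MessageDigest.isEqual(hmac(p).getBytes(StandardCharsets.UTF_8), sig.getBytes(StandardCharsets.UTF_8))) return null;
        try {
            String payload = new String(Base64.getUrlDecoder().decode(p), StandardCharsets.UTF_8);
            int sep = payload.lastIndexOf(':');
            if (sep <= 0) return null;
            long expiry = Long.parseLong(payload.substring(sep + 1));
            return nowMillis < expiry ? payload.substring(0, sep) : null;
        } catch (IllegalArgumentException e) { // bad base64 or non-numeric expiry
            return null;
        }
    }

    private static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String t = issueToken("alice", now);
        System.out.println(checkToken(t, now));                  // valid token
        System.out.println(checkToken(t + "x", now));            // tampered signature
        System.out.println(checkToken(t, now + TTL_MILLIS + 1)); // expired token
    }
}
```

In the interceptor, the user name returned by checkToken is what should be wrapped in a Principal and stored under "user" in the handshake attributes; because the token travels as a query parameter, keep its lifetime short and make sure the endpoint is served over wss so it does not appear in plaintext on the wire.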