Project background:
SpringMVC + Mybatis + MySql database (javaWeb project development)
Related modules: login, personal details modification, order details query
Related vulnerability introduction:
1. Login verification code: Login verification The code must be verified in the background. If the verification code is only verified in the front desk but not verified in the background, it may happen that after the verification code is verified for the first time, tools are used to bypass the verification code for brute force cracking;
2. Interceptor: To verify After logging in, the interface name for personal information operations must be intercepted using /user or /admin. If the user is not logged in, it will automatically jump to the login page;
3. Modification of personal details: The user's information must be stored in the session. , such as the user's id. When modifying personal information in this way, if it is a password-free interface (that is, no password is required to modify information), when modifying account information, be sure not to directly pass the user's id as a unique identifier. Use the user's When providing critical information, you can obtain the information of the currently logged-in user from the session to prevent a user with account 3000001 from modifying the personal information of a user with account 3000002 after logging in;
4. Order details interface: If you are querying the user's order details, If you query only through the order ID, even if /user is added to the interface name and users who are not logged in are intercepted, it is possible that other users can query the details of orders other than their own after logging in. In this case, before querying the order details, you must verify that the order is the personal order of the currently logged in user, that is, verify that the ID in the session is consistent with the ID of the creator of the order; to prevent information leakage;
(Note: The above vulnerabilities have actually happened. I am posting this in the hope that other newbies will learn from it and also hope to share with more people the problems encountered during development)