CuteKe Website Development and Security 2: Recording the URL, and URLs That Do Not Match

    My CuteKe website has been online for a while. I had already set up access logging, but plain log files turned out to be hard to read, so I moved the access records into a database. In the past few days, however, I discovered a problem with the recorded URLs.

1. Recording the URL

    Let's first look at how the URL and the IP address are recorded:

1.1 Access Record Model

    Because we want to store the access record in the database, we first create the access record entity class. The VisitorLog code is as follows:

import java.io.Serializable;
import java.sql.Timestamp;
import java.util.Arrays;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.validation.constraints.NotEmpty;

@Entity
public class VisitorLog implements Serializable { // Serializable is required for serialVersionUID to mean anything
    private static final long serialVersionUID = 1L;

    @Id // primary key
    @GeneratedValue(strategy = GenerationType.IDENTITY) // auto-increment strategy
    private Long id; // unique identifier of the record

    @NotEmpty(message = "访问地址不能为空")
    @Column(nullable = false)
    private String url; // request URL as reconstructed by the servlet container

    @NotEmpty(message = "访问方法不能为空")
    @Column(nullable = false)
    private String httpMethod; // GET, POST, ...

    @NotEmpty(message = "IP地址不能为空")
    @Column(nullable = false)
    private String ip; // client IP after proxy filtering

    @NotEmpty(message = "IP地址映射的真实不能为空")
    @Column(nullable = false)
    private String trueAddress; // geographic location looked up from the IP

    @Column(nullable = false) // mapped to a column; value must not be null
    @org.hibernate.annotations.CreationTimestamp // creation time set automatically on insert
    private Timestamp visitTime;

    @NotEmpty(message = "后台访问方法不能为空")
    @Column(nullable = false)
    private String classMethod; // fully qualified controller method that handled the request

    @NotEmpty(message = "访问方法参数")
    @Column(nullable = false)
    private String getClassMethodArgs; // Arrays.toString() of the controller method arguments

    protected VisitorLog() {
        // required by JPA
    }

    public VisitorLog(String url, String httpMethod, String ip, String trueAddress, String classMethod, String getClassMethodArgs) {
        this.url = url;
        this.httpMethod = httpMethod;
        this.ip = ip;
        this.trueAddress = trueAddress;
        this.classMethod = classMethod;
        this.getClassMethodArgs = getClassMethodArgs;
    }

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getUrl() {
        return url;
    }

    public void setUrl(String url) {
        this.url = url;
    }

    public String getHttpMethod() {
        return httpMethod;
    }

    public void setHttpMethod(String httpMethod) {
        this.httpMethod = httpMethod;
    }

    public String getIp() {
        return ip;
    }

    public void setIp(String ip) {
        this.ip = ip;
    }

    public String getTrueAddress() {
        return trueAddress;
    }

    public void setTrueAddress(String trueAddress) {
        this.trueAddress = trueAddress;
    }

    public Timestamp getVisitTime() {
        return visitTime;
    }

    public String getClassMethod() {
        return classMethod;
    }

    public void setClassMethod(String classMethod) {
        this.classMethod = classMethod;
    }

    public String getGetClassMethodArgs() {
        return getClassMethodArgs;
    }

    public void setGetClassMethodArgs(String getClassMethodArgs) {
        this.getClassMethodArgs = getClassMethodArgs;
    }
}

1.2 Using Spring AOP

    After adding the spring-boot-starter-aop dependency in Gradle, we can design it like this:

  1. Pointcut: every public method of every Controller
     @Pointcut("execution(public * com.cuteke.spring.boot.blog.controlller.*.*(..))")
     public void log() {
     }
  2. Advice: here I choose before advice (@Before); you can also choose another advice type
     @Before("log()")
     public void doBefore(JoinPoint joinPoint) {
         ....
     }
  3. Get the HttpServletRequest: we obtain it through the request context, RequestContextHolder
     ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
     HttpServletRequest request = attributes.getRequest();
  4. Get each attribute: once you have the HttpServletRequest, you can fill each VisitorLog attribute by calling its methods:
     String url = request.getRequestURL().toString();
     String method = request.getMethod();
     String ip = IpUtil.getClinetIpByReq(request);
     String class_method = joinPoint.getSignature().getDeclaringTypeName() + "." + joinPoint.getSignature().getName();
     String args = Arrays.toString(joinPoint.getArgs());
     logger.info("url={} method={} ip={} class_method={} args={}", url, method, ip, class_method, args);
     VisitorLog visitorLog = new VisitorLog(url, method, ip, IpUtil.getAddressByIP(ip), class_method, args);
     vistorLogService.saveVistorLog(visitorLog);

IpUtil is a utility class for handling IP addresses. Its core idea is to use getRemoteAddr() and filter out proxy IPs; we will cover it in a later chapter, and it is also easy to find on Baidu.

2. URL does not match

    The website had been online for a few weeks when I found some very strange records in the data, as shown in Figure 1 below:

Figure 1. The URL column of the database rows does not match the site's domain

    I have underlined the strange URLs in red; have you spotted them? The URLs that cause trouble are all foreign, and foreign visitors really do like to make trouble!

2.1 Is a proxy involved?

    There are two types of proxies:

  1. Forward proxy: the client must be configured with a proxy server, and the proxy server makes the request on the client's behalf, so the URL generally does not change.
  2. Reverse proxy: the client does not know the proxy exists. A request for the URL passes through the reverse proxy server, which forwards it to the corresponding backend server. It is generally used for
    load balancing, and the URL generally does not change either.

    In fact, this situation can happen to me with a proxy in the path, because the user does not know the proxy server exists, let alone that it rewrites the URL or performs other operations. We know that a URL is resolved to an IP address, so as long as a visitor abroad can resolve some name to my server's IP address, they can reach my website no matter whether the URL is my site's URL or not.
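A check I would run over the recorded rows, added here as an example and not part of the CuteKe code: the servlet container rebuilds getRequestURL() from the request's Host header, so any request that reaches the server's IP is recorded with whatever host name the client sent. The script below takes constructed rows in the shape of the VisitorLog entity and flags every row whose URL host is not one of the site's own names; the allowed host set and the sample rows are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Names that legitimately belong to the site (assumption: taken from the post's own domain
# plus the local addresses used in the hosts-file experiment).
ALLOWED_HOSTS = {"www.cuteke.cn", "cuteke.cn", "localhost", "127.0.0.1"}

# Constructed sample rows in the shape of VisitorLog (url, httpMethod, ip); the IPs are
# documentation ranges, not real visitors.
SAMPLE_ROWS = [
    ("http://www.cuteke.cn/blogs", "GET", "203.0.113.10"),
    ("http://www.cuteke.cn:8080/blogs/1", "GET", "203.0.113.11"),   # explicit port is fine
    ("http://WWW.CUTEKE.CN/", "GET", "203.0.113.12"),               # case differs only
    ("http://example.invalid/blogs", "GET", "198.51.100.7"),        # Host header named another site
    ("http://[2001:db8::1]/", "GET", "198.51.100.8"),               # IPv6 literal as host
    ("http:///blogs", "GET", "198.51.100.9"),                       # empty host component
    ("/blogs", "GET", "198.51.100.9"),                              # no host at all
]


def host_of(url):
    """Return the lowercase host of a recorded URL without port/brackets, or None if absent or unparseable."""
    try:
        host = urlsplit(url).hostname   # .hostname strips the port and lowercases for us
    except ValueError:                   # e.g. malformed IPv6 brackets
        return None
    return host or None


def find_mismatches(rows, allowed=ALLOWED_HOSTS):
    """Rows whose URL host is not one of the site's names, as (url, ip, host) triples.

    Rows with no usable host are reported too: a well-formed browser request always has a Host header,
    so an empty host is itself worth a look."""
    return [(url, ip, host_of(url)) for url, _method, ip in rows if host_of(url) not in allowed]


def mismatch_summary(rows, allowed=ALLOWED_HOSTS):
    """Count mismatched rows per foreign host, so repeat offenders stand out."""
    return Counter(host for _url, _ip, host in find_mismatches(rows, allowed))


if __name__ == "__main__":
    for url, ip, host in find_mismatches(SAMPLE_ROWS):
        print(f"mismatch: host={host!r} ip={ip} url={url}")
    print(mismatch_summary(SAMPLE_ROWS))
```

Run it against a dump of the visitor_log table instead of SAMPLE_ROWS to list the rows underlined in red in Figure 1.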

2.2 Experimenting with the hosts file

    As mentioned earlier, as long as a name resolves to my server's IP address, the site can be reached no matter whether the URL is correct or not. Let's try it on this machine. Windows keeps a hosts file in C:\Windows\System32\drivers\etc; we only need to change the IP that the domain maps to and the resolution is done. The file looks like this:

# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
#	::1             localhost
127.0.0.1 www.cuteke.cn

    Here I resolve my website's domain name to the local address. I also run my website on this computer, but its content is different. I typed www.cuteke.cn into the browser and got the page shown below:

Figure 1. Local access to the CuteKe website

    This page is the one served by the local server, because the pinned article on this machine differs from the pinned article on the public site. Meanwhile, let's look at the access records in the local database:

Figure 2. Local database access records

    In the last two rows the recorded URL is not localhost but www.cuteke.cn, which confirms our reasoning.

After modifying the hosts file, if the URL you access still resolves to the original address, remember to flush the system DNS cache and the browser's DNS cache.

Modifying the hosts file is only one of the possibilities; a far more likely one is an HTTP Host header attack. We will describe its principle and concrete defensive measures in the next chapter.



Origin blog.csdn.net/u012397189/article/details/80228492