Java Web应用权限绕过漏洞分析与防护指南<\/h1>

0x00 前言<\/h2>

背景概述<\/h3>
在国内Web项目中，开发者常使用过滤器（Filter）或拦截器（Interceptor）等自定义方法实现统一鉴权。然而，由于对请求路径获取API的错误使用或混用，导致权限校验存在安全盲点。攻击者可利用路径解析差异构造特殊请求绕过鉴权机制。<\/p>

漏洞影响范围<\/h3>
影响组件：某微、某凌、某远等主流OA\/CMS系统<\/li>
技术根源：Spring框架路径解析特性与自定义鉴权逻辑不匹配<\/li>
实战价值：攻防演练中高频出现的高危漏洞类型<\/li> <\/ul>
0x01 常见鉴权方案分析<\/h2>

Java鉴权方案对比表<\/h3>
框架\/方式<\/th> 特性<\/th> 基于什么鉴权<\/th> 适用场景<\/th> <\/tr> <\/thead>
自定义Servlet Filter<\/td> 全局请求入口、可拦截静态资源<\/td> Session\/Token（自解析）<\/td> 自定义认证逻辑、中央鉴权<\/td> <\/tr>
Spring HandlerInterceptor<\/td> 控制器级拦截、路由粒度<\/td> 依赖上游认证<\/td> URL级鉴权、审计<\/td> <\/tr>
AOP自定义方法拦截<\/td> 业务方法最靠近，支持复杂上下文<\/td> 基于ThreadLocal\/Token的主体信息<\/td> 细粒度业务授权<\/td> <\/tr>
Spring Security<\/td> 完整过滤器链、方法级注解<\/td> Session\/JWT\/OAuth2 tokens<\/td> 现代Spring Boot应用<\/td> <\/tr>
Apache Shiro<\/td>
简洁Subject\/Realm\/Session<\/td>
Session\/RememberMe\/Token<\/td>
轻量应用、非Spring项目<\/td> <\/tr> <\/tbody> <\/table>
自定义鉴权实现详解<\/h3>

1. Servlet Filter实现<\/h4>
配置类：<\/strong><\/p>
@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> WebConfig<\/span> implements<\/span> WebMvcConfigurer {<\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    public<\/span> FilterRegistrationBean<<\/span>VulnerableAuthFilter><\/span> vulnerableAuthFilter<\/span>()<\/span> {<\/span>
<\/span><\/span>        FilterRegistrationBean<<\/span>VulnerableAuthFilter><\/span> registrationBean =<\/span> new<\/span> FilterRegistrationBean<>();<\/span>
<\/span><\/span>        registrationBean.<\/span>setFilter<\/span>(<\/span>new<\/span> VulnerableAuthFilter());<\/span>
<\/span><\/span>        registrationBean.<\/span>addUrlPatterns<\/span>(<\/span>"\/admin\/*"<\/span>);<\/span>
<\/span><\/span>        return<\/span> registrationBean;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>过滤器逻辑：<\/strong><\/p>
@WebFilter<\/span>(<\/span>"\/*"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> AuthFilter<\/span> implements<\/span> Filter {<\/span>
<\/span><\/span>    public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest req,<\/span> ServletResponse res,<\/span> FilterChain chain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>        HttpServletRequest httpRequest =<\/span> (<\/span>HttpServletRequest)<\/span> request;<\/span>
<\/span><\/span>        HttpServletResponse httpResponse =<\/span> (<\/span>HttpServletResponse)<\/span> response;<\/span>
<\/span><\/span>        
<\/span><\/span>        String authHeader =<\/span> httpRequest.<\/span>getHeader<\/span>(<\/span>"Authorization"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>authHeader ==<\/span> null<\/span> ||<\/span> !<\/span>authHeader.<\/span>equals<\/span>(<\/span>"BypassVulnDemo"<\/span>))<\/span> {<\/span>
<\/span><\/span>            httpResponse.<\/span>setStatus<\/span>(<\/span>HttpServletResponse.<\/span>SC_UNAUTHORIZED<\/span>);<\/span>
<\/span><\/span>            httpResponse.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"Filter: Authentication required"<\/span>);<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Spring MVC拦截器实现<\/h4>
配置类：<\/strong><\/p>
@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> WebConfig<\/span> implements<\/span> WebMvcConfigurer {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> void<\/span> addInterceptors<\/span>(<\/span>InterceptorRegistry registry)<\/span> {<\/span>
<\/span><\/span>        registry.<\/span>addInterceptor<\/span>(<\/span>new<\/span> VulnerableInterceptor())<\/span>
<\/span><\/span>                .<\/span>addPathPatterns<\/span>(<\/span>"\/secure\/**"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>拦截器逻辑：<\/strong><\/p>
public<\/span> class<\/span> AuthzInterceptor<\/span> implements<\/span> HandlerInterceptor {<\/span>
<\/span><\/span>    public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse res,<\/span> Object handler)<\/span> {<\/span>
<\/span><\/span>        String authHeader =<\/span> request.<\/span>getHeader<\/span>(<\/span>"Authorization"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>authHeader ==<\/span> null<\/span> ||<\/span> !<\/span>authHeader.<\/span>equals<\/span>(<\/span>"BypassVulnDemo"<\/span>))<\/span> {<\/span>
<\/span><\/span>            response.<\/span>setStatus<\/span>(<\/span>HttpServletResponse.<\/span>SC_UNAUTHORIZED<\/span>);<\/span>
<\/span><\/span>            response.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"Unauthorized: Authentication required"<\/span>);<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. AOP切面实现<\/h4>
自定义注解：<\/strong><\/p>
@Target<\/span>(<\/span>ElementType.<\/span>METHOD<\/span>)<\/span>
<\/span><\/span>@Retention<\/span>(<\/span>RetentionPolicy.<\/span>RUNTIME<\/span>)<\/span>
<\/span><\/span>public<\/span> @interface<\/span> RequireAuth {<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>切面逻辑：<\/strong><\/p>
@Aspect<\/span>
<\/span><\/span>@Component<\/span>
<\/span><\/span>public<\/span> class<\/span> AopConfig<\/span> {<\/span>
<\/span><\/span>    @Around<\/span>(<\/span>"@annotation(com.bypassvuln.config.RequireAuth)"<\/span>)<\/span>
<\/span><\/span>    public<\/span> Object checkAuth<\/span>(<\/span>ProceedingJoinPoint joinPoint)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>        HttpServletRequest request =<\/span> ((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getRequest<\/span>();<\/span>
<\/span><\/span>        HttpServletResponse response =<\/span> ((<\/span>ServletRequestAttributes)<\/span> RequestContextHolder.<\/span>currentRequestAttributes<\/span>()).<\/span>getResponse<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        String authHeader =<\/span> request.<\/span>getHeader<\/span>(<\/span>"Authorization"<\/span>);<\/span>
<\/span><\/span>        if<\/span> (<\/span>authHeader ==<\/span> null<\/span> ||<\/span> !<\/span>authHeader.<\/span>equals<\/span>(<\/span>"BypassVulnDemo"<\/span>))<\/span> {<\/span>
<\/span><\/span>            response.<\/span>setStatus<\/span>(<\/span>HttpServletResponse.<\/span>SC_UNAUTHORIZED<\/span>);<\/span>
<\/span><\/span>            response.<\/span>getWriter<\/span>().<\/span>write<\/span>(<\/span>"Unauthorized: Authentication required"<\/span>);<\/span>
<\/span><\/span>            return<\/span> null<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> joinPoint.<\/span>proceed<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x02 请求路径获取方法分析<\/h2>
路径获取API对比表（Spring-Web 5.3.20）<\/h3>



类别<\/th>
方法<\/th>
描述<\/th>
安全特性<\/th>
<\/tr>
<\/thead>


HttpServletRequest<\/td>
getRequestURL()<\/td>
返回完整URL<\/td>
原始输入，无处理<\/td>
<\/tr>

<\/td>
getRequestURI()<\/td>
返回协议名到查询字符串间部分<\/td>
原始输入，无处理<\/td>
<\/tr>

<\/td>
getServletPath()<\/td>
返回servlet路径<\/td>
删除;后内容、URL解码、解析..\/<\/td>
<\/tr>

<\/td>
getPathInfo()<\/td>
返回额外路径信息<\/td>
一般为null<\/td>
<\/tr>

Spring HandlerMapping<\/td>
BEST_MATCHING_PATTERN_ATTRIBUTE<\/td>
返回Controller配置路径<\/td>
强关联匹配资源<\/td>
<\/tr>

<\/td>
PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE<\/td>
处理器映射内路径<\/td>
删除;后内容，不解码<\/td>
<\/tr>

Spring UrlPathHelper<\/td>
getPathWithinApplication()<\/td>
应用内路径<\/td>
删除;后内容、URL解码<\/td>
<\/tr>
<\/tbody>
<\/table>
路径解析示例<\/h3>
请求：http:\/\/localhost:18083\/app\/path-demo\/show\/\/\/%2e%2e\/..\/admin;.js<\/code><\/p>
解析结果：<\/p>
{
<\/span><\/span>    "getRequestURL()"<\/span>: "http:\/\/localhost:18083\/app\/path-demo\/show\/\/\/%2e%2e\/..\/admin\/dashboard;.js"<\/span>,
<\/span><\/span>    "getRequestURI()"<\/span>: "\/app\/path-demo\/show\/\/\/%2e%2e\/..\/admin\/dashboard;.js"<\/span>, 
<\/span><\/span>    "getServletPath()"<\/span>: "\/admin\/dashboard"<\/span>,
<\/span><\/span>    "HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE"<\/span>: "\/path-demo\/show\/**"<\/span>,
<\/span><\/span>    "HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE"<\/span>: "\/path-demo\/show\/\/\/%2e%2e\/..\/admin\/dashboard"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x03 权限绕过技术深度分析<\/h2>
场景一：startsWith匹配绕过<\/h3>
漏洞代码：<\/strong><\/p>
public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    String requestUri =<\/span> request.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 漏洞：使用startsWith匹配，可被..\/绕过
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>requestUri.<\/span>startsWith<\/span>(<\/span>"\/swagger"<\/span>))<\/span> {<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 鉴权逻辑...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过Payload：<\/strong><\/p>

\/swagger\/..\/app\/secure\/data<\/code><\/li>
\/swagger\/..;666666\/app\/secure\/data<\/code><\/li>
\/swagger\/\/\/\/\/%2e%2e;666666\/\/\/\/\/%61%70%70\/secure\/data<\/code><\/li>
<\/ul>
技术原理：<\/strong><\/p>

getRequestURI()<\/code>返回原始未规范化路径<\/li>
Tomcat的CoyoteRequest<\/code>保存原始请求对象<\/li>
Spring MVC在HandlerMapping<\/code>阶段进行路径规范化<\/li>
上下文路径配置影响路径解析结果<\/li>
<\/ul>
场景二：endsWith匹配绕过<\/h3>
漏洞代码：<\/strong><\/p>
public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>    String requestUrl =<\/span> httpRequest.<\/span>getRequestURL<\/span>().<\/span>toString<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 漏洞：使用endsWith匹配，可被;.js绕过
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>requestUrl.<\/span>endsWith<\/span>(<\/span>".js"<\/span>))<\/span> {<\/span>
<\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 鉴权逻辑...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过Payload：<\/strong><\/p>

\/app\/admin\/dashboard;.js<\/code><\/li>
\/app\/admin;666666\/dashboard;6666666;;;.js<\/code><\/li>
<\/ul>
技术原理：<\/strong><\/p>

分号;<\/code>标识矩阵参数，Spring会删除;<\/code>至\/<\/code>间内容<\/li>
无\/<\/code>时删除;<\/code>后所有内容<\/li>
规范化后仍能匹配到目标Controller<\/li>
<\/ul>
场景三：contains匹配绕过<\/h3>
漏洞代码：<\/strong><\/p>
@Around<\/span>(<\/span>"@annotation(com.bypassvuln.config.RequireAuth)"<\/span>)<\/span>
<\/span><\/span>public<\/span> Object checkAuth<\/span>(<\/span>ProceedingJoinPoint joinPoint)<\/span> throws<\/span> Throwable {<\/span>
<\/span><\/span>    String requestUri =<\/span> request.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 漏洞：使用contains匹配
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>requestUri.<\/span>contains<\/span>(<\/span>"swagger"<\/span>))<\/span> {<\/span>
<\/span><\/span>        return<\/span> joinPoint.<\/span>proceed<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 鉴权逻辑...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过Payload：<\/strong><\/p>

\/swagger\/..\/app\/api\/sensitive<\/code><\/li>
\/app\/api\/sensitive;swagger<\/code><\/li>
\/app\/api;swagger\/sensitive<\/code><\/li>
<\/ul>
场景四：后缀匹配模式绕过（历史漏洞）<\/h3>
背景：<\/strong><\/p>

Spring 5.3之前默认开启useSuffixPatternMatch<\/code><\/li>
5.3开始默认关闭，需手动配置<\/li>
<\/ul>
配置开启：<\/strong><\/p>
@Override<\/span>
<\/span><\/span>public<\/span> void<\/span> configurePathMatch<\/span>(<\/span>PathMatchConfigurer configurer)<\/span> {<\/span>
<\/span><\/span>    configurer.<\/span>setUseSuffixPatternMatch<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过效果：<\/strong><\/p>

\/upload.swagger<\/code>等效于\/upload<\/code><\/li>
<\/ul>
场景五：强制性白名单绕过<\/h3>
漏洞代码：<\/strong><\/p>
public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>    String requestUri =<\/span> httpRequest.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 漏洞：强制性检查.do\/.jsp后缀
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>requestUri.<\/span>endsWith<\/span>(<\/span>".do"<\/span>)<\/span> ||<\/span> requestUri.<\/span>endsWith<\/span>(<\/span>".jsp"<\/span>))<\/span> {<\/span>
<\/span><\/span>        \/\/ 执行鉴权
<\/span><\/span><\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        \/\/ 直接放行
<\/span><\/span><\/span><\/span>        chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过Payload：<\/strong><\/p>

\/system\/dashboard.do\/<\/code>（结尾加\/）<\/li>
\/system\/dashboard.do;<\/code>（结尾加分号）<\/li>
<\/ul>
场景六：equals精确匹配绕过<\/h3>
漏洞代码：<\/strong><\/p>
String requestUri =<\/span> httpRequest.<\/span>getRequestURI<\/span>();<\/span>
<\/span><\/span>if<\/span> (<\/span>requestUri.<\/span>equals<\/span>(<\/span>"\/app\/system\/admin"<\/span>))<\/span> {<\/span>
<\/span><\/span>    \/\/ 执行鉴权
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过Payload：<\/strong><\/p>

URL编码：\/app\/system\/%61%64%6d%69%6e<\/code><\/li>
<\/ul>
Spring 5.3.20路径解析特性总结<\/h3>



特性<\/th>
context-path<\/th>
controller-path<\/th>
说明<\/th>
<\/tr>
<\/thead>


;<\/code>参数处理<\/td>
支持<\/td>
支持<\/td>
删除;至\/间内容<\/td>
<\/tr>

..\/<\/code>解析<\/td>
支持<\/td>
不支持<\/td>
需配置context-path<\/td>
<\/tr>

URL解码<\/td>
支持<\/td>
支持<\/td>
规范化阶段处理<\/td>
<\/tr>

多个\/<\/code>处理<\/td>
不支持<\/td>
不支持<\/td>
保持原样<\/td>
<\/tr>
<\/tbody>
<\/table>
0x04 安全防护机制<\/h2>
Spring Security StrictHttpFirewall<\/h3>
默认防护规则<\/h4>

HTTP方法检查<\/strong>：仅允许GET\/POST\/PUT\/PATCH\/DELETE\/HEAD\/OPTIONS<\/li>
URL阻止列表<\/strong>：

编码类禁止：%25<\/code>、%2e<\/code>、%2E<\/code><\/li>
字符类禁止：%<\/code>、\u2028<\/code>、\u2029<\/code>、;<\/code>、%2f<\/code>、\/\/<\/code>、\<\/code>、%00<\/code>等<\/li>
<\/ul>
<\/li>
路径规范化检查<\/strong>：检测..<\/code>、.<\/code>等非规范化路径<\/li>
非打印字符检测<\/strong>：拒绝包含非打印ASCII字符的请求<\/li>
<\/ol>
防护效果示例<\/h4>
引入依赖即可启用：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-boot-starter-security<\/artifactId><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>自定义配置（不推荐生产环境）<\/h4>
@Bean<\/span>
<\/span><\/span>public<\/span> HttpFirewall relaxedFirewall<\/span>()<\/span> {<\/span>
<\/span><\/span>    StrictHttpFirewall firewall =<\/span> new<\/span> StrictHttpFirewall();<\/span>
<\/span><\/span>    firewall.<\/span>setAllowSemicolon<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    firewall.<\/span>setAllowUrlEncodedSlash<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    firewall.<\/span>setAllowUrlEncodedPeriod<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    return<\/span> firewall;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>安全开发建议<\/h3>
1. 使用一致的路径获取API<\/h4>

鉴权阶段使用HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE<\/code><\/li>
避免混用getRequestURI()<\/code>和getServletPath()<\/code><\/li>
<\/ul>
2. 路径规范化处理<\/h4>
private<\/span> String normalizePath<\/span>(<\/span>String path)<\/span> {<\/span>
<\/span><\/span>    return<\/span> UriUtils.<\/span>decode<\/span>(<\/span>path,<\/span> StandardCharsets.<\/span>UTF_8<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>"\/\/"<\/span>,<\/span> "\/"<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>"\/..\/"<\/span>,<\/span> "\/"<\/span>)<\/span>
<\/span><\/span>                   .<\/span>replace<\/span>(<\/span>"\/.\/"<\/span>,<\/span> "\/"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 使用Spring Security最佳实践<\/h4>

优先使用Spring Security而非自定义鉴权<\/li>
保持StrictHttpFirewall默认配置<\/li>
使用方法级注解@PreAuthorize<\/code>进行细粒度控制<\/li>
<\/ul>
4. 安全测试用例<\/h4>
@Test<\/span>
<\/span><\/span>public<\/span> void<\/span> testPathBypassVulnerabilities<\/span>()<\/span> {<\/span>
<\/span><\/span>    \/\/ 测试各种绕过Payload
<\/span><\/span><\/span><\/span>    String[]<\/span> testPaths =<\/span> {<\/span>
<\/span><\/span>        "\/admin\/..\/secure\/data"<\/span>,<\/span>
<\/span><\/span>        "\/api\/sensitive;swagger"<\/span>,<\/span>
<\/span><\/span>        "\/system\/dashboard.do\/"<\/span>,<\/span>
<\/span><\/span>        "\/app\/system\/%61%64%6d%69%6e"<\/span>
<\/span><\/span>    };<\/span>
<\/span><\/span>    
<\/span><\/span>    for<\/span> (<\/span>String path :<\/span> testPaths)<\/span> {<\/span>
<\/span><\/span>        mockMvc.<\/span>perform<\/span>(<\/span>get(<\/span>path))<\/span>
<\/span><\/span>               .<\/span>andExpect<\/span>(<\/span>status().<\/span>isForbidden<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞检测清单<\/h3>


代码审计重点<\/strong>：<\/p>

查找自定义Filter\/Interceptor中使用getRequestURI()<\/code>、startsWith()<\/code>、endsWith()<\/code>、contains()<\/code>的代码<\/li>
检查路径匹配逻辑是否进行规范化处理<\/li>
确认是否使用Spring Security及其配置<\/li>
<\/ul>
<\/li>

黑盒测试Payload<\/strong>：<\/p>

目录穿越：\/path\/..\/target<\/code>、\/path\/..;\/target<\/code><\/li>
分号参数：\/target;bypass<\/code>、\/target;\/bypass<\/code><\/li>
URL编码：\/%74%61%72%67%65%74<\/code><\/li>
后缀变异：\/target.js\/<\/code>、\/target.jsp\/<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
Java Web应用权限绕过漏洞源于路径解析差异与鉴权逻辑不匹配。深入理解Spring框架路径处理机制、严格统一路径获取方式、采用安全框架默认防护是有效防护的关键。开发人员应避免使用字符串匹配进行路径鉴权，安全人员需掌握各种绕过技术以进行全面安全测试。<\/p>