1. Scenario description

During a penetration test, an interface was found where the server's returned data could be modified to bypass the front-end check and call the points-granting interface. On review, the conclusion was that the cause was concurrency: when the interface is called concurrently, the "issued" flag has not yet been written to the database, so several requests pass the "not yet issued" check and points are granted more than once.
2. Scenario reproduction

- Create the thread class
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;

/**
 * Runnable that performs one business call. Prototype scope is required so that
 * each getBean() call in the service returns a new instance.
 */
@Component
@Scope("prototype")
public class ThreadTest implements Runnable {
    @Autowired
    private BusinessService businessService;
    private String user;
    private String business;

    /**
     * Parameters are passed via a setter (passing them through the constructor throws an error; pointers from more experienced readers welcome)
     */
    public void setValue(String user, String business) {
        this.user = user;
        this.business = business;
    }

    /**
     * Override run()
     */
    @Override
    public void run() {
        try {
            businessService.doBusiness(user, business);
        } catch (Exception e) {
            // run() cannot throw a checked Exception, so wrap it in an unchecked one
            throw new RuntimeException("业务执行报错", e);
        }
    }
}
```
- Add a method to the Controller layer

```java
// Inside the existing @RestController; `service` is the injected Service bean
@PostMapping("doTestThreadBusiness")
public void doTestThreadBusiness() throws Exception {
    service.doTestThreadBusiness();
}
```
- Add methods to the Service layer

Using ApplicationContextAware:

```java
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;

// Fully qualified to avoid clashing with the project's own Service interface
@org.springframework.stereotype.Service
public class ServiceImpl implements Service, /* ... other interfaces as before ... */ ApplicationContextAware {
    private ApplicationContext applicationContext;

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }

    public ThreadTest getCustomBean() {
        // Fetch the bean from the applicationContext container
        ThreadTest bean = applicationContext.getBean(ThreadTest.class);
        return bean;
    }

    @Override
    public void doTestThreadBusiness() {
        for (int i = 0; i < 10; i++) {
            // Fetch a fresh threadTest instance each time to ensure the threadTest object is prototype-scoped (one instance per call)
            ThreadTest threadTest = getCustomBean();
            threadTest.setValue("颜炎", "贷款");
            // Exercise the business logic
            new Thread(threadTest).start();
        }
    }
}
```
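The race described in the scenario, and its fix, boiled down to one class (an added example, not the post's code): `issued` is a constructed in-memory stand-in for the database's per-(user, business) "issued" flag, `grantUnsafe` mirrors the reported check-then-write pattern, and `grantSafe` claims the flag atomically before granting; `hammer` releases the concurrent threads at once, as the reproduction above does.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class PointsRaceDemo {
    // Constructed stand-in for the database's per-(user, business) "issued" flag.
    private final Set<String> issued = ConcurrentHashMap.newKeySet();
    private final AtomicInteger grants = new AtomicInteger();
    /** Vulnerable: reading the flag and writing it are two separate steps, as in the reported API. */
    public void grantUnsafe(String key) throws InterruptedException {
        if (!issued.contains(key)) {   // check: every concurrent caller sees "not issued"
            grants.incrementAndGet();  // act: points handed out
            Thread.sleep(5);           // models DB write latency; widens the window the finding describes
            issued.add(key);           // flag written too late to stop the other callers
        }
    }
    /** Hardened: claim the flag atomically first; only the single caller that wins performs the grant. */
    public void grantSafe(String key) {
        if (issued.add(key)) {         // add() on a ConcurrentHashMap key set returns true exactly once per key
            grants.incrementAndGet();
        }
    }
    /** Releases `threads` concurrent requests at once against one variant and returns the grant count. */
    public static int hammer(int threads, boolean safe) throws InterruptedException {
        PointsRaceDemo demo = new PointsRaceDemo();
        CountDownLatch start = new CountDownLatch(1), done = new CountDownLatch(threads);
        for (int i = 0; i < threads; i++) {
            new Thread(() -> {
                try {
                    start.await();     // all threads pass the check within the same window
                    if (safe) demo.grantSafe("user-1:loan"); else demo.grantUnsafe("user-1:loan");
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    done.countDown();
                }
            }).start();
        }
        start.countDown();
        done.await();
        return demo.grants.get();
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsafe grants for one key: " + hammer(20, false)); // typically far above 1
        System.out.println("safe grants for one key:   " + hammer(20, true));  // always 1
    }
}
```

In the real system the atomic claim corresponds to a unique constraint on (user, business) or a conditional UPDATE ... WHERE issued = 0 whose affected-row count gates the grant, so that the database, not the application's earlier read, decides who wins.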