获取短信验证码接口存在短信资源消耗漏洞
用户登录发送手机验证码接口未做请求频率限制,存在短信资源消耗漏洞,消耗目标系统的短信资源。这可能导致用户无法接收重要的短信,如验证码、一些通知等,给用户造成不便和安全风险。
获取短信验证码接口:
接口只限制针对单个手机号的短信发送限制,
可遍历全国手机号码发送短信,短时间内消耗大量短信,
给集团信誉和系统正常运行造成影响。
解决方案:
针对单个用户的接口请求频率进行限制,加入图形化验证码机制。
图形验证码:
1、使用redis缓存,设置key为手机号加随机uuid,将手机号与验证码绑定起来,一个验证码仅对一个手机号使用。
2、使用redis缓存,图形验证码校验正确或验证错错误,都将redis中该手机号对应的验证码删除,保证图形验证码的一次性失效。
使用jar包:hutool-all-5.8.1.jar
@GetMapping("/create/{uid}/{phone}")
@ApiOperation("获取图形验证码")
public void getPicCode(@NotBlank(message = "uid不能为空") @PathVariable String uid, @NotBlank(message = "手机号不能为空") @PathVariable String phone,HttpServletRequest request, HttpServletResponse response){
userService.createImage(uid,phone,request,response);
}
注意:
a、获取图形验证码接口需要在资源配置类中给路径放行,不需要token即可调用。
b、需要使用GET请求方式,路径参数,这样前端才能接收到返回的图片验证码地址
@Override
public void createImage(String uid,String phone, HttpServletRequest request, HttpServletResponse response) {
if (phone == null){
throw new BusinessException(ErrorStatus.INTERNAL_SERVER_ERROR, "手机号不能为空!");
}
ShearCaptcha shearCaptcha = CaptchaUtil.createShearCaptcha(100, 25, 3, 1);
ServletOutputStream outputStream = null ;
try {
shearCaptcha.setFont(new Font("微软雅黑",Font.PLAIN,22));
shearCaptcha.setGenerator(new MathGenerator(1));
cacheService.setKey(uid+phone,shearCaptcha.getCode(),3L, TimeUnit.MINUTES);
response.setContentType("image/jpeg");
response.setHeader("Pragma","No-cache");
outputStream = response.getOutputStream();
shearCaptcha.write(outputStream);
outputStream.flush();
outputStream.close();
}catch (Exception ex){
log.error(ex.getMessage());
}finally {
if(!ObjectUtils.isNull(outputStream)){
try {
outputStream.close();
} catch (IOException e) {
log.error(e.getMessage(), e);
}
}
}
}
在对应的获取验证码接口实现类里,校验图形验证码是否正确
if (phone == null){
throw new BusinessException(ErrorStatus.INTERNAL_SERVER_ERROR, "手机号不能为空!");
}
String piccode = dto.getPiccode();
String uid = dto.getUid();
String checkCode = Optional.ofNullable(cacheService.getValue(uid +phone))
.orElseThrow(() -> new BusinessException(ErrorStatus.ILLEGAL_ARGUMENT, "uid参数异常"));
if (!new MathGenerator().verify(checkCode,piccode)){
//图形验证码不匹配,让其失效
cacheService.delKey(uid +phone);
throw new BusinessException(ErrorStatus.ILLEGAL_ARGUMENT, "图形验证码错误,请重新输入!");
}
//同一个IP地址限制次数
String ipAddress = IPUtils.getIpAddress(request);
boolean timeCount = cacheService.setnx("IP" + ipAddress + phone, "1");
if (timeCount) {
cacheService.setKey("IP" + ipAddress + phone, "1", 1L, TimeUnit.MINUTES);
//每小时只能发送五次
Long sendNumLimit = cacheService.boundValueOps("IP" + ipAddress + phone + "count", 1);
if (sendNumLimit == 1) {
//设置一小时后过期
cacheService.expire("IP" + ipAddress + phone + "count", 1L, TimeUnit.HOURS);
}
if (sendNumLimit > 5) {
throw new BusinessException(ErrorStatus.ILLEGAL_ARGUMENT, "当前用户IP地址请求超出限制,请稍后再试");
}
} else {
throw new BusinessException(ErrorStatus.ILLEGAL_ARGUMENT, "请勿重复发送,请一分钟后重试");
}
//图形验证码正确 让验证码也失效
cacheService.delKey(uid +phone);
@Override
public boolean setnx(String key, String value) {
Boolean aBoolean = template.opsForValue().setIfAbsent(key, value);
if (aBoolean) {
template.opsForValue().set(key,value,60,TimeUnit.SECONDS);
}
return aBoolean;
}
public class IPUtils {
public static String getIpAddress(HttpServletRequest request){
String ip = request.getHeader("x-forwarded-for");
if (ip==null|| ip.length()==0||"nuknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("Proxy-Client-IP");
}
if (ip==null|| ip.length()==0||"nuknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("Proxy-Client-IP");
}
if (ip==null|| ip.length()==0||"nuknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("WL-Proxy-IP");
}
if (ip==null|| ip.length()==0||"nuknown".equalsIgnoreCase(ip)) {
ip = request.getRemoteAddr();
}
String realIp = ip.equals("0:0:0:0:0:0:0:1") ? "127.0.0.1" : ip;
String[] ips = realIp.split(",");
return ips[0];
}
}