{"id":19291567,"url":"https://github.com/joychou93/trident","last_synced_at":"2025-06-16T02:06:14.604Z","repository":{"id":119511712,"uuid":"102460534","full_name":"JoyChou93/trident","owner":"JoyChou93","description":"Java general-purpose vulnerability-fix security component","archived":false,"fork":false,"pushed_at":"2017-10-03T16:24:14.000Z","size":61,"stargazers_count":59,"open_issues_count":0,"forks_count":19,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-22T07:01:57.905Z","etag":null,"topics":["code","component","java","security"],"latest_commit_sha":null,"homepage":"https://github.com/JoyChou93/trident","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JoyChou93.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-09-05T09:15:10.000Z","updated_at":"2025-03-30T13:59:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"c82fc9cf-afbe-4c02-9beb-43da9f32fbbf","html_url":"https://github.com/JoyChou93/trident","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/JoyChou93/trident","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Ftrident","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Ftrident/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Ftrident/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Ftrident/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JoyChou93","download_url":"https://codeload.github.com/JoyChou93/trident/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Ftrident/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260083863,"owners_count":22956408,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code","component","java","security"],"created_at":"2024-11-09T22:26:14.390Z","updated_at":"2025-06-16T02:06:14.579Z","avatar_url":"https://github.com/JoyChou93.png","language":"Java","readme":"# Trident\n\n\u003e Java Code Security Component\n\nCurrently supported features:\n\n1. URL whitelist validation (done)\n2. checkSSRF (done)\n3. checkReferer (not done)\n4. csrfToken (not done)\n5. xssEncode (not done)\n6. getRealIP (done)\n\n## URL whitelist validation\n\n#### URL bypasses\n\nFor URL whitelist bypass techniques see [https://joychou.org/web/url-whitelist-bypass.html](https://joychou.org/web/url-whitelist-bypass.html)\n\n#### Validation logic\n\n1. Take the URL's primary (registrable) domain\n2. Check whether it is in the domain whitelist\n\n#### Validation code\n\nA legal URL returns true; an illegal URL returns false.\n\n```java\n// URL whitelist component test\ncheckURL urlCheck = new checkURL();\nString[] urlWList = {\"joychou.com\", \"joychou.me\"};\nBoolean ret = urlCheck.checkUrlWlist(\"http://test.joychou.org\", urlWList);\nSystem.out.println(ret);\n```\n\n## checkSSRF\n\n#### Validation logic\n\n1. Take the URL's host\n2. Resolve the host to an IP\n3. Check whether the IP is an internal (intranet) IP; if it is, return immediately and go no further\n4. Request the URL\n5. If the response is a redirect, take the redirect URL and go back to step 1\n\n#### Validation code\n\nIf the host resolves to an internal IP, checkSSRF returns false (the check fails); otherwise it returns true, i.e. a legal URL returns true. Only HTTP URLs are supported.\n\n```java\n// SSRF component test\nSSRF check = new SSRF();\nString url = \"http://dns_rebind.joychou.me\";\nBoolean ret = check.checkSSRF(url);\nif (ret) {\n    String con = Request.Get(url).execute().returnContent().toString();\n    System.out.println(con);\n}\nelse {\n    System.out.println(\"Bad boy. The url is illegal\");\n}\n```\n\n#### Bypass\n\nIf Java's DNS cache TTL is set to 0, the code above can be bypassed with DNS rebinding.\n\nHowever, as long as Java's TTL is not set to 0, there is no bypass risk in the logic of this code.\n\nFor the bypass details see [https://joychou.org/web/use-dnsrebinding-to-bypass-ssrf-in-java.html](https://joychou.org/web/use-dnsrebinding-to-bypass-ssrf-in-java.html)\n\n## Get real IP\n\nTo use this code you must make sure that the proxy in front of the application puts the real IP into the X-Real-IP header.\n\n```\nproxy_set_header X-Real-IP $remote_addr;\n```\n\nFor the vulnerable code and configuration see [https://joychou.org/web/how-to-get-real-ip.html](https://joychou.org/web/how-to-get-real-ip.html)","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoychou93%2Ftrident","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoychou93%2Ftrident","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoychou93%2Ftrident/lists"}