1、会话标识未更新
登陆界面和登陆成功的界面一致时,修改后台逻辑,在验证登陆逻辑的时候,先强制让当前session过期,然后用新的session存储信息;
request.getSession().invalidate();
if (request.getCookies() != null) {Cookie cookie = request.getCookies()[0];// 获取cookie
cookie.setMaxAge(0);// 让cookie过期
}
HttpSession session = request.getSession(false);
2、使用 HTTP 动词篡改的认证旁路
方法 从以下位置进行控制: GET 至: BOGUS;在程序中加过滤器,针对每一个请求都加上过滤器
(1) 过滤器代码
public class MethodFilter implements Filter{@Override
public void destroy() {}
@Override
public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain)
throws IOException, ServletException {HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res=(HttpServletResponse) response ;
String method= req.getMethod();
if(method!=null){if (!"GET".equals(method) && !"POST".equals(method) && !"HEAD".equals(method) ) {res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "JSPs only permit GET POST or HEAD");
return;
}
chain.doFilter(request, response);
return;
}
}
@Override
public void init(FilterConfig arg0) throws ServletException {}
}
(2) 过滤器
<filter>
<filter-name>MethodFilter</filter-name>
<filter-class>com.sinba.itsm.MethodFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MethodFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>MethodFilter</filter-name>
<url-pattern>*.action</url-pattern>
</filter-mapping>
3、跨站点请求伪造
说的白话一点就是,别的站点伪造你的请求,最可怕的是你还没有察觉并且接收了。
验证Referer:
(1)过滤器代码
public class RefererFilter implements Filter{@Override
public void destroy() {}
@Override
public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain)
throws IOException, ServletException {HttpServletResponse res=(HttpServletResponse) response ;
HttpServletRequest req = (HttpServletRequest) request;
String referer=req.getHeader( "Referer" );
String startUrl = "";
if(referer!=null){startUrl=referer.substring(0,referer.indexOf("itsm-webapp/pages/"))+"itsm-webapp/pages/";}
if(referer==null){chain.doFilter(request, response);
return;
}
if ((referer!= null ) &&(referer.trim().startsWith(startUrl))){chain.doFilter(request, response);
return;
} else {request.getRequestDispatcher( "error.jsp" ).forward(request,response);
return;
}
}
@Override
public void init(FilterConfig arg0) throws ServletException {}
}
(2)过滤器
<filter>
<filter-name>RefererFilter</filter-name>
<filter-class>com.sinba.itsm.RefererFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RefererFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>RefererFilter</filter-name>
<url-pattern>*.action</url-pattern>
</filter-mapping>
4、发现数据库错误模式
项目里的报错为数据库连接数的问题,修改了数据库的连接数就好了。
5、查询中接受的主体参数
可以将post方法直接改为get。
6、 缺少“Content-Security-Policy”头 、 缺少“X-Content-Type-Options”头、缺少“X-XSS-Protection”头及缺少跨帧脚本编制防御
参考文档:https://wenku.baidu.com/view/61f9027e5727a5e9856a61f3.html https://imququ.com/post/web-security-and-response-header.html 即在响应地方加上即可:
(1)过滤器代码
public class JSHeaderFilter implements Filter{@Override
public void destroy() {}
@Override
public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain)
throws IOException, ServletException {HttpServletResponse response1 = (HttpServletResponse) response;
response1.addHeader("content-security-policy","default-src 'self'");response1.addHeader("x-content-type-options", "nosniff");response1.addHeader("x-xss-protection","1; mode=block");response1.addHeader("x-frame-options","SAMEORIGIN");chain.doFilter(request, response);
return;
}
@Override
public void init(FilterConfig arg0) throws ServletException {}
}
(2)过滤器
<filter>
<filter-name>JSHeaderFilter</filter-name>
<filter-class>com.sinba.itsm.JSHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>JSHeaderFilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
7、自动填写未对密码字段禁用的 HTML 属性
AppScan 发现密码字段没有强制禁用自动填写功能。 在input框添加autocomplete="off"属性。
8、检测到目标URL存在链接注入漏洞
“链接注入”是修改站点内容的行为,其方式为将外部站点的 URL 嵌入其中,或将有易受攻击的站点中的脚本 的 URL 嵌入其中。将 URL 嵌入易受攻击的站点中,攻击者便能够以它为平台来启动对其他站点的攻击,以及攻击这个易受攻击的站点本身。 在这些可能的攻击中,有些需要用户在攻击期间登录站点。攻击者从这一易受攻击的站点本身启动这些攻击,成功的机会比较大,因为用户登录的可能性更大。 “链接注入”漏洞是用户输入清理不充分的结果,清理结果会在稍后的站点响应中返回给用户。攻击者能够将危险字符注入响应中,便能够嵌入 URL 及其他可能的内容修改。
(1)过滤器代码
public class PremeterFilter implements Filter{@Override
public void destroy() {}
@Override
public void doFilter(ServletRequest request, ServletResponse response,FilterChain filterchain)
throws IOException, ServletException {//判断是否有注入攻击字符
HttpServletRequest req = (HttpServletRequest) request;
String inj = injectInput(req);
if (!inj.equals("")) {request.getRequestDispatcher( "error.jsp" ).forward(request,response);
return;
} else {// 传递控制到下一个过滤器
filterchain.doFilter(request, response);
}
}
/**
* 判断request中是否含有注入攻击字符
* @param request
* @return
*/
public String injectInput(ServletRequest request) {Enumeration e = request.getParameterNames();
String attributeName;
String attributeValues[];
String inj = "";
String injdb = "";
while (e.hasMoreElements()) {attributeName = (String)e.nextElement();
//不对密码信息进行过滤,一般密码中可以包含特殊字符
if(attributeName.toLowerCase().contains("password")){continue;
}
attributeValues = request.getParameterValues(attributeName);
for (int i = 0; i < attributeValues.length; i++) {if(attributeValues[i]==null||attributeValues[i].equals("")){continue;
}
inj = injectChar(attributeValues[i]);
if (!inj.equals("")){return inj;
}
}
}
return inj;
}
/**
* 判断字符串中是否含有注入攻击字符
* @param str
* @return
*/
public String injectChar(String str) {String inj_str = "\" ) \' * % < > &";
String inj_stra[] = inj_str.split(" ");for (int i = 0 ; i
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
