Copyright notice: this is an original article by the blogger; reproduction without the blogger's permission is not allowed. https://blog.csdn.net/u012796085/article/details/81867892
Cross-site request forgery
// In the interceptor, add a check of the request's source address
String fullurl = request.getHeader("Referer");
if (fullurl != null) {
    String[] referer = fullurl.split("/"); // full path of the request source, e.g. ["http:", "", "host:port", "path", ...]
    String serverName = request.getServerName(); // project root host name
    int serverPort = request.getServerPort();    // port number
    // Fix for the security issue: cross-site request forgery
    // referer[2] is the "host:port" segment; guard against a malformed header with fewer segments.
    // Note: browsers omit ":80" / ":443" for default ports, so the comparison below only works
    // when the application is served on a non-default port.
    if (referer.length < 3 || !referer[2].equals(serverName + ":" + serverPort)) {
        request.getRequestDispatcher("/error.html").forward(request, response);
        return false; // assumes this runs inside preHandle(); stop processing after the forward
    }
}
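The same Referer-based check written as a complete Spring HandlerInterceptor, as an added example that is not the article's own code: it parses the header with java.net.URI instead of splitting on "/", fills in the default port when the browser omits it, treats a malformed or missing header as cross-site, and only checks state-changing methods. The class name SameOriginInterceptor is hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

/** Hypothetical interceptor: rejects state-changing requests whose Origin/Referer is not this server. */
public class SameOriginInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Safe methods carry no state change, so they are not subject to the check.
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return true;
        }
        // Browsers send Origin on cross-origin POSTs; fall back to Referer when it is absent.
        String source = request.getHeader("Origin");
        if (source == null) {
            source = request.getHeader("Referer");
        }
        if (source == null || !sameOrigin(source, request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false; // handler is not invoked
        }
        return true;
    }

    /** Compare host and port of the header value with the server's own host and port. */
    static boolean sameOrigin(String headerValue, HttpServletRequest request) {
        try {
            URI src = new URI(headerValue);
            if (src.getHost() == null) {
                return false; // e.g. "about:blank" or a relative value: cannot be trusted
            }
            int srcPort = src.getPort() == -1 ? defaultPort(src.getScheme()) : src.getPort();
            // Behind a reverse proxy, getServerName()/getServerPort() must reflect the public
            // host and port (e.g. via the container's proxy/remote-IP settings) for this to match.
            return src.getHost().equalsIgnoreCase(request.getServerName())
                    && srcPort == request.getServerPort();
        } catch (URISyntaxException e) {
            return false; // malformed header: treat as cross-site
        }
    }

    private static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }
}
```

Register it with a WebMvcConfigurer's addInterceptors(); a synchronizer token (for example Spring Security's CSRF support) remains the stronger control, with this check as a secondary layer.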
Insecure HTTP methods enabled
Add the following to web.xml; for what it means in detail see http://www.cnblogs.com/xlyslr/p/5707995.html
<security-constraint>
    <web-resource-collection>
        <web-resource-name>fortune</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>
Session identifier not updated
// Whatever the framework, when a user logs in again the session and cookie identifiers must be renewed, otherwise this vulnerability appears.
// With the Shiro framework you can log the subject out on every visit to the login page; the next login then automatically gets a new session identifier.
@GetMapping({"/", "/login"})
String welcome(Model model) {
    SecurityUtils.getSubject().logout(); // invalidates the current session so the next login creates a fresh one
    return "login";
}
Cacheable login page found
// Add to the page header
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache,no-store">
Session cookie missing the HttpOnly attribute
// If you use the Shiro framework, HttpOnly is already set at the lower layer and this finding does not occur; otherwise it has to be set manually
Cookie cookie = new Cookie(name, value);
cookie.setPath("/");
cookie.setHttpOnly(true); // keeps the cookie out of reach of document.cookie in the browser
response.addCookie(cookie);
Autocomplete HTML attribute not disabled on the password field
// Add autocomplete and set it to "off" to disable smart filling
<input id="password" name="password" placeholder="请输入密码" type="password" autocomplete="off" required />
JSPWiki Edit.jsp path traversal
Vivvo CMS files.php
// In the interceptor, block requests that contain .php or .jsp
// StringUtils here is e.g. org.apache.commons.lang3.StringUtils (null-safe contains)
String fullurl = request.getHeader("Referer");
if (StringUtils.contains(fullurl, ".php") || StringUtils.contains(fullurl, ".jsp")) {
    request.getRequestDispatcher(request.getRequestURI()).forward(request, response);
    return false; // assumes this runs inside preHandle(); stop processing after the forward
}