1. Session identifier not updated
Solution: add the following code to the login page
    // Fix for the security finding "session identifier not updated" (session fixation)
    request.getSession().invalidate(); // discard the pre-login session
    Cookie[] cookies = request.getCookies(); // cookies sent by the browser with this request
    if (null != cookies && cookies.length > 0) {
        for (Cookie cookie : cookies) {
            cookie.setMaxAge(0); // expire the cookie
            // the path must match the one the container used, otherwise the browser keeps the old cookie
            cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            response.addCookie(cookie); // the expiry only takes effect once the cookie is written to the response
        }
    }
    request.getSession(true); // start a fresh session, with a new identifier, for the authenticated user
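Added example, not code from the original page or from the jeeplus project: a complete login servlet that applies the same idea, dropping the anonymous pre-login session and creating a fresh one only after the credentials have been accepted, so that a session identifier fixed by a third party before login never becomes an authenticated session. The class name LoginServlet, the credentialsValid placeholder, the request parameter names and the /index redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: rotate the session identifier when the user's privilege level changes (login).
public class LoginServlet extends HttpServlet {

    // Placeholder for the application's real credential check (assumed, not on the page).
    protected boolean credentialsValid(String username, String password) {
        return "demo".equals(username) && "demo-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username == null || password == null || !credentialsValid(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop the pre-login session so an identifier chosen before authentication cannot carry over.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // A new session gets a new identifier; the container writes the session cookie to the response.
        HttpSession session = request.getSession(true);
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(30 * 60); // idle timeout in seconds

        response.sendRedirect(request.getContextPath() + "/index");
    }
}
```

On Servlet 3.1 containers, request.changeSessionId() rotates the identifier while keeping the session's attributes, which is the better choice when state created before login (a shopping cart, an anti-CSRF token) has to survive the login.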
2. Cross-site request forgery
Solution: add the CSRFilter filter configuration to web.xml; CSRFilter is responsible for checking whether each incoming request meets the requirements.
    <!-- Fix for cross-site request forgery (CSRF) attacks -->
    <filter>
        <filter-name>CSRFilter</filter-name>
        <filter-class>com.jeeplus.common.filter.CSRFilter</filter-class>
        <init-param>
            <param-name>referer</param-name>
            <param-value>http://localhost,http://192.168.1.227</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Fix for cross-site request forgery (CSRF) attacks -->
package com.jeeplus.common.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CSRFilter implements Filter {
    // Allowed Referer prefixes, loaded from the "referer" init-param in web.xml
    private String[] verifyReferer = null;

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String referer = ((HttpServletRequest) request).getHeader("Referer");
        boolean b = false;
        for (String vReferer : verifyReferer) {
            // A request without a Referer header is let through (the original behaviour), so the
            // check only catches requests that carry a foreign Referer; the match is a plain prefix match.
            if (referer == null || referer.trim().startsWith(vReferer)) {
                b = true;
                chain.doFilter(request, response);
                break;
            }
        }
        if (!b) {
            System.out.println("疑似CSRF攻击,referer:" + referer);
            // Reject explicitly; without this the request would end with an empty 200 response
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String referer = filterConfig.getInitParameter("referer");
        this.verifyReferer = referer.split(",");
        // Trim so that spaces after the commas in web.xml do not break the prefix match
        for (int i = 0; i < verifyReferer.length; i++) {
            verifyReferer[i] = verifyReferer[i].trim();
        }
    }
}
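The filter above matches the Referer as a string prefix, so an allowed value such as http://localhost also matches any host name that merely begins with "localhost", and a request with no Referer at all is let through. Added example, not code from the page or from the jeeplus project: an OriginCheck class that normalises the header value to scheme://host:port with java.net.URI and compares it exactly, prefers the Origin header when the browser sends one, and exempts only the safe methods. The class and method names are assumptions; it accepts the same comma-separated list as the web.xml referer init-param above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example: origin check that compares scheme, host and port exactly instead of a string prefix.
public final class OriginCheck {

    private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "OPTIONS");

    private final Set<String> allowedOrigins = new HashSet<>();

    // Accepts the same comma-separated list as the "referer" init-param, e.g. "http://localhost,http://192.168.1.227".
    public OriginCheck(String commaSeparatedOrigins) {
        for (String s : commaSeparatedOrigins.split(",")) {
            String normalized = normalize(s.trim());
            if (normalized != null) {
                allowedOrigins.add(normalized);
            }
        }
    }

    // Reduce a URL to "scheme://host:port"; anything unparsable or without a host yields null.
    static String normalize(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) {
                return null;
            }
            int port = u.getPort();
            if (port == -1) {
                port = "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
            }
            return u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase() + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Decide whether a request may proceed.
     * @param method  HTTP method of the request
     * @param origin  value of the Origin header, or null when absent
     * @param referer value of the Referer header, or null when absent
     */
    public boolean isAllowed(String method, String origin, String referer) {
        // Safe methods must not change state, so they are not CSRF targets.
        if (SAFE_METHODS.contains(method.toUpperCase())) {
            return true;
        }
        // Browsers set Origin on cross-site POSTs; fall back to Referer for older clients.
        String source = origin != null ? origin : referer;
        if (source == null) {
            // Unlike the page's filter, a state-changing request with neither header is rejected.
            return false;
        }
        String normalized = normalize(source);
        return normalized != null && allowedOrigins.contains(normalized);
    }
}
```

Inside doFilter the call is isAllowed(request.getMethod(), request.getHeader("Origin"), request.getHeader("Referer")), answering 403 when it returns false. A browser that sends the literal value "null" as Origin (for example from a sandboxed frame) is rejected too, because "null" has no scheme or host and normalises to null.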
3. Flash parameter AllowScriptAccess is set to always
Risk: when AllowScriptAccess is always, an embedded third-party Flash file is allowed to execute script. An attacker can use this to embed an arbitrary third-party Flash file and run malicious code.
Solution: set the Flash parameter AllowScriptAccess to sameDomain. With "sameDomain", a Flash file can communicate with the HTML page that embeds it only when both come from the same domain.
4. Unsafe HTTP methods enabled
Solution: edit the web.xml of the web project or of the server and add a security constraint that disables the unnecessary HTTP methods.
    <!-- Fix for the security finding: unsafe HTTP methods enabled -->
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint></auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
5. Fixes for the missing X-Frame-Options header, the missing X-Content-Type-Options header, browser XSS protection not enabled, and similar findings
Solution: add the HttpHeaderSecurityFilter filter to web.xml and set the antiClickJackingOption parameter to SAMEORIGIN (same origin) to prevent clickjacking, as shown below:
    <!-- The X-Frame-Options header is not included in the HTTP response to prevent "ClickJacking" attacks -->
    <!-- Missing X-Frame-Options header -->
    <!-- Missing X-Content-Type-Options header -->
    <!-- Browser XSS protection not enabled, and similar findings -->
    <!-- begin -->
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>
            org.apache.catalina.filters.HttpHeaderSecurityFilter
        </filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- end -->
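Added example, not part of the page and not Tomcat's own code: a container-independent filter that covers items 4 and 5 together. It enforces an allowlist of HTTP methods (answering 405 for everything else, which also covers methods the web.xml denylist above does not name) and sets X-Frame-Options, X-Content-Type-Options and X-XSS-Protection on every response. The class name HardeningFilter and the allowedMethods init-param are assumptions. Note that denying OPTIONS, as the web.xml above does, also blocks CORS preflight requests, so the allowlist should name exactly the methods the application's clients actually use.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: rejects HTTP methods outside an allowlist and adds the response headers
// the findings above ask for. Works on any Servlet container, not only Tomcat.
public class HardeningFilter implements Filter {

    // Allowlist rather than denylist: unknown or non-standard methods are rejected as well.
    private final Set<String> allowedMethods = new HashSet<>(Arrays.asList("GET", "POST"));

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Optional init-param "allowedMethods", e.g. "GET,POST,HEAD" (assumed name, not on the page).
        String param = config.getInitParameter("allowedMethods");
        if (param != null && !param.trim().isEmpty()) {
            allowedMethods.clear();
            for (String m : param.split(",")) {
                allowedMethods.add(m.trim().toUpperCase());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!allowedMethods.contains(request.getMethod().toUpperCase())) {
            response.setHeader("Allow", String.join(", ", allowedMethods));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // Set the headers before the chain runs, so they are present even when a servlet commits the response early.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");      // anti-clickjacking, same policy as antiClickJackingOption above
        response.setHeader("X-Content-Type-Options", "nosniff");  // stop browsers from MIME-sniffing responses
        response.setHeader("X-XSS-Protection", "1; mode=block");  // legacy browser XSS filter; ignored by browsers that dropped it

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Map it with a filter-mapping on /* like the filters above. When Tomcat's HttpHeaderSecurityFilter is used instead, the two extra headers come from its blockContentTypeSniffingEnabled and xssProtectionEnabled init-params, so both filters are not needed at once.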
6. Password autocomplete
Solution: turn off password autofill by setting the "autocomplete" attribute to "off". On the login page, however, this setting disables the "remember password" function, so consider whether to apply it there.
7. Application errors
Problem: first, page parameters are not validated; second, the error page prints the error details. Parameter validation has not been resolved yet; the error page must not output the error details, only a generic message.