Web security problem records and solutions

Language 2023-07-22 21:53:30 views: null

1. The target site is detected to have javascript framework library vulnerabilities

Server authentication problem (Token)

When logging in, the interface returns the token as the login credentials for all interfaces, and the web side saves the token, generally using the cookie method. After checking the data, it is found that there are loopholes in this storage method.

mistake:

import Cookies from 'js-cookie'
export function getToken () {
  return Cookies.get(TokenKey)
}

export function setToken (token) {
  return Cookies.set(TokenKey, token)
}

export function removeToken () {
  return Cookies.remove(TokenKey)
}

Method:

Just delete the js-cookie and repackage it. As for the data on the page, the global query cookie is stored in localstroge .

// 存放数据
localStorage.setItem("key",value);
// 根据key获取数据
localStorage.getItem("key");
// 根据key删除数据
localStorage.removeItem("key");
// 清空localStorage
localStorage.clear();

The jquery version is too low

analyze:

Analysis of Web Security-JQuery Framework XSS Vulnerabilities

http://www.zztongyun.com/article/jQuery%E4%BB%A3%E7%A0%81

https://jiuaidu.com/jianzhan/774195/

Check out the vulnerable jQuery version at the link below:

http://research.insecurelabs.org/jquery/test/

View vulnerability details through the following links:

https://bugs.jquery.com/ticket/11290

Solution:

To update to the latest version, follow the steps below:

1) Upgrade version:

In fact, this is the best and easiest way to fix it. Since some methods of the old version may have been abandoned in the new version, jquery-migrate needs to be introduced for compatibility. The official provides two kinds of jquery-migrate, please refer to the official website

Update pre-1.9 jQuery code to jQuery 1.9 to 3.0. You can get that version here:

Download the compressed, production jQuery Migrate 1.4.1

Download the uncompressed, development jQuery Migrate 1.4.1

After using Migrate1.x and upgrading to jQuery1.9 or later, the second version will help you update your code to run on jQuery3.0 or later:

Download the compressed, production jQuery Migrate 3.4.0

Download the uncompressed, development jQuery Migrate 3.4.0

project

<script src="/js/jquery-3.6.3.min.js"></script>//最新版本代替旧版本
<script src="/js/jquery-migrate-3.4.0.min.js"></script>//帮助更新版本的migrate

2) Hide the version number

This method is actually very tricky, which is to make the scanner unable to recognize the js version number. The operation method is to delete the comment with the version number in the header of the jquery file, and delete the version number in the file. If you don't want to delete it, you can change it to the latest version number: 3.5.1

3) Rewrite the js method

Rewrite some methods, or replace the corresponding methods of the lower version with the higher version

Guess you like

Origin blog.csdn.net/weixin_51258044/article/details/128883382
Recommended
Ranking
#2019110700005
What materials and procedures are required for patent transfer
What is the blockchain Ethereum triplet state root transaction root receipt root
Front-end study notes 04 --- About the insertion of html pictures and videos
Documents required for the filing of WeChat Mini Programs in special industries, the filing process of WeChat Mini Programs in special industries, how to file WeChat Mini Programs in special industries
2017 Qingdao-site tournament I The Squared Mosquito Coil
[BZOJ3165][HEOI2013]Segment (line segment tree without marking)
Kettle series: KettleEasyExpand, an open source Kettle universal plugin by Ma Jinju
The latest tutorial on making framework for iOS
DAX Section 6: Statistical Functions
Daily
More
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)

Code World

© 2018 codetd.com