Common vulnerabilities in web projects

Missing X-Content-Type-Options target response header detected

The X-Content-Type-Options HTTP message header is a marker that the server uses to tell the client to follow the MIME type declared in the Content-Type header and not to alter it. This disables client-side MIME type sniffing. In other words, the site administrator is asserting that its Content-Type settings are correct.

solution

The fix for this finding is to stop the browser from sniffing MIME types. When the MIME type is missing, the browser infers it by inspecting the resource itself, and that behaviour can have security consequences. So set the MIME type explicitly wherever possible, and then disable MIME sniffing.

  1. Set the response header
  2. Add an X-Content-Type-Options field and set its value to nosniff
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Tell the browser to trust the declared Content-Type and never sniff the body
    response.addHeader("X-Content-Type-Options", "nosniff");
    filterChain.doFilter(request, response);
}

Missing X-XSS-Protection target response header detected

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that makes the browser stop loading a page when a cross-site scripting (XSS) attack is detected.

solution

Defending against XSS actually requires changes in many places, which we will not go into here.

  1. As a first, basic line of defence, enable the browser's XSS filter.
    • Configuration values
      • 0: disable XSS filtering
      • 1: enable XSS filtering
      • mode=block: when an attack is detected, the browser blocks rendering of the page instead of sanitizing the XSS content out of it
      • report=<reporting-url>: Chrome only; when an attack is detected, the event is reported to the given URL
  2. Set the response header
  3. Add an X-XSS-Protection field and set it to 1; mode=block
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Legacy defence: current Chromium-based browsers have removed the XSS auditor,
    // so this header only helps older clients and does not replace output encoding
    response.addHeader("X-XSS-Protection", "1; mode=block");
    filterChain.doFilter(request, response);
}

Missing Content-Security-Policy target response header detected

The Content-Security-Policy HTTP response header lets site administrators control which resources the user agent is allowed to load for a given page. With a few exceptions, a policy mostly consists of specifying the server origins and script endpoints that are permitted.

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // Only same-origin resources may be loaded; note the closing quote on 'self',
    // which the original snippet was missing (an unbalanced quote makes the policy invalid)
    response.addHeader("Content-Security-Policy", "default-src 'self'");
    filterChain.doFilter(request, response);
}
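As an added example (not code from the original post), one filter that applies all three headers from the sections above, with a per-request nonce so the CSP can permit the site's own inline scripts without resorting to 'unsafe-inline'. The class name, the javax.servlet API and the cspNonce request attribute read by the view layer are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; sets the three headers discussed above in one place.
public class SecurityHeadersFilter implements Filter {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Per-request policy: scripts run only if they carry this request's nonce.
    static String buildCsp(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "object-src 'none'; base-uri 'self'";
    }

    // 128 random bits, base64-encoded, which is a valid CSP nonce value.
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String nonce = newNonce();
        // Assumed contract: templates emit <script nonce="${cspNonce}"> for inline scripts.
        request.setAttribute("cspNonce", nonce);

        // setHeader (not addHeader) so a filter that runs twice cannot emit duplicates.
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-XSS-Protection", "1; mode=block");
        response.setHeader("Content-Security-Policy", buildCsp(nonce));

        filterChain.doFilter(request, response);
    }
}
```

Register the filter before any view rendering so the nonce attribute is present when templates execute.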

An HTTP host header attack vulnerability was detected in the target URL.

To obtain the website's domain name conveniently, developers generally rely on the HTTP Host header. However, this header is not trustworthy: if the application does not validate the Host header value, an attacker-supplied value flows straight into the application code.

solution

This is handled at the host level of the web project: the domain names that may be used to reach the application are specified by configuring a whitelist.

  1. Set up an interceptor and read the Host field of the request header
  2. Configure the interceptor's whitelist
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    // The Host header arrives on the request, not the response
    String host = request.getHeader("Host");
    if (!checkWhiteList(host)) {
        response.setStatus(HttpStatus.FORBIDDEN.value());
        return;
    }
    filterChain.doFilter(request, response);
}

// Whitelist pattern (requires java.util.regex.Pattern). Dots are escaped and the whole
// value must match, so "127.0.0.1.attacker.example" is rejected; an optional :port is allowed.
private static final Pattern WHITE_LIST =
        Pattern.compile("(localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0)(:\\d+)?", Pattern.CASE_INSENSITIVE);

private boolean checkWhiteList(String host) {
    return host != null && WHITE_LIST.matcher(host).matches();
}
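Added example, not the post's code: a whitelist check that normalises the Host value first (port stripped, name lower-cased, IPv6 literal kept intact) and then requires an exact match against a configured set, so a value that merely contains an allowed name never passes. The class name is hypothetical.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical helper: normalises the Host header before comparing it with the whitelist.
public final class HostAllowlist {

    private final Set<String> allowedHosts;   // lower-case host names, no port

    public HostAllowlist(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    // Strips an optional port ("example.com:8443", "[::1]:8080") and lower-cases the name.
    // Returns null for anything that cannot be a host, so the caller rejects it.
    static String normalize(String hostHeader) {
        if (hostHeader == null) return null;
        String host = hostHeader.trim();
        if (host.startsWith("[")) {                 // bracketed IPv6 literal
            int end = host.indexOf(']');
            if (end < 0) return null;
            host = host.substring(0, end + 1);
        } else {
            int colon = host.indexOf(':');
            if (colon >= 0) host = host.substring(0, colon);
        }
        if (host.isEmpty()) return null;
        return host.toLowerCase(Locale.ROOT);
    }

    // Exact match only: "127.0.0.1.attacker.example" must not pass for "127.0.0.1".
    // Behind a reverse proxy, rely on the proxy to overwrite Host; do not read
    // X-Forwarded-Host here unless the proxy is known to set it on every request.
    public boolean isAllowed(String hostHeader) {
        String host = normalize(hostHeader);
        return host != null && allowedHosts.contains(host);
    }

    // Example wiring for the filter above (constructed values).
    public static boolean requestHostAllowed(String hostHeader) {
        HostAllowlist allowlist = new HostAllowlist(Set.of("localhost", "127.0.0.1", "[::1]"));
        return allowlist.isAllowed(hostHeader);   // "LOCALHOST:8080" -> true, "localhost.evil" -> false
    }
}
```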

It was detected that the target URL has an insecure HTTP method enabled.

It was detected that the target web server is configured to allow one (or more) of the following HTTP methods: DELETE, SEARCH, COPY, MOVE, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK. These methods indicate that WebDAV may be enabled on the server. Since the DAV methods allow a client to manipulate files on the server, a misconfigured DAV setup may allow unauthorized users to modify files on the server.

solution

Configure which request methods are accepted. Generally the two methods GET and POST are enough; if there are other requirements, add them.

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    if (!isAllowMethod(request)) {
        // The post answers disallowed methods with 404; 405 Method Not Allowed is the
        // conventional status if you would rather not hide the endpoint
        response.setStatus(HttpStatus.NOT_FOUND.value());
        return;
    }
    filterChain.doFilter(request, response);
}

// Only GET and POST pass; everything else (including the WebDAV verbs above) is rejected
private boolean isAllowMethod(HttpServletRequest request) {
    String method = request.getMethod();
    return HttpMethod.GET.toString().equals(method) || HttpMethod.POST.toString().equals(method);
}

A possible slow HTTP denial of service attack on the target host has been detected

A slow HTTP denial-of-service attack is an application-layer denial-of-service attack aimed specifically at the web tier. The attacker controls compromised machines on the network and floods the target web server with HTTP requests until the server's bandwidth is saturated, causing a denial of service.

solution

Such problems are generally addressed from two directions:

  1. Limit the number of concurrent connections
  2. Set a request timeout
# Milliseconds the connector waits for the request line and headers
# (Spring Boot 2.3 replaced this key with server.tomcat.connection-timeout)
server.connection-timeout=5000
# Upper bound on connections the server will accept and process at any time
server.tomcat.max-connections=10000
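The same two limits expressed programmatically, as an added example that is not from the original post: a Spring Boot customizer that sets Tomcat connector attributes, including the thread and accept-queue caps that matter because a slow request holds a connection and a worker thread open rather than consuming bandwidth. The class name and the numeric values are illustrative assumptions.

```java
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class; the attribute names are Tomcat HTTP connector attributes.
@Configuration
public class SlowRequestProtectionConfig {

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatLimits() {
        return factory -> factory.addConnectorCustomizers((TomcatConnectorCustomizer) connector -> {
            // Time allowed to receive the request line and headers after the socket opens;
            // a client that trickles headers slower than this is disconnected
            connector.setProperty("connectionTimeout", "5000");
            // Same bound as server.tomcat.max-connections in the properties above
            connector.setProperty("maxConnections", "10000");
            // Idle time between keep-alive requests, and requests per connection,
            // so one client cannot park a connection indefinitely
            connector.setProperty("keepAliveTimeout", "5000");
            connector.setProperty("maxKeepAliveRequests", "100");
            // Worker threads; further connections queue until acceptCount is exceeded
            connector.setProperty("maxThreads", "200");
            connector.setProperty("acceptCount", "100");
        });
    }
}
```

Tune the values to the host's capacity; what matters for slow-request attacks is that every per-connection wait has a finite timeout.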

Clickjacking: X-Frame-Options not configured

Clickjacking is a form of visual deception. The attacker covers a web page with a transparent, invisible iframe and then lures the user into interacting with the visible page; the user's clicks actually land on the transparent iframe without the user noticing. By positioning the iframe carefully, the attacker can induce users to click functional buttons in the framed page.

  1. Add the X-Frame-Options response header
    • DENY: the page cannot be embedded
    • SAMEORIGIN: the page can only be embedded by this site
    • ALLOW-FROM: specify the sites that may embed the page
  2. Set the response header
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    //response.addHeader("X-Frame-Options", "DENY");
    //response.addHeader("X-Frame-Options", "SAMEORIGIN");
    // ALLOW-FROM takes a bare origin, not a quoted one; it is also no longer honoured by
    // current browsers, which treat an unrecognised value as if the header were absent
    response.addHeader("X-Frame-Options", "ALLOW-FROM http://localhost:9080");
    filterChain.doFilter(request, response);
}
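Added example, not from the original post: because current browsers do not honour ALLOW-FROM, a filter that sends X-Frame-Options for legacy browsers and the Content-Security-Policy frame-ancestors directive, which does support an explicit list of embedding origins, for everything else. The class name and the partner origin are constructed.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: X-Frame-Options for old browsers, CSP frame-ancestors for current ones.
public class FrameProtectionFilter implements Filter {

    // Origins permitted to embed this site (constructed example value; empty means nobody).
    private final Set<String> allowedFramers = Set.of("https://partner.example");

    // Builds "frame-ancestors 'self' <origin>..."; browsers that understand this directive
    // ignore X-Frame-Options, so the CSP value is the one that actually enforces the list.
    static String frameAncestors(Set<String> origins) {
        StringBuilder sb = new StringBuilder("frame-ancestors 'self'");
        for (String origin : origins) sb.append(' ').append(origin);
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (allowedFramers.isEmpty()) {
            response.setHeader("X-Frame-Options", "DENY");
            response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
        } else {
            // X-Frame-Options cannot express a list; SAMEORIGIN is the closest legacy fallback.
            response.setHeader("X-Frame-Options", "SAMEORIGIN");
            response.setHeader("Content-Security-Policy", frameAncestors(allowedFramers));
        }
        chain.doFilter(request, response);
    }
}
```

Browsers enforce every Content-Security-Policy header they receive, so this can coexist with a policy set elsewhere, though merging the directives into one header is easier to audit.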

Source: blog.csdn.net/qq_42700109/article/details/131275338