qileilove

This blog has moved to GitHub; please visit http://qaseven.github.io/

Fixing AppScan security findings

 1. Session identifier not updated: add the following code to the login page
  // Drop the pre-login session, expire its cookie in the browser, then start a fresh session.
  HttpSession old = request.getSession(false);     // the existing session, if any
  if (old != null) old.invalidate();                // clear the session
  Cookie cookie = new Cookie("JSESSIONID", "");     // the container's session cookie (Tomcat's default name)
  cookie.setMaxAge(0);                              // let the cookie expire
  cookie.setPath(request.getContextPath() + "/");   // path must match the original cookie or the browser keeps it
  response.addCookie(cookie);                       // setMaxAge() alone changes nothing unless the cookie is sent back
  request.getSession(true);                         // new session id for the authenticated user
  I don't really understand how sessions work; if an expert passes by, please give me some pointers.
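As an added example (not the post's own code), the following helper performs the complete rotation the snippet above aims at: it invalidates the pre-login session, carries its attributes over so that only the id changes, expires the old cookie, and returns the fresh session. It assumes the Servlet 3.x API and Tomcat's default cookie name JSESSIONID; the class and method names are chosen here.

```java
// Added example: rotate the session id at login so that any id the browser held
// before authentication stops being valid. Assumes Servlet 3.x and the Tomcat
// default cookie name "JSESSIONID" (adjust if the container is configured differently).
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class SessionRotation {

    private SessionRotation() {}

    /** Invalidate the current session, expire its cookie and return a new session with the same attributes. */
    public static HttpSession rotate(HttpServletRequest request, HttpServletResponse response) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Keep application state (e.g. a shopping cart); only the identifier must change.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // Ask the browser to forget the old cookie. setMaxAge(0) only takes effect
        // when the cookie is actually added to the response.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        String contextPath = request.getContextPath();
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setHttpOnly(true);
        response.addCookie(expired);

        // The container issues a new id and a new Set-Cookie header for it.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /** Typical call site: inside the login servlet, after the credentials have been verified. */
    public static void onSuccessfulLogin(HttpServletRequest request,
                                         HttpServletResponse response,
                                         String userName) {
        HttpSession session = rotate(request, response);
        session.setAttribute("user", userName);
    }
}
```

On Servlet 3.1 or later the same goal is reached with `request.changeSessionId()`, which keeps the session object and only replaces its identifier; the manual version above is what older containers need.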
  2. Cross-site request forgery:
  Add a sessionId parameter to the URL that AppScan flagged.
  response.getWriter().write("<script>parent.location.href='dbase/admin/loginJsp.action?sessionId=" + sessionId + "'</script>");
  If passing it as a URL parameter raises an SSL error, send the value with a POST instead:
response.getWriter().write(
  "<script language=\"javascript\"> " +
  "document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");" +
  "document.write(\"<input type=hidden name=name value='" + sessionId + "'>\");" +   // closing '>' of the input tag was missing
  "document.write(\"</form>\");" +
  "document.formx1.submit();" +
  "</script>"
);
  3. Insecure HTTP methods enabled
  Edit the web.xml of the web project or of the server and add a security constraint that disables the HTTP methods that are not needed. An empty <auth-constraint> means no role is allowed, so the listed methods are refused for everyone:
<security-constraint>
<web-resource-collection>
<web-resource-name>Disabled HTTP methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
  4. Unencrypted login request
  Configure SSL; for details see http://serisboy.iteye.com/admin/blogs/1320231
  Then add the following to web.xml (the closing tag was misspelled as </transportguarantee> in the original):
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
  5. SSL pages are cacheable
  In the page (the attribute is content, not contect):
  <meta http-equiv="Pragma" content="no-cache">
  Or in the response:
  response.setHeader("Pragma", "No-cache");
  6. Directory listing
  Deny directory listings in the configuration.
  In conf/web.xml:
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
  Set the value of listings to false.
  Or add the servlet above to the WEB-INF/web.xml of your own web application, change its servlet-name to something else, and add a servlet-mapping (the original was missing the closing </servlet-mapping> tag):
<servlet>
<servlet-name>default1</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>default1</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>

Posted on 2014-08-18 10:11 by 顺其自然EVO. Categories: Testing study column, Security testing
