Common Security Vulnerabilities

Author: 浩哥有话说 | Published 2019-03-08 13:10
1. [11367] Insecure Transport: Insufficient HSTS Expiration Time

1.1 Enable HttpHeaderSecurityFilter in Tomcat's web.xml and set hstsEnabled and hstsMaxAgeSeconds. 31536000 seconds is one year, the value scanners commonly expect; the shorter value that triggered the finding simply gives an attacker a window after the last visit in which a plain-HTTP request is still possible. Note that the filter only emits Strict-Transport-Security on requests Tomcat considers secure (request.isSecure()); behind a TLS-terminating proxy you also need RemoteIpValve or RemoteIpFilter (or secure="true" on the connector), otherwise the header is never sent and the finding stays open.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <!-- X-Frame-Options (see section 8); SAMEORIGIN lets only the application itself frame its pages -->
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <!-- Strict-Transport-Security; only added to requests Tomcat sees as secure -->
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- max-age of one year (31536000 s) -->
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
2. [11307, 11308] Web Server Misconfiguration: Insecure Content-Type Setting

2.1 Set the response Content-Type explicitly in the back-end code, including the charset, and do so before the first call to getWriter(): once the writer has been obtained the character encoding can no longer be changed. With HttpHeaderSecurityFilter enabled as in section 1, Tomcat also sends X-Content-Type-Options: nosniff by default (blockContentTypeSniffingEnabled), so browsers will not guess a different type from the body.

response.setContentType("application/json;charset=utf-8");
3. [11306] Cache Management: Insecure Policy

3.1 Enable ExpiresFilter in Tomcat's web.xml. The filter adds an Expires header and a Cache-Control max-age directive for the listed content types, which gives the application an explicit cache policy instead of leaving it to browser and proxy defaults. Keep the rules limited to static assets (images, CSS, JavaScript): responses that carry session data or personal information should instead be sent with Cache-Control: no-store by the application.

    <filter>
        <filter-name>ExpiresFilter</filter-name>
        <filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
        <!-- "ExpiresByType image" matches every image/* type; "access plus 30 minutes"
             yields Expires and Cache-Control: max-age=1800 relative to the request time -->
        <init-param>
            <param-name>ExpiresByType image</param-name>
            <param-value>access plus 30 minutes</param-value>
        </init-param>
        <init-param>
            <param-name>ExpiresByType text/css</param-name>
            <param-value>access plus 30 minutes</param-value>
        </init-param>
        <init-param>
            <param-name>ExpiresByType application/javascript</param-name>
            <param-value>access plus 30 minutes</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>ExpiresFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
4. [10543] Cookie Security: HTTPOnly not Set; Cookie not Sent Over SSL

4.1 Add the secure attribute to cookie-config in the application's web.xml. This covers the container-managed session cookie (JSESSIONID); the same element also accepts http-only, which is the portable way to get what step 4.2 does in context.xml.

<session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
                <secure>true</secure>
        </cookie-config>
</session-config>

4.2 Set useHttpOnly="true" on the Context in Tomcat's context.xml (this step can be skipped, because useHttpOnly has defaulted to true since Tomcat 7).

<Context useHttpOnly="true">

4.3 Set the secure and httpOnly attributes on cookies created in back-end code

Cookie cookie = new Cookie("cloud_session_id", "cloud_cookie_132131");
cookie.setMaxAge(-1);          // session cookie, not persisted (see section 11)
cookie.setPath("/");
if (request.isSecure()) {      // the request arrived over TLS
    // Behind a TLS-terminating proxy isSecure() is false unless RemoteIpValve/RemoteIpFilter
    // is configured, and the Secure flag is then silently dropped.
    cookie.setSecure(true);
}
cookie.setHttpOnly(true);      // not readable from JavaScript (Servlet 3.0 and later)
response.addCookie(cookie);
5. [11516] Insecure Transport: Weak SSL Protocol

5.1 Upgrade the connector to TLSv1.2 (and TLSv1.3 where the JVM supports it) and disable SSLv3, TLSv1.0 and TLSv1.1. On a Tomcat JSSE connector this is the sslEnabledProtocols attribute; on Tomcat 8.5 and later it is the protocols attribute of the connector's SSLHostConfig. Remove weak cipher suites (RC4, 3DES, export and anonymous suites) from the ciphers list at the same time, and confirm the result with a TLS scanner such as testssl.sh or nmap's ssl-enum-ciphers script rather than trusting the configuration file alone.

6. [11501] HTTP Verb Tampering

6.1 Add a security constraint to the application's web.xml. An empty auth-constraint means no role is allowed, so Tomcat answers 403 for the listed methods on every URL. Two caveats: this is a blacklist, so a verb that is not listed (including an invented one) still reaches the application; and denying OPTIONS breaks CORS preflight if the application depends on it. TRACE is already refused by Tomcat's connector by default (allowTrace="false"), so listing it here is belt and braces.

  <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>PATCH</http-method>
        </web-resource-collection>
        <auth-constraint></auth-constraint>
  </security-constraint>
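A whitelist filter that complements the constraint above, added here as an example and not part of the original post. Where the security-constraint lists the verbs to deny, this filter rejects everything except the verbs the application actually serves, so an unlisted or made-up method (a typical verb-tampering probe) cannot slip past the blacklist. It assumes the javax.servlet API (Tomcat 9 and earlier); the allowedMethods init-param name and the GET,POST default are this example's own choices.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects every HTTP method that is not explicitly allowed, answering 405 with an Allow header. */
public class HttpMethodWhitelistFilter implements Filter {
    private Set<String> allowed;

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param "allowedMethods", e.g. "GET,POST"; defaults to GET and POST.
        String param = config.getInitParameter("allowedMethods");
        allowed = new TreeSet<>();
        for (String m : (param == null ? "GET,POST" : param).split(",")) {
            if (!m.trim().isEmpty()) {
                allowed.add(m.trim().toUpperCase(Locale.ROOT));
            }
        }
    }

    /** Method names are case-sensitive in HTTP, so "get" is deliberately not the same as "GET". */
    boolean isAllowed(String method) {
        return method != null && allowed.contains(method);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request.getMethod())) {
            // 405 is the status RFC 7231 defines for this case; the Allow header tells
            // legitimate clients which verbs do work, without echoing anything from the request.
            response.setHeader("Allow", String.join(", ", allowed));
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register it in web.xml with a filter and filter-mapping for /* like the filters in the earlier sections, and declare it before the others so that rejected verbs never reach them. If the application answers CORS preflight requests, add OPTIONS to allowedMethods; the filter is a whitelist, so anything left out is refused.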
7. [11380, 4725] Often Misused: Weak SSL Certificate; SSL Certificate Hostname Discrepancy

7.1 Replace the certificate with one issued by a trusted CA: signed with SHA-256, with an RSA key of at least 2048 bits (or an ECDSA key), and with a Subject Alternative Name entry for every hostname clients use to reach the server. Modern browsers match the hostname against the SAN list and ignore the Common Name, which is the usual cause of the hostname-discrepancy finding.

8. [11294] Cross-Frame Scripting

8.1 Enable HttpHeaderSecurityFilter in Tomcat's web.xml and set antiClickJackingEnabled and antiClickJackingOption. This makes Tomcat send X-Frame-Options on every response: SAMEORIGIN allows only pages from the same origin to frame the application, DENY forbids framing altogether and is the better choice when nothing needs to embed the application. It is the same filter as in section 1, so one filter definition carries both the HSTS and the anti-clickjacking settings.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <!-- emits X-Frame-Options; the HSTS parameters from section 1 belong in this same filter -->
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
9. [10963] Cross-Site Request Forgery

9.1 Have the back end generate a csrfToken bound to the user's session and require the front end to send it with every state-changing AJAX request (for example in a custom request header). The server rejects any such request whose token is missing or does not match the session's token; a forged cross-site request cannot read the token, so it cannot supply it.

10. [10241] Flash Misconfiguration: Overly Permissive Cross-Domain Policy

10.1 In crossdomain.xml, do not grant every origin access with a "*" wildcard in allow-access-from; restrict the domain attribute to the exact hosts that need to call the service, e.g. domain="127.0.0.1" as in the original (use the real hostname in production). If no Flash client needs the service at all, remove the file entirely.

11. [4728] Cookie Security: Persistent Cookie

11.1 When creating the cookie, set maxAge to -1 so that it is not persisted: a negative value makes it a session cookie that the browser keeps only in memory and discards when it closes. (A value of 0 deletes the cookie; a positive value writes it to disk for that many seconds, which is what the finding objects to for session identifiers.)

Cookie cookie = new Cookie("cloud_session_id", "cloud_cookie_132131");
cookie.setMaxAge(-1); // negative: session cookie, kept only in browser memory

Source: https://www.haomeiwen.com/subject/wiphuqtx.html