Life seldom offers a chance to fight; if not now, when? This article mainly covers solutions for the vulnerabilities AppScan reports, Java edition, and hopes to be of help to you.
1. Session identifier not updated: add the following code to the login page:

    // Clear the session
    request.getSession(true).invalidate();
    // Get the cookies (getCookies() returns null when the request carries none)
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            // Expire the cookie; it only reaches the browser if it is added to the response,
            // and the Path must match the cookie being expired (the container's session cookie
            // uses the context path)
            cookie.setMaxAge(0);
            cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            response.addCookie(cookie);
        }
    }
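As an added example (not code from the original post), here is a portable way to do the step the snippet above leaves out: issue a fresh session ID the moment the user is authenticated, while keeping the attributes the pre-login session held. The class name and the `authenticatedUser` attribute name are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the original post's code: rotate the session identifier
 * on login so the ID the browser held before authentication is never
 * accepted as an authenticated session (the "session identifier not updated" finding).
 */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Returns a session with a new ID that still carries the attributes of the
     * pre-login session (for example a CSRF token or a return URL).
     * On Servlet 3.1+ containers request.changeSessionId() does the same in one
     * call; the invalidate-and-recreate form below works on any container.
     */
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true);
        }
        // Copy the attributes worth keeping before the old session is destroyed
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        // The container writes a new Set-Cookie for the fresh ID, so no manual
        // cookie expiry is needed here
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /** Typical use in a login handler, called only after the credentials were verified. */
    public static void onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession session = renewSession(request);
        // Attribute name is an assumption for this example
        session.setAttribute("authenticatedUser", userId);
    }
}
```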
2. Cross-site request forgery (CSRF):

    response.getWriter().write(
        "<script>parent.location.href='dbase/admin/loginJsp.action?sessionId=" + sessionId + "'</script>");

With parameters:

    response.getWriter().write("<script language=\"javascript\">"
        + "document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");"
        + "document.write(\"<input type=hidden name=name value='" + sessionId + "'>\");"
        + "document.write(\"</form>\");"
        + "document.formx1.submit();"
        + "</script>");

This only helps if the server-side action compares the submitted value with the one stored in the current session; sessionId is written into the page without escaping, so it must be a server-generated value, never user input.
3. Insecure HTTP methods enabled
Add the following configuration to web.xml:

    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is required by the schema; the name itself is arbitrary -->
            <web-resource-name>restricted-methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <!-- An empty auth-constraint grants no role access, so these methods are refused -->
        <auth-constraint></auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
4. Unencrypted login request

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <!-- CONFIDENTIAL makes the container redirect plain HTTP requests to HTTPS -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
5. Cacheable SSL page
Add the following to the page (the attribute is content, not contect):

    <meta http-equiv="Pragma" content="no-cache">
6. Missing HttpOnly attribute on the session cookie

    response.addHeader("Set-Cookie", "uid=110; Path=/; HttpOnly");

    // Set multiple cookies
    response.addHeader("Set-Cookie", "uid=110; Path=/; HttpOnly");
    response.addHeader("Set-Cookie", "timeout=30; Path=/test; HttpOnly");

    // Set a cookie for HTTPS (Secure keeps the browser from sending it over plain HTTP)
    response.addHeader("Set-Cookie", "uid=110; Path=/; Secure; HttpOnly");
// The CSDN blog has more details on AppScan scan reports and fixes: http://blog.csdn.net/huoyunshen88/article/details/39181107