会话标识未更新
严重性: 中
CVSS 分数: 6.4
URL: http://127.0.0.1/test/j_unieap_security_check.do
实体: j_unieap_security_check.do (Page)
风险: 可能会窃取或操纵客户会话和 cookie,它们可能用于模仿合法用户,从而使黑客能够以该用户身份查看或变更用户记录以及执行事务
原因: Web 应用程序编程或配置不安全
固定值: 登录之后更改会话标识符值
推理: 测试结果似乎指示存在脆弱性,因为“原始请求”和“响应”中的会话标识相同。这些标识应该已在响应中更新。
登录验证前更新 session
package com.neusoft.education.mepec.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.neusoft.unieap.config.SystemConfig;
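/**
 * Servlet filter that rotates the HTTP session identifier before the request
 * reaches the login handler, as a countermeasure against session fixation.
 *
 * <p>The attributes of the existing session are carried over into a fresh
 * session with a new id, so that an id a client held before authentication is
 * not the id that becomes authenticated. The filter is meant to be mapped (in
 * the deployment descriptor) to the login URL only: mapped to every request it
 * would invalidate the session on each hit and break concurrent requests from
 * the same client.
 *
 * <p>On containers implementing Servlet 3.1 or later,
 * {@code HttpServletRequest#changeSessionId()} achieves the same without
 * copying attributes; the copy done here works on older API levels.
 */
public class NewSessionFilter implements Filter {

    private final Log log = LogFactory.getLog(SystemConfig.logCatagroy);

    public NewSessionFilter() {
        log.debug("NewSessionFilter");
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        log.info("NewSessionFilter init");
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Renews the session of an HTTP request and passes the request down the chain.
     *
     * @param request  the incoming request; non-HTTP requests are passed through untouched
     * @param response the response, passed through untouched
     * @param chain    the remaining filter chain, always invoked
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            renewSession((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    /**
     * Replaces the request's current session, if it has one, with a new session
     * carrying the same attributes.
     *
     * @param httpRequest the request whose session is rotated
     */
    private void renewSession(HttpServletRequest httpRequest) {
        // getSession(false) never creates a session, so a client without one is left
        // alone; the unconditional getSession() used before always created one, which
        // made the null check moot and allocated a session for every request.
        HttpSession session = httpRequest.getSession(false);
        if (session == null || session.isNew()) {
            // A session created during this request has an id the client has never
            // seen, so there is nothing an attacker could have fixed.
            return;
        }

        // Snapshot the attributes before touching the session: the Servlet spec does
        // not promise that getAttributeNames() tolerates removal while enumerating.
        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attributes.put(name, session.getAttribute(name));
        }

        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // A concurrent request on the same session may have invalidated it first;
            // a fresh session is created below either way.
            log.debug("session already invalidated before rotation", alreadyInvalid);
        }
        HttpSession renewed = httpRequest.getSession(true);
        // Session ids are bearer credentials; record the rotation without writing
        // the old or new id into the log.
        log.debug("session id rotated before login, " + attributes.size() + " attribute(s) carried over");

        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            renewed.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}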