跨站点请求伪造
严重性: 中
CVSS 分数: 6.4
URL: http://127.0.0.1/test/enterapp.do
实体: enterapp.do (Page)
风险: 可能会窃取或操纵客户会话和 cookie,它们可能用于模仿合法用户,从而使黑客能够以该用户身份查
看或变更用户记录以及执行事务
原因: 应用程序使用的认证方法不充分
固定值: 验证“Referer”头的值,并对每个提交的表单使用 one-time-nonce
CSRFilter.java
package com.neusoft.education.mepec.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class CSRFilter implements Filter {
private String[] verifyReferer = null;
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
String referer = ((HttpServletRequest)request).getHeader("Referer");
boolean b = false;
for(String vReferer : verifyReferer){
if(referer==null || referer.trim().startsWith(vReferer)){
b = true;
chain.doFilter(request, response);
break;
}
}
if(!b){
System.out.println("疑似CSRF攻击,referer:"+referer);
}
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
String referer = filterConfig.getInitParameter("referer");
this.verifyReferer = referer.split(",");
}
}
web.xml
<filter>
<filter-name>CSRFilter</filter-name>
<filter-class>com.neusoft.streamone.framework.web.defense.CSRFilter</filter-class>
<init-param>
<param-name>referer</param-name>
<param-value>http://localhost,http://127.0.0.1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CSRFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>