SQL 盲注
这次运用 sql转义字符来处理了
也可以直接拦截后返回
“Content-Security-Policy”头缺失或不安全
过滤器中Header
HttpServletResponse res = (HttpServletResponse)args1;
res.setHeader("Content-Security-Policy", "script-src * 'unsafe-inline' 'unsafe-eval';frame-ancestors 'self'; object-src 'self'");
“X-Content-Type-Options”头缺失或不安全
res.addHeader("X-XSS-Protection", "X-XSS-Protection: 1; mode=block");
“X-XSS-Protection”报头缺失或不安全
res.addHeader("X-Content-Type-Options", "X-Content-Type-Options: nosniff");
查询中接受的主体参数
@RequestMapping(value = "/aaaaa", method = RequestMethod.POST)
@RequestMapping(value = "/bbbbb", method = RequestMethod.POST