1. Scanner finding: the target Redis instance allows unauthenticated access
Fix:
Add redis.password=123456 to config.properties in the project (123456 is the value used here as a placeholder; in production use a long random secret, since requirepass is a single shared password that can be brute-forced over the network)
Configure the same password in applicationContext_redis.xml
Edit the Redis configuration file redis.conf under src and add the directive requirepass 123456
Restart Redis, then restart the project
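The exposed configuration next to a hardened one, as an added example (this is not the project's redis.conf; the bind address, the placeholder secret and the renamed commands are assumptions):

```conf
# Added example, not the project's redis.conf.

# --- what the scanner found: no password, reachable from any interface ---
# bind 0.0.0.0
# protected-mode no
# (no requirepass line)

# --- hardened ---
# Only accept connections from the application host. If the application runs on
# another machine, bind to the private interface address instead of loopback.
bind 127.0.0.1
protected-mode yes
# Replace the placeholder with a long random value, e.g. the output of
# "openssl rand -base64 32", and put the same value in redis.password in config.properties.
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
# Disable commands the application never issues; an attacker who reaches the
# port with the password can otherwise wipe data or rewrite the config.
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""

# Check after restarting: an unauthenticated "redis-cli -h <host> PING" must answer
# "(error) NOAUTH Authentication required." (or the connection must be refused
# when the port is no longer bound on that interface), never "PONG".
```

Redis does not accept trailing comments on a directive line, so every comment above is on its own line.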
2. Scanner finding: the target URL discloses an internal IP address (not fixed for a project that is not configured to be accessed through a domain name)
Fix:
The project is deployed in Tomcat, so the change is made directly in Tomcat's server.xml.
The original configuration should look like this:
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<!-- ... -->
</Host>
</Engine>
Change it to the following (your.actual.domain stands for the domain the project is served under):
<Engine name="Catalina" defaultHost="your.actual.domain">
<Host name="your.actual.domain" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<!-- ... -->
</Host>
</Engine>
3. Apache Struts2 S2-045 remote code execution (CVE-2017-5638)
Fix: pin the Struts version in pom.xml to 2.5.10.1. S2-045 is the Jakarta Multipart parser flaw in which an OGNL expression smuggled in a crafted Content-Type header is evaluated during error handling; 2.5.10.1 (and 2.3.32 on the 2.3 branch) are the first releases that fix it. After changing the version, run mvn dependency:tree and confirm that no other dependency still pulls in an older struts2-core.
4. Scanner finding: the target URL is vulnerable to HTTP Host header attacks
Fix: edit tomcat\conf\server.xml, set the Host name to the server's IP address, and restart Tomcat.
Caveat: Tomcat routes any request whose Host header matches no configured Host (or alias) to the Engine's defaultHost, so a request with a forged Host header is still served, and any code that builds absolute URLs from request.getServerName() or the Host header still reflects the attacker's value. Renaming the Host alone changes which name the scanner sees; to actually close the issue, reject requests whose Host header is not on an explicit allowlist, either in a reverse proxy in front of Tomcat or in a servlet filter.
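A Host header allowlist filter for the Tomcat deployment, written here as an added example (it is not part of the project; the class name, the allowedHosts init-param and the web.xml registration are assumptions):

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not the project's code): rejects requests whose
 * Host header is not on an explicit allowlist with 400 Bad Request.
 *
 * Register it in web.xml before the other filters, e.g.
 *   <filter><filter-name>hostHeader</filter-name>
 *     <filter-class>HostHeaderFilter</filter-class>
 *     <init-param><param-name>allowedHosts</param-name>
 *       <param-value>www.example.com,www.example.com:8080</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>hostHeader</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 */
public class HostHeaderFilter implements Filter {
    private Set<String> allowedHosts = Collections.emptySet();

    @Override
    public void init(FilterConfig cfg) {
        // Comma-separated "host" or "host:port" values, compared case-insensitively.
        String param = cfg.getInitParameter("allowedHosts");
        Set<String> hosts = new HashSet<>();
        if (param != null) {
            for (String h : param.split(",")) {
                String t = h.trim().toLowerCase(Locale.ROOT);
                if (!t.isEmpty()) hosts.add(t);
            }
        }
        allowedHosts = hosts;
    }

    /** Pure check, so the decision can be tested without a servlet container. */
    static boolean isAllowed(String hostHeader, Set<String> allowed) {
        if (hostHeader == null || hostHeader.isEmpty()) return false;
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        // Only "host" or "host:port" shapes are accepted; whitespace, paths or a
        // second header smuggled in via CRLF fail here before the lookup.
        // (IPv6 literals in brackets are deliberately not accepted by this regex.)
        if (!h.matches("[a-z0-9.-]+(:[0-9]{1,5})?")) return false;
        return allowed.contains(h);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (!isAllowed(r.getHeader("Host"), allowedHosts)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Host header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>(Arrays.asList("www.example.com", "www.example.com:8080"));
        // Constructed inputs: the legitimate host, a forged host, and a header-injection attempt.
        for (String h : new String[] {"www.example.com", "evil.example.net", "www.example.com\r\nX-Injected: 1"}) {
            System.out.println(h.replace("\r\n", "\\r\\n") + " -> " + (isAllowed(h, allowed) ? "allowed" : "rejected"));
        }
    }
}
```

If Tomcat sits behind a reverse proxy that rewrites Host, apply the same check to the header the proxy forwards the original value in (commonly X-Forwarded-Host) or enforce the allowlist in the proxy itself, otherwise the filter only ever sees the proxy's own hostname.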
5. Scanner finding: the target site contains dead links
Fix: delete the commented-out dead links from the pages
6. Scanner finding: the target URL is vulnerable to SQL injection
Fix applied: uncomment the xxssProtection filter already configured in the project's web.xml (configuration below).
Caveat: XXSSProtectionFilter adds XSS and Content-Security-Policy response headers. Response headers do not stop SQL injection, which has to be fixed where the query is built: bind user input as parameters (PreparedStatement, or named parameters in the ORM) instead of concatenating it into the SQL text. Take the parameter the scanner flagged and trace how it reaches the query. The policy as configured is also permissive: default-src * lets any origin serve resources for directives without an explicit value, and script-src with 'unsafe-inline' and 'unsafe-eval' gives up most of the XSS protection CSP offers; and because the mapping is *.html, only .html responses get the headers at all.
<filter>
<filter-name>xxssProtection</filter-name>
<filter-class>com.wisdombud.web.filter.XXSSProtectionFilter</filter-class>
<init-param>
<!-- If not specified the default is false -->
<param-name>report-only</param-name>
<param-value>false</param-value>
</init-param>
<!-- Optionally add a reporter-uri -->
<init-param>
<param-name>sandbox</param-name>
<param-value>allow-forms allow-same-origin allow-scripts allow-popups allow-pointer-lock
allow-popups-to-escape-sandbox allow-top-navigation allow-orientation-lock
</param-value>
<!-- true enables the sandbox behaviour - the default is false - one can also specify exceptions, e.g.
<param-value>allow-forms allow-same-origin</param-value>
-->
</init-param>
<!-- Remember that special keywords have to be put in single quotes, e.g. 'none', 'self' -->
<init-param>
<!-- If not specified the default is 'none' -->
<param-name>default-src</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>img-src</param-name>
<param-value>'self' data:</param-value>
</init-param>
<init-param>
<param-name>script-src</param-name>
<!--<param-value>'self' job.cqupt.edu.cn</param-value>-->
<param-value>'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</init-param>
<init-param>
<param-name>style-src</param-name>
<param-value>'self' 'unsafe-inline'</param-value>
</init-param>
<init-param>
<param-name>connect-src</param-name>
<param-value>'self'</param-value>
</init-param>
<init-param>
<param-name>font-src</param-name>
<param-value>'self'</param-value>
</init-param>
<init-param>
<param-name>object-src</param-name>
<param-value>'self'</param-value>
</init-param>
<init-param>
<param-name>media-src</param-name>
<param-value>'self'</param-value>
</init-param>
<init-param>
<param-name>frame-src</param-name>
<param-value>'self'</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>xxssProtection</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
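What actually closes a SQL injection finding, as an added example that is not the project's code: the same lookup written with string concatenation (injectable) and with a bound parameter (not injectable). The users table, its columns and the payload are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Example only (not the project's code). Table and column names are assumed.
 * Both query methods take a JDBC Connection, e.g. from the project's DataSource.
 */
public class UserLookup {

    /** VULNERABLE: the caller's input becomes part of the SQL text itself. */
    static String buildQueryByConcatenation(String username) {
        return "SELECT id, username FROM users WHERE username = '" + username + "'";
    }

    /** VULNERABLE: executes the concatenated text; a quote in the input changes the query. */
    static boolean userExistsUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildQueryByConcatenation(username))) {
            return rs.next();
        }
    }

    /** FIXED: the SQL text is constant; the driver sends the value separately as a parameter. */
    static boolean userExistsSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, username FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the quoted literal and appends an always-true condition,
        // so the concatenated query matches every row. With the prepared statement the whole
        // payload is compared as one literal string and matches nothing.
        String payload = "x' OR '1'='1";
        System.out.println(buildQueryByConcatenation(payload));
    }
}
```

Apply the same change to every query that receives request data, including ORDER BY and LIMIT fragments, which cannot be bound as parameters and need an allowlist of permitted column names instead.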
7. Scanner finding: the target site uses a JavaScript framework library with known vulnerabilities
Fix: upgrade jQuery from 1.11.3 to 3.3.1. jQuery 3.x removes and changes several 1.x APIs, so test the pages (the jQuery Migrate plugin reports the deprecated calls). Note that 3.3.1 was itself later affected by CVE-2019-11358 (fixed in 3.4.0) and the XSS fixes in 3.5.0 (CVE-2020-11022, CVE-2020-11023), so a re-scan will flag it again; pick the latest 3.x release.