appscan 安全漏洞修复

1.会话标识未更新：登录页面加入以下代码
 

Java代码  

1. request.getSession(true).invalidate();//清空session   
2. Cookie cookie = request.getCookies()[0];//获取cookie   
3. cookie.setMaxAge(0);//让cookie过期  

    request.getSession(true).invalidate();//清空session
    Cookie cookie = request.getCookies()[0];//获取cookie
    cookie.setMaxAge(0);//让cookie过期

不是很明白session的机制，高手路过可以指教一下。
2.跨站点请求伪造：
在出错的url加参数sessionid。
 

Java代码  

1. response.getWriter().write( "<script>parent.location.href='dbase/admin/loginJsp.action?sessionId="+sessionId+"'</script>");  

response.getWriter().write(	"<script>parent.location.href='dbase/admin/loginJsp.action?sessionId="+sessionId+"'</script>");

如果带参数报ssl错误，使用下面的post方式传值：
 

Java代码  

1. response.getWriter().write(   
2.                 "<script language=\"javascript\"> " +   
3.                 "document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");" +   
4.                 "document.write(\"<input type=hidden name=name value='"+sessionId+"'\");" +   
5.                 "document.write(\"</form>\");" +   
6.                 "document.formx1.submit();" +   
7.                 "</script>"  
8.                 );  

response.getWriter().write(
				"<script language=\"javascript\"> " +
				"document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");" +
				"document.write(\"<input type=hidden name=name value='"+sessionId+"'\");" +
				"document.write(\"</form>\");" +
				"document.formx1.submit();" +
				"</script>"
				);

3.启用不安全HTTP方法
 

Java代码  

1. 修改web工程中或者服务器web.xml,增加安全配置信息，禁用不必要HTTP方法   
2.   <security-constraint>     
3.    <web-resource-collection>     
4.       <url-pattern>/*</url-pattern>     
5.       <http-method>PUT</http-method>     
6.       <http-method>DELETE</http-method>     
7.       <http-method>HEAD</http-method>     
8.       <http-method>OPTIONS</http-method>     
9.       <http-method>TRACE</http-method>     
10.    </web-resource-collection>     
11.    <auth-constraint>     
12.    </auth-constraint>     
13.  </security-constraint>     
14.  <login-config>     
15.    <auth-method>BASIC</auth-method>     
16.  </login-config>  

修改web工程中或者服务器web.xml,增加安全配置信息，禁用不必要HTTP方法
  <security-constraint>  
   <web-resource-collection>  
      <url-pattern>/*</url-pattern>  
      <http-method>PUT</http-method>  
      <http-method>DELETE</http-method>  
      <http-method>HEAD</http-method>  
      <http-method>OPTIONS</http-method>  
      <http-method>TRACE</http-method>  
   </web-resource-collection>  
   <auth-constraint>  
   </auth-constraint>  
 </security-constraint>  
 <login-config>  
   <auth-method>BASIC</auth-method>  
 </login-config>

4.已解密登录请求
配置SSL，具体见http://serisboy.iteye.com/admin/blogs/1320231
在web.xml加入如下配置。
 

Java代码  

1. <security-constraint>     
2.        <web-resource-collection >     
3.               <web-resource-name >SSL</web-resource-name>     
4.               <url-pattern>/*</url-pattern>     
5.        </web-resource-collection>    
6.        <user-data-constraint>     
7.               <transport-guarantee>CONFIDENTIAL</transportguarantee>     
8.        </user-data-constraint>     
9. </security-constraint>   

<security-constraint>  
       <web-resource-collection >  
              <web-resource-name >SSL</web-resource-name>  
              <url-pattern>/*</url-pattern>  
       </web-resource-collection> 
       <user-data-constraint>  
              <transport-guarantee>CONFIDENTIAL</transportguarantee>  
       </user-data-constraint>  
</security-constraint> 

5.高速缓存的ssl页面
 

Java代码  

1. 页面   
2. <meta http-equiv="Pragma" contect="no-cache">  

页面
<meta http-equiv="Pragma" contect="no-cache">

 

Java代码  

1. java代码   
2. response.setHeader("Pragma", "No-cache");  

java代码
response.setHeader("Pragma", "No-cache");

6.目录列表
配置文件目标拒绝访问。
在conf/web.xml下:
 

Java代码  

1. <servlet>    
2. <servlet-name> default </servlet-name>    
3. <servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class>    
4. <init-param>    
5. <param-name> debug </param-name>    
6. <param-value> 0 </param-value>    
7. </init-param>    
8. <init-param>    
9. <param-name> listings </param-name>    
10. <param-value> false </param-value>    
11. </init-param>    
12. <load-on-startup> 1 </load-on-startup>    
13. </servlet>   

<servlet> 
<servlet-name> default </servlet-name> 
<servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class> 
<init-param> 
<param-name> debug </param-name> 
<param-value> 0 </param-value> 
</init-param> 
<init-param> 
<param-name> listings </param-name> 
<param-value> false </param-value> 
</init-param> 
<load-on-startup> 1 </load-on-startup> 
</servlet> 

把listings对应的value设置为fasle.
或者把上面的这个servlet加到你的虚拟路径下的web-inf/web.xml   中,把
servlet-name改为其它的,再加一下servlet-mapping
 

Java代码  

1. <servlet>    
2. <servlet-name> default1 </servlet-name>    
3. <servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class>    
4. <init-param>    
5. <param-name> debug </param-name>    
6. <param-value> 0 </param-value>    
7. </init-param>    
8. <init-param>    
9. <param-name> listings </param-name>    
10. <param-value> false </param-value>    
11. </init-param>    
12. <load-on-startup> 1 </load-on-startup>    
13. </servlet>    
14. <servlet-mapping>    
15. <servlet-name> default1 </servlet-name>    
16.         <url-pattern> / </url-pattern>    
17. <servlet-mapping>   

<servlet> 
<servlet-name> default1 </servlet-name> 
<servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class> 
<init-param> 
<param-name> debug </param-name> 
<param-value> 0 </param-value> 
</init-param> 
<init-param> 
<param-name> listings </param-name> 
<param-value> false </param-value> 
</init-param> 
<load-on-startup> 1 </load-on-startup> 
</servlet> 
<servlet-mapping> 
<servlet-name> default1 </servlet-name> 
        <url-pattern> / </url-pattern> 
<servlet-mapping> 

http://serisboy.iteye.com/blog/1328056
 

转载于:https://blog.51cto.com/garlics/1071561