Fixing pentest findings: CSP frame-ancestors, X-Frame-Options, Cookies with missing properties, Sensitive pages could be cached

Preface

I spent a whole day stumbling through pitfalls before finally clearing these pentest scan findings, and it was infuriating. I'm sure everyone who meets them for the first time is as baffled as I was. These are all back-end issues. There are piles and piles of articles on Baidu, but only a handful that actually work; I don't know whether I'm just bad at this or the other bloggers are that clever, writing a few lines and leaving the rest for you to fill in yourself. All I can say is @#@#@#@#¥!#@!@¥%@# (thank you for your hard work, bloggers). Enough rambling, on to the main text...


1. Background

Project: Vue front end, Spring Boot back end, deployed on Ubuntu behind nginx
Pentest tools: Acunetix, Burp Suite Professional

2. Findings

  1. Clickjacking: CSP frame-ancestors missing
  2. Clickjacking: X-Frame-Options header missing
  3. Cookies with missing, inconsistent or contradictory properties (verified)
  4. Sensitive pages could be cached

3. Solutions

nginx configuration

Headers added in the http block apply globally; this article adds them to the location of the scanned project instead. The add_header lines are where the actual fix lives.

    server {
        listen       8080;
        server_name  fangwen.yuming.com;
        location / {
            root   /usr/local/share/html;
            index  index.html index.htm;
        }
        location /aa/ {
            # add_header directives declared in a location replace, rather than extend,
            # those inherited from the server/http level, so every header is listed here.

            #Clickjacking:CSP frame-ancestors missing
            #----------------------------------------------------------------------------
            # frame-ancestors is the directive the scanner looks for; 'self' is the CSP
            # counterpart of X-Frame-Options SAMEORIGIN below.
            add_header Content-Security-Policy "default-src *;style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src * data:;worker-src * blob:;font-src 'self' data:;frame-ancestors 'self';";
            #----------------------------------------------------------------------------
            # CORS headers; these do not affect clickjacking but are needed by the front end
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
            #Clickjacking:X-Frame-Options header missing
            #----------------------------------------------------------------------------
            add_header X-Frame-Options "SAMEORIGIN";
            #----------------------------------------------------------------------------
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
            add_header Strict-Transport-Security "max-age=172800; includeSubDomains";
            #Sensitive pages could be cached
            #----------------------------------------------------------------------------
            # no-cache only forces revalidation; no-store forbids storing the response at all
            add_header Cache-Control "private, no-cache, no-store";
            #----------------------------------------------------------------------------
            proxy_pass http://fangwen.yuming.com:21008/;
            #Cookies with missing,inconsistent or contradictory properties(verified)
            #------------------------------------------------------------------------
            # Rewrites the Path attribute of upstream Set-Cookie headers so that
            # HttpOnly, Secure and SameSite are appended; SameSite=None requires Secure.
            proxy_cookie_path / "/; httponly; secure; SameSite=None";
            #------------------------------------------------------------------------
        }
        location /bb/ {
            proxy_pass http://fangwen.yuming.com:21008/;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }
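After reloading nginx it is worth checking that the headers actually reach the client, since a location-level add_header silently drops inherited ones. The following Python script is an added example (not code from the original post or its project) that audits a saved response head for the four findings above; the same check applies to responses produced by the Java filter further down. The three response texts are constructed samples; in practice you would paste the output of `curl -s -D - -o /dev/null https://host/aa/`.

```python
"""Audit a raw HTTP response head for the four scanner findings discussed on
this page. Added example (not code from the original post or its project):
the responses below are constructed, and the checks approximate what a
clickjacking / cookie-attribute / cache-control scanner reports.
"""
from typing import Optional


def parse_headers(raw: str) -> dict:
    """Turn a response head (status line followed by header lines) into a
    dict of lower-cased name -> list of values. Repeated headers such as
    Set-Cookie are kept as separate list entries."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directive(policy: str, directive: str) -> Optional[str]:
    """Return the source list of one CSP directive, or None if absent."""
    for entry in policy.split(";"):
        parts = entry.split()
        if parts and parts[0].lower() == directive:
            return " ".join(parts[1:])
    return None


def cookie_attributes(set_cookie: str):
    """Split a Set-Cookie value into (cookie name, {attr -> value}); attribute
    names and values are lower-cased and flag attributes map to ''."""
    pieces = [p.strip() for p in set_cookie.split(";")]
    name = pieces[0].partition("=")[0]
    attrs = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return name, attrs


def audit(raw: str) -> list:
    """Return the list of findings for one response; empty means clean."""
    h = parse_headers(raw)
    findings = []

    # Clickjacking: the CSP must carry a frame-ancestors directive
    policies = h.get("content-security-policy", [])
    if not any(csp_directive(p, "frame-ancestors") is not None for p in policies):
        findings.append("CSP frame-ancestors missing")

    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is obsolete)
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append("X-Frame-Options header missing")

    # Cookies: every Set-Cookie needs Secure, HttpOnly and SameSite, and browsers
    # reject SameSite=None unless Secure is also present (the "contradictory" case)
    for sc in h.get("set-cookie", []):
        name, attrs = cookie_attributes(sc)
        missing = [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs]
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            missing = [m if m != "Secure" else "Secure (required with SameSite=None)" for m in missing]
        if missing:
            findings.append("Cookie %s missing: %s" % (name, ", ".join(missing)))

    # Caching: Cache-Control must forbid caching of the page
    tokens = {t.strip().lower() for t in ",".join(h.get("cache-control", [])).split(",")}
    if not tokens & {"no-store", "no-cache"}:
        findings.append("Sensitive pages could be cached")

    return findings


# Constructed responses: BEFORE is what an unconfigured proxy returns, AFTER is
# what the nginx block on this page produces, NONE_WITHOUT_SECURE shows the
# contradictory-attribute case the scanner flags.
BEFORE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/
"""

AFTER = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Security-Policy: default-src *; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Cache-Control: private, no-cache, no-store
Set-Cookie: JSESSIONID=CONSTRUCTED0001; Path=/; HttpOnly; Secure; SameSite=None
"""

NONE_WITHOUT_SECURE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Cache-Control: no-store
Set-Cookie: JSESSIONID=CONSTRUCTED0002; Path=/; HttpOnly; SameSite=None
"""

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER), ("none-without-secure", NONE_WITHOUT_SECURE)):
        print(label, audit(resp) or "clean")
```

Run it against the response of every location you changed, not just /aa/: a sibling location with its own add_header (or none at all) will report the findings again.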

Java code hardening

Code-level fix for X-Frame-Options header missing and Cookies with missing properties

package com.abc.filter;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration;

@WebFilter(urlPatterns = "/*", filterName = "MyFilter")
public class MyFilter implements Filter {

    // X-Frame-Options value: SAMEORIGIN allows framing only by pages of the same origin
    private static final String MODE = "SAMEORIGIN";
    private static final String SESSION_COOKIE = "JSESSIONID";
    // Must match the host the application is actually served from
    private static final String COOKIE_DOMAIN = "www.baidu.com";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        System.out.println("uri=" + request.getRequestURI());

        // Set headers before running the chain: once the response has been
        // committed downstream, setHeader/addHeader are silently ignored.
        response.setHeader("X-Frame-Options", MODE);

        // If the client already holds a session cookie, re-issue it with the
        // attributes the scanner expects. Look it up by name rather than
        // assuming it is the first cookie in the request.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (SESSION_COOKIE.equals(cookie.getName())) {
                    ResponseCookie cookieNew = ResponseCookie.from(SESSION_COOKIE, cookie.getValue())
                            .httpOnly(true)              // not readable from JavaScript
                            .secure(false)               // also sent over plain http; set true for https-only deployments
                            .domain(COOKIE_DOMAIN)
                            .path("/")
                            .maxAge(Duration.ofHours(1)) // expires after one hour
                            .sameSite("Lax")
                            .build();
                    response.setHeader(HttpHeaders.SET_COOKIE, cookieNew.toString());
                    break;
                }
            }
        }
        // When the request carries no session cookie the container issues one
        // itself; a fixed id written here would be shared by every client,
        // so nothing is fabricated in that case.
        filterChain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}

Summary

Note: I do ops on the side; my main job is back-end development. Because of the project schedule the principle was to get the problem solved first; if you are interested, look up the details on Baidu yourself. No pointless explanation here; the fix is real and works.
