Appscan security vulnerability fixes
1. Session identifier not updated: add the following code to the login page
// Rotate the session ID at login so the session ID issued before authentication is not kept
HttpSession oldSession = request.getSession(false);
if (oldSession != null) oldSession.invalidate();   // clear the old session
request.getSession(true);                           // create a fresh session; the container's new JSESSIONID Set-Cookie replaces the old cookie in the browser
// Note: calling Cookie.setMaxAge(0) on a cookie from request.getCookies() has no effect unless that cookie is also passed to response.addCookie(),
// and request.getCookies() can be null (and [0] is not necessarily JSESSIONID), so the manual cookie expiry is not needed here.
I do not really understand the session mechanism; if an expert passes by, please give some pointers.
2. Cross-site request forgery:
Add a sessionid parameter to the URL that was reported.
// Redirect the top-level window to the login action, carrying the session ID as a query parameter
response.getWriter().write("<script>parent.location.href='dbase/admin/loginJsp.action?sessionId=" + sessionId + "'</script>");
// Caveat: a session ID in a URL is recorded in browser history, server logs and Referer headers; the POST variant avoids that
If passing the parameter produces an SSL error, pass the value with the POST method below:
// Write a hidden form into the page and submit it, so the session ID travels in the POST body instead of the URL
response.getWriter().write(
    "<script>"
  + "document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");"
  + "document.write(\"<input type=hidden name=name value='" + sessionId + "'>\");"   // the field name must match the parameter loginJsp.action reads
  + "document.write(\"</form>\");"
  + "document.formx1.submit();"
  + "</script>");
3. Unsafe HTTP methods enabled
Modify web.xml in the web project or on the server and add the security configuration below to disable the HTTP methods that are not needed.
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- an empty auth-constraint grants no role, so the listed methods are denied to everyone -->
  <auth-constraint>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
4. Unencrypted login request
Configure SSL; for details see http://serisboy.iteye.com/admin/blogs/1320231
Add the following configuration to web.xml.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL requires HTTPS; Tomcat redirects plain HTTP requests to the connector's redirectPort -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
5. Cached SSL pages
On the page:
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache, no-store">
Or set the response headers:
response.setHeader("Pragma", "No-cache");                                   // honoured by HTTP/1.0 caches
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // Pragma alone does not stop HTTP/1.1 caches
6. Directory listing
Deny directory listings in the configuration file.
In conf/web.xml:
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <!-- false stops DefaultServlet from generating an index of a directory that has no welcome file -->
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
Set the value for listings to false.
Or add the servlet above to WEB-INF/web.xml under your virtual path, change servlet-name to something else, and add a servlet-mapping:
<servlet>
  <servlet-name>default1</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>default1</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>
posted on 2014-08-18 10:11 by 順其自然EVO, reads (695), comments (0), category: Testing Study Column, Security Testing