AppScan常见问题解决方法

跨站点请求伪造

//拦截器添加请求地址校验
String fullurl =request.getHeader("Referer");
if(fullurl!=null){
    String[] referer = fullurl.split("/");   //请求来源全路径
    String serverName = request.getServerName();//项目根路径
    int serverPort = request.getServerPort(); //端口号
    //解决安全性问题：跨站点请求伪造
    if(!referer[2].equals(serverName+":"+serverPort)){
        request.getRequestDispatcher("/error.html").forward(request, response);
    }
}

启用不安全的HTTP方法

在web.xml中添加如下代码，具体意义参见 http://www.cnblogs.com/xlyslr/p/5707995.html

<security-constraint>
        <web-resource-collection>
            <web-resource-name>fortune</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint></auth-constraint>
    </security-constraint>

会话标识未更新

//不管什么框架，用户重复登陆时，更新session和cookie标识，否则就会出现这个漏洞
//使用shiro框架的可以在每次访问登陆页面时先注销，再次登陆会自动生成新的会话标识
@GetMapping({"/","/login"})
String welcome(Model model) {
    SecurityUtils.getSubject().logout();
    return "login";
}

发现可高速缓存的登陆页面

//页面头部添加
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache,no-store">

会话 cookie 中缺少 HttpOnly 属性

//如果使用shiro框架，底层已设置HttpOnly，不存在该错误，否则只能手动设置
Cookie cookie = new Cookie(name, value);
cookie.setPath("/");
cookie.setHttpOnly(true);
response.addCookie(cookie);

自动填写未对密码字段禁用的 HTML 属性

//添加autocomplete并设置为：“off”，禁止智能填充
<input id="password" name="password" placeholder="请输入密码" type="password" autocomplete="off" required />

JSPWiki?Edit.jsp?路径遍历

Vivvo CMS files.php

//在拦截器拦截掉含php,jsp的请求
String fullurl =request.getHeader("Referer");
if(StringUtils.contains(fullurl,".php") || StringUtils.contains(fullurl,".jsp") ){
    request.getRequestDispatcher(request.getRequestURI()).forward(request, response);
}