Session cookie missing the HttpOnly attribute
2017-09-14 15:09
A third-party security scan of the project reported the finding "Session cookie missing the HttpOnly attribute".
Security risk
An attacker may steal or manipulate customer sessions and cookies and use them to impersonate a legitimate user, which would allow the attacker to view or alter that user's records and perform transactions as that user.

Possible cause
The web application sets a session cookie that lacks the HttpOnly attribute.

Technical description
During application testing it was detected that the tested web application sets a session cookie without the "HttpOnly" attribute. Because the session cookie does not carry "HttpOnly", malicious script injected into the site can read this cookie and steal its value. Any information stored in the session token could be stolen and later used for identity theft or user impersonation.

The fix is to add a filter:
package com.base.servlet;

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Fixes the finding "session cookie missing the HttpOnly attribute" by
 * re-issuing the JSESSIONID cookie with the Secure and HttpOnly flags.
 */
public class CookieHttpOnlyFilter implements Filter {

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                // Only the session cookie is re-issued; other cookies are left alone.
                if (!"JSESSIONID".equals(cookie.getName())) {
                    continue;
                }
                // Keep the container's cookie path so the new header replaces the
                // session cookie instead of creating a second one under another path.
                String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
                StringBuilder builder = new StringBuilder();
                builder.append("JSESSIONID=").append(cookie.getValue()).append("; ");
                builder.append("Path=").append(path).append("; ");
                builder.append("Secure; ");   // sent only over HTTPS
                builder.append("HttpOnly; "); // not readable from document.cookie
                // Expires must be an RFC 1123 date in GMT, e.g. "Thu, 14 Sep 2017 08:09:00 GMT";
                // a localized "dd-MM-yyyy" string is ignored or mis-parsed by browsers.
                Calendar cal = Calendar.getInstance();
                cal.add(Calendar.HOUR, 1);
                Date date = cal.getTime();
                SimpleDateFormat sdf = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);
                sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
                builder.append("Expires=").append(sdf.format(date));
                resp.setHeader("Set-Cookie", builder.toString());
            }
        }
        // Always continue the chain, whether or not the request carried cookies.
        filterChain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }
}
Then register the filter in web.xml:
<filter>
    <filter-name>cookieHttpOnlyFilter</filter-name>
    <filter-class>com.base.servlet.CookieHttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>cookieHttpOnlyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
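To confirm the fix before asking for a re-scan, the following added Python checker (not part of the original post) audits raw Set-Cookie headers for the three things this finding turns on: the HttpOnly flag, the Secure flag, and an Expires value in RFC 1123 form. The session cookie names and the sample HTTP response are constructed assumptions.

```python
"""Audit Set-Cookie headers as the scanner does: HttpOnly, Secure, RFC 1123 Expires."""
from email.utils import parsedate_to_datetime

SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID")  # assumed session cookie names

# Constructed sample response: the container's default cookie, an unrelated
# cookie, and the session cookie as re-issued by the filter above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/app\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/app; Secure; HttpOnly; "
    "Expires=Thu, 14 Sep 2017 08:09:00 GMT\r\n"
)

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return name.strip(), value, attrs

def audit_set_cookie(header_value):
    """Return the findings for one Set-Cookie value (empty list means clean)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if name.upper() not in SESSION_COOKIE_NAMES:
        return findings  # non-session cookies are out of scope for this finding
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "expires" in attrs:
        try:
            parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):  # TypeError on Python < 3.10
            findings.append("Expires is not an RFC 1123 date: %r" % attrs["expires"])
    return findings

def audit_response(raw_response):
    """Map every Set-Cookie header of a raw HTTP response to its findings."""
    report = {}
    for line in raw_response.splitlines():
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            report[value] = audit_set_cookie(value)
    return report
```

Run `audit_response` on a captured response from your own deployment; the date check also catches a filter that still writes the localized "dd-MM-yyyy" Expires string, which browsers do not accept.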