1. Header Manipulation: filter the parameters taken from the request header

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    public static String getFilePath(String path){
        // Character class of forbidden symbols. The list on the page is cut off after '>'
        // (HTML extraction dropped the rest), so complete it with your own forbidden set.
        String regex = "[`~!@#$%^&*()\\+\\=||{}|:\"?>]";
        Pattern pa = Pattern.compile(regex);   // was "new Patternpile" in the scraped text
        Matcher ma = pa.matcher(path);
        if(ma.find()){
            path = ma.replaceAll("").trim();
        }
        path = path.replace("\\","/");
        // Single pass only: a nested sequence such as "....//" re-forms "../" after one
        // removal, so repeat until stable or check the canonical path against a base directory.
        path = path.replace("../","");
        return path;
    }
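The single-pass `replace("../","")` above is the part reviewers most often flag, so here is an added example (not code from the original post) that puts the one-pass strip next to a repeat-until-stable strip and a canonical-path containment check. The base directory `UPLOAD_ROOT` and the class name are assumptions for the demonstration; the input strings are constructed.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafePath {
    // Hypothetical base directory; a real deployment would configure this.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Same idea as the post's getFilePath: remove "../" once.
    static String stripOnce(String path) {
        return path.replace("\\", "/").replace("../", "");
    }

    // Repeat until nothing changes, so "....//" cannot collapse back into "../".
    static String stripUntilStable(String path) {
        String prev;
        String cur = path.replace("\\", "/");
        do {
            prev = cur;
            cur = cur.replace("../", "");
        } while (!cur.equals(prev));
        return cur;
    }

    // Preferred check: resolve against the base directory, normalize, and verify
    // the result is still inside it. Absolute input ("/etc/passwd") fails the
    // startsWith test as well, because resolve() returns the absolute path unchanged.
    static Path resolveUnderRoot(String userPath) throws IOException {
        Path resolved = UPLOAD_ROOT.resolve(userPath.replace("\\", "/")).normalize();
        if (!resolved.startsWith(UPLOAD_ROOT)) {
            throw new IOException("path escapes base directory: " + userPath);
        }
        return resolved;
    }

    public static void main(String[] args) {
        String tricky = "....//....//etc/passwd";       // constructed sample input
        System.out.println(stripOnce(tricky));          // ../../etc/passwd  (still traverses)
        System.out.println(stripUntilStable(tricky));   // etc/passwd
        for (String p : new String[]{"report.pdf", "../../etc/passwd", "....//notes.txt"}) {
            try {
                System.out.println("accept " + resolveUnderRoot(p));
            } catch (IOException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

The containment check is the one worth keeping regardless of how the string filter is written: it decides on the resolved path, not on the characters the attacker chose to type.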
2. Cross-Site Scripting:
(1) Reflected: this finding appears in both Java and JSP code, so the code from the shared Java helper and the shared JS helper is attached below.
java:
    import java.text.Normalizer;
    import java.util.ArrayList;
    import java.util.List;

    // Characters removed from reflected output. Typed as List<String> so that
    // list.get(i) can be passed to String.replace (the raw List would not compile).
    final static List<String> list = new ArrayList<>();
    static{
        list.add("<");
        list.add(">");
        list.add("(");
        list.add(")");
        list.add("&");
        list.add("?");
        list.add(";");
    }
    public static String Filter(String output){
        // NFKC first, so full-width look-alikes (e.g. U+FF1C) become the ASCII forms listed above
        String encode = Normalizer.normalize(output, Normalizer.Form.NFKC);
        for(int i = 0; i < list.size(); i++){
            encode = encode.replace(list.get(i), ""); // String.replace removes every occurrence
        }
        return encode;
    }
js:
    function charFilter(str) {
        const charArray = ["<", ">", "(", ")", "&", "?", ";"];
        let encode = str.normalize("NFKC");
        for (let i = 0; i < charArray.length; i++) {
            // split/join removes every occurrence; String.prototype.replace with a
            // string pattern would only remove the first one and let the rest through
            encode = encode.split(charArray[i]).join("");
        }
        return encode;
    }
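Both helpers above take the blacklist route: normalize, then delete a fixed set of characters. The following added example (written for this page, not code from the original post) runs that approach beside HTML-entity encoding on constructed inputs, so the two effects are visible side by side: the blacklist also destroys legitimate text, while encoding keeps it and still renders no markup. The class name is an assumption; the normalization step is the same NFKC call the post uses.

```java
import java.text.Normalizer;

public class ReflectedOutput {
    // Blacklist approach from the post: normalize, then delete the listed characters.
    static String stripChars(String output) {
        String encode = Normalizer.normalize(output, Normalizer.Form.NFKC);
        for (String c : new String[]{"<", ">", "(", ")", "&", "?", ";"}) {
            encode = encode.replace(c, "");
        }
        return encode;
    }

    // Alternative that keeps the text intact: entity-encode for an HTML element-body context.
    static String encodeForHtml(String output) {
        String n = Normalizer.normalize(output, Normalizer.Form.NFKC);
        StringBuilder sb = new StringBuilder(n.length() + 16);
        for (int i = 0; i < n.length(); i++) {
            char c = n.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: full-width angle brackets (U+FF1C / U+FF1E) that NFKC folds
        // to < and >, and ordinary text that the blacklist damages.
        String[] samples = {
            "\uFF1Cb\uFF1Ebold\uFF1C/b\uFF1E",
            "price < 5 & qty > 2 (approx.)"
        };
        for (String s : samples) {
            System.out.println("input : " + s);
            System.out.println("strip : " + stripChars(s));     // markup gone, but so are & ( ) and the comparison signs
            System.out.println("encode: " + encodeForHtml(s));  // browser shows the text, interprets no tags
        }
    }
}
```

For the first sample, stripChars returns "bbold/b" and encodeForHtml returns "&lt;b&gt;bold&lt;/b&gt;"; the second sample shows why encoding at the point of output is the usual recommendation when the page must display what the user typed.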
Source: https://wwwblogs/luchangzhu/p/14301977.html