Vulnerability fix: JavaScript framework library vulnerability
- Reproduction
- Option 1: Upgrade to Servlet 3.0 (requires a Java EE 6.0-compatible container such as Tomcat 7)
- Option 2: Use the addHeader method of HttpServletResponse to write the Set-Cookie value directly
A JavaScript framework or library is a set of tools and functions that make it easy to produce cross-browser-compatible JavaScript code. If a website uses a JavaScript framework or library with a known vulnerability, an attacker can exploit it to hijack the user's browser and carry out drive-by downloads, XSS, cookie hijacking and other attacks. This article focuses on cookie hijacking: set the HttpOnly flag so that client-side JavaScript cannot read the cookie.
Reproduction
<script type="text/javascript" src="/js/jquery.cookie.js"></script>
<script type="text/javascript">
    // Reads the session cookie from page script; this succeeds as long as the cookie is not HttpOnly.
    function getCookie() {
        alert("cookie:" + $.cookie("AUTH_TOKEN"));
    }
</script>
The fixes are as follows:
Option 1: Upgrade to Servlet 3.0 (requires a Java EE 6.0-compatible container such as Tomcat 7)
Maven dependency
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>javax.servlet-api</artifactId>
    <version>3.1.0</version>
    <scope>provided</scope>
</dependency>
Servlet 3.0 supports setting HttpOnly natively and provides the following API:
/**
 * @since Servlet 3.0
 */
public interface SessionCookieConfig {
    ..............
    /**
     * @see javax.servlet.http.Cookie#setHttpOnly(boolean)
     */
    public void setHttpOnly(boolean httpOnly);

    /**
     * @see javax.servlet.http.Cookie#isHttpOnly()
     */
    public boolean isHttpOnly();
    ..................
}

public class Cookie implements Cloneable, Serializable {
    ..................
    /**
     * @since Servlet 3.0
     */
    public void setHttpOnly(boolean isHttpOnly) {
        this.isHttpOnly = isHttpOnly;
    }

    /**
     * @since Servlet 3.0
     */
    public boolean isHttpOnly() {
        return isHttpOnly;
    }
    ..................
}
Business code
public static void saveCookie(HttpServletResponse response,
                              String name,
                              String value,
                              int saveTime) {
    Cookie cookie = new Cookie(name, value);
    cookie.setMaxAge(saveTime);
    cookie.setPath("/");
    // Servlet 3.0 provides setHttpOnly(); the container emits the HttpOnly attribute.
    cookie.setHttpOnly(true);
    response.addCookie(cookie);
}
Result:
Option 2: Use the addHeader method of HttpServletResponse to write the Set-Cookie value directly
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class CookieUtil {
    /**
     * Write a cookie as a raw Set-Cookie header, optionally with the HttpOnly flag.
     * All attributes already set on the Cookie object (Max-Age, Path, Domain, Secure)
     * are carried over, so nothing the business code configured is silently dropped.
     * @param response   HTTP response
     * @param cookie     Cookie object
     * @param isHttpOnly whether to mark the cookie HttpOnly
     */
    public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
        String name = cookie.getName();        // cookie name
        String value = cookie.getValue();      // cookie value
        int maxAge = cookie.getMaxAge();       // lifetime in seconds; 0 deletes the cookie, -1 means session-scoped
        String path = cookie.getPath();        // path
        String domain = cookie.getDomain();    // domain
        boolean isSecure = cookie.getSecure(); // send only over HTTPS
        StringBuilder buffer = new StringBuilder();
        buffer.append(name).append("=").append(value).append(";");
        if (maxAge >= 0) {
            buffer.append("Max-Age=").append(maxAge).append(";");
        }
        if (path != null) {
            buffer.append("Path=").append(path).append(";");
        }
        if (domain != null) {
            buffer.append("Domain=").append(domain).append(";");
        }
        if (isSecure) {
            buffer.append("Secure;");
        }
        if (isHttpOnly) {
            buffer.append("HttpOnly;");
        }
        response.addHeader("Set-Cookie", buffer.toString());
    }
}
Business code
public static void saveCookie(HttpServletResponse response,
                              String name,
                              String value,
                              int saveTime) {
    Cookie cookie = new Cookie(name, value);
    cookie.setMaxAge(saveTime);
    cookie.setPath("/");
    CookieUtil.addCookie(response, cookie, true);
}
Result: same as Option 1.
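To confirm that either fix actually reaches the browser, here is an added Python check (not part of the original post) that parses the Set-Cookie headers a server returns and reports session cookies that lack HttpOnly; it also reports a missing Secure flag, which goes slightly beyond the text but matches the attribute Option 2's CookieUtil reads from the Cookie object. The header strings and the cookie names treated as sensitive are constructed samples.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags."""

# Constructed sample headers, in the shape a servlet emits before and after the fix
# above (not captured from a real server).
SAMPLE_HEADERS = [
    "AUTH_TOKEN=abc123; Path=/; Max-Age=3600",            # before the fix
    "AUTH_TOKEN=abc123; Path=/; Max-Age=3600; HttpOnly",  # after Option 1 / Option 2
    "JSESSIONID=F00D; Path=/; Secure; HttpOnly",          # container session cookie, fine
    "prefs=dark; Path=/",                                 # non-sensitive, ignored
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flag attributes such as HttpOnly and Secure map to True; valued attributes
    such as Max-Age and Path keep their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(headers, sensitive=("AUTH_TOKEN", "JSESSIONID")):
    """Return (cookie name, problem) pairs for sensitive cookies that script can
    still read (no HttpOnly) or that may travel in clear text (no Secure)."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue
        if not attrs.get("httponly"):
            findings.append((name, "missing HttpOnly"))
        if not attrs.get("secure"):
            findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print("%s: %s" % finding)
```

Feed it the Set-Cookie headers captured from a real response (for example via the browser's network panel) after deploying either option; an empty result means the session cookie carries both flags.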