2024Web应用安全开发规范

Web2224 SQL注入攻 第PAGE第PAGE1024Script（XSSHTMLJavaScriptAPIXSS缺陷。XSS让攻击者能够在受害者的浏览器中执行脚本，并劫持用户会话、破坏网站或将用户重定向到恶意XSSXSSXSSDOMBasedXSS。XSS做到：$var的值为<a$var的值为<imgsrconerror=alert(1HTML内容语境中显示“用户可控数据”HtmlContent进行转义。<inputtype="text"name="a"value="$var"$var的值为<textarea<inputtype="text"name="a"value="$var"$var的值为<textareavardata=$varvardata=$var的值为<button<buttononclick="funcA('$var$var的值为CSS中输出的“用户可控数据”CSSescapeURL的输出是“用户可控数据”URLURL”StringuserURL=request.getParameter("userURL")StringuserURL=request.getParameter("userURL")if(isValidURL){<ahref="<%=<a<a<aHTMXSS漏洞，转义发生在模板引擎或者明确知XSS问题的框架，如：Ruby3.0ReactJS，需要XSS保护的局限性，并适当地处理未覆盖的用例。DOM-basedXSSif(portal.appGlobal.get('portalId')===portalList[i].portalId){that.$('.portalMenu').append("<liclass='portal-menuitemactive'>"+"<ahref='javascript:void0'>"+fish.escape(portalList[i].portalName)+'</a>'+if(portal.appGlobal.get('portalId')===portalList[i].portalId){that.$('.portalMenu').append("<liclass='portal-menuitemactive'>"+"<ahref='javascript:void0'>"+fish.escape(portalList[i].portalName)+'</a>'+OWASPXSS问题的思路可参考如下链接：CookieHttpOnlyCookieHttpOnlyXSSCookieAJAXHTTP/1.1Date:Wed,HTTP/1.1Date:Wed,06Feb201310:28:54<div<divid="init_data"style="display:vardataElement=document.getElementById('init_data');varinitData=JSON.parse(dataElement.textContent);XSS攻击。现。Web开发的普遍的做法，在客户端的JavaScript中和服务端代码中实现相同的输入检查。在客户端JavaScript中进行输入校验，可以阻挡大部分误操作的用户，从而节约服务器资源。if(/(.)\1{2}/.test(password))if(/(.)\1{2}/.test(password))publicpublicstaticbooleancheckPwdContinuousChar(Stringpwd){Patternp=Ppile("(.)\\1{2}");Matchermatcher=p.matcher(pwd);returnmatcher.find();1+1<31+1<3。publicstaticStringstripXSS(Stringvalue){if(value!=null){StringoriValue=//Avoidnullvalue=value.replaceAll("","");PatternscriptPattern=Ppile("<[\r\n||]*script[\r\n||]*>(.*?)</[\r\n||]*script[\r\n||]*>",Pattern.CASE_INSENSITIVE);value=scriptPattern.matcher(value).replaceAll("");scriptPattern=Ppile("expression\\((.*?)\\)",Pattern.CASE_INSENSITIVE|Pattern.MULTILINE|Pattern.DOTALL);value=//old:scriptPattern=javascript[\r\n||]*:[\r\n||]*",Pattern.CASE_INSENSITIVE);value=scriptPattern.matcher(value).replaceAll("");//AvoidSQLinjection//addbyshi.pengyan2013-6-scriptPattern=Ppile(SQL_REG,Pattern.CASE_INSENSITIVE);value=scriptPattern.matcher(value).replaceAll("");//value=StringEscapeUtils.escapeHtml(value);value=htmlEncode(value);privatestaticStringhtmlEncode(Stringvalue){if(value==null){return

//value=value.replaceAll("\\(","(").replaceAll("\\)",")");value=value.replaceAll("&","&");value=value.replaceAll("'","'").replaceAll("\"",value=value.replaceAll("<","<").replaceAll(">",">");returnvalue;Forgery（CSRFWeb服务器发出任意的请求，WebURL，图像加载，XMLHttpRequest，form表单等来完成，并且可能导致数据暴露或意外的代码执行。$(function()vartoken$(function()vartoken=varheader=$(document).ajaxSend(function(e,xhr,options){xhr.setRequestHeader(header,token);<form<form <input value="Logout"<input StringactualToken=request.getHeader(csrfToken.getHeaderName());if(actualToken==null){if(this.logger.isDebugEnabled()){this.logger.debug("InvalidCSRFtokenfoundfor+StringactualToken=request.getHeader(csrfToken.getHeaderName());if(actualToken==null){if(this.logger.isDebugEnabled()){this.logger.debug("InvalidCSRFtokenfoundfor+if(missingToken){newelsePOSTGETformAjax的形式提交；URL中不要CSRF的防御方案将会失效。publicvoidinit(FilterConfigfilterConfig)throwsServletException{XFrameOptions=filterConfig.getInitParameter("XFrameOptions");publicvoiddoFilter(ServletRequestservletRequest,publicvoidinit(FilterConfigfilterConfig)throwsServletException{XFrameOptions=filterConfig.getInitParameter("XFrameOptions");publicvoiddoFilter(ServletRequestservletRequest,ServletResponseservletResponse,FilterChainfilterChain)throwsIOException,ServletException{HttpServletResponseresponse=(HttpServletResponse)servletResponse;if(!StringUtil.isEmpty(XFrameOptions)){response.addHeader("X-Frame-Options",XFrameOptions);“ContentSecurityPolicy”（指令较多且比较严格，使用时需要花时间了解下各个指令的含义）NOScriptWeb服务器上进行配置。CrossOriginResourceSharing，跨域资源共享，解决浏览器同源策略限制，允许脚本的跨域请求，同时也会HTTPHeader进行精确的控制：/NginxAjaxSQL注入、NoSQL注入、SQLSQL注入的示例代码如下：HttpServletRequestrequest,HttpServletRequestrequest,HttpServletResponseresponse){JdbcConnectionconn=newJdbcConnection();finalStringsql="select*fromproductwherepnamelike+request.getParameter("pname")+"%'";<select<selectid="unsafe"resultType="com.ztesoft.zsmart.pot.dto.RoleDto"> ROLE_CODE='$roleCodeSQLSQL语句中的变量做绑定。用户拼接进来的变量，“?”SQLfinalStringsqlfinalStringsql="select*fromproductwherepnamelike?";java.sql.PreparedStatementps=ps.setObject(1,"%"+request.getParameter("pname")+"%");ResultSetrs=ps.executeQuery();<selectid="<selectid="unsafe"resultType="com.ztesoft.zsmart.pot.dto.RoleDto"> ROLE_CODE=另外，检查数据类型、使用安全的存储过程、使用安全编码函数等。SQL注入问题可参考《Java语言1.2SQL防御实施方案。eval()、system()等可以执行命令的函数。如果一定要用，则必须对用户输入数Web应用程序在处理用户上传的文件时，没有判断文件的扩展名是否在允许的范围内，就把文件保存checkFileSize(file.getSize(),uploadProperties.getMaxFileSize());////StringcurrentFileHeader=String[]expectFileHeaderArr=initFileTypes.get(expectFileType);BooleanretFlag=false;//for(StringexpectFileHeader:expectFileHeaderArr){retFlag=#file.upload.directory=/home/uploadStringfileName=UUID.randomUUID()+"."+if(isStrictValidation&&if(isStrictValidation&&(fileDirectory.contains("./")||fileDirectory.contains(".\\"))){logger.error("filePathcontains./or../");IDwebif(!DownloadPrivUtil.getInstance().validatePathPriv(session,realFilePath)){response.getWriter().print("Youif(!DownloadPrivUtil.getInstance().validatePathPriv(session,realFilePath)){response.getWriter().print("Youhavenopermissiontodownloadthisfile.");if(isStrictValidation&&(realFilePath.contains("./")||realFilePath.contains(".\\"))){response.getWriter().print("Cannotdownloadthisfile.");directory=canDownload=true;if(needDelete)if(needDelete)webURL，从而访问或控制其他权SpringSecurityRBAC模型的一个实现，一种是“URL的访问<http-basic<http-basicprotectedprotectedvoidconfigure(HttpSecurityhttp)throwsException{//@PostFilter("hasPermission(filterObject,'read')@PostFilter("hasPermission(filterObject,'read')orhasPermission(filterObject,'admin')")publicList<Contact>getAll();AC不同角色的权限有高低之分，高权限角色访问低权限角色的资源往往是被允许的，而低权限角色访问高权相对于垂直权限，水平权限问题是同一个角色上，Web应用程序接收到用户修改信息的请求，未对该ID，达到修改其他用户数据的目的。即缺少一个用户与数据的对应关系。id，各开发人员在编码时要注意此类场景，非此类场景的请求，需要确保应用中具有垂直权限 CookiehttponlysecureCookieCookiehttponlycookieCookieCookie。CookieSecurehttpsCOOKIE，开发人员需response.setHeader("SET-COOKIE","user="+request.getParameter("cookie")response.setHeader("SET-COOKIE","user="+request.getParameter("cookie")+";HttpOnly;SecureSessionFixationExpiresSessionFixation，sessionURLjsessionidSessionID，然后发送给用户sessionsessionsessionprivatevoidsessionManagement(HttpSecurityhttp)privatevoidsessionManagement(HttpSecurityhttp)throwsException{publicstaticvoidreGenerateSessionId(){HttpSessionpublicstaticvoidreGenerateSessionId(){HttpSessionsession=currentSession.get();HttpServletRequestreq=RequestUtil.getRequest();if(session!=null&&req!=null){sessionMapMap<String,Object>tempMap=newHashMap<String,Object>();Enumeration<String>sessionNames=session.getAttributeNames();while(sessionNames.hasMoreElements()){StringsessionName=sessionNames.nextElement();session,sessionIdsession=for(Map.Entry<String,Object>entry:tempMap.entrySet()){session.setAttribute(entry.getKey(),entry.getValue());SessionIDSession设置强制超时时间，攻击者一privatevoidsessionManagement(HttpSecurityhttp)privatevoidsessionManagement(HttpSecurityhttp)throwsException{////LongmaxIdleMinutes=30minDatedate=newDate(DateUtil.getNowDate().getTime()-1000*60*//同时将在线用户标记为XList<SsoUserOnlineDtolistnew//if(list!=null&&!list.isEmpty())if(!isUserOnline){("userhasoffline.sessionId=[{}],userId=[{}]",session.getId(),userId);returntrue;WebURLURL的值为恶意站点的地址，URLURLStringStringtrustedList=ConfigurationMgr.instance().getString("urlRedirect.trustedList","");if(StringUtil.isNotEmpty(trustedList)&&trustedList.indexOf(paramValue)<0){StringrootStr=UrlUtil.getWebRoot(request);统上的文档（file：//gopher://tftp://，可以提供对请求内容的更大控制。privatevoidvalidateWsUrl(StringwsUrl)throwsBaseAppException{privatevoidvalidateWsUrl(StringwsUrl)throwsBaseAppException{StringappWsUrlRegExp=if&&!"false".equalsIgnoreCase(appWsUrlRegExp)&&StringUtil.isNotEmpty(wsUrl)){String[]params=wsUrl.split(";");Patternpattern=Ppile(appWsUrlRegExp);if(!pattern.matcher(params[0]).matches()){publicpublicbooleanverifyAdmin(Stringpwd){if(pwd.equals("34783fdfsd9sfds")){byte[]key= byte[]key= "MyEncryptionKey".getBytes();DESKeySpecdesKeySpec=newDESKeySpec(key);ECBRC4；saltsIVCBCAES256WebXSS、CSRF、SQL注入、访问控制、认