1. Session identifier not updated: add the following code to the login page:
request.getSession(true).invalidate();            // clear the session
Cookie[] cookies = request.getCookies();          // null when the request carried no cookies
if (cookies != null && cookies.length > 0) {
    Cookie cookie = cookies[0]; cookie.setMaxAge(0); // get the cookie and expire it
    response.addCookie(cookie);                   // send it back, otherwise the browser never drops it
}

2. Cross-site request forgery (CSRF):
response.getWriter().write("");

With parameters:
response.getWriter().write("");

3. Insecure HTTP methods enabled
Add the following configuration to web.xml:

<!-- element tags restored from the standard web.xml layout; the resource name is a placeholder -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/> <!-- empty: no role is allowed, so these methods are denied for every URL -->
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

4. Unencrypted login request
Add the following to web.xml so that every URL is served only over SSL:

<!-- element tags restored from the standard web.xml layout -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

5. Cached SSL pages
Add to the page:

6. Session cookie lacks the HttpOnly attribute
response.addHeader("Set-Cookie", "uid=110; Path=/; HttpOnly");
// setting several cookies
response.addHeader("Set-Cookie", "uid=110; Path=/; HttpOnly");
response.addHeader("Set-Cookie", "timeout=30; Path=/test; HttpOnly");
// setting a cookie for https
response.addHeader("Set-Cookie", "uid=110; Path=/; Secure; HttpOnly");
// the CSDN blog has more details on AppScan scan reports and their fixes: http://blog.csdn.net/huoyunshen88/article/details/39181107
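Fixes 1, 5 and 6 combined in one login handler, as an added example that is not code from the original notes: it assumes a hypothetical `LoginServletBase` whose abstract `authenticate()` returns a user id (null on failure), a `/home` landing page, and cookies issued for the context root.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Hypothetical base login servlet (not from the original notes) applying fixes 1, 5 and 6.
// Subclasses supply authenticate(); Cookie.setHttpOnly() needs Servlet 3.0 or later.
public abstract class LoginServletBase extends HttpServlet {
    // Returns the user's id on success and null on failure (assumed user-store lookup).
    protected abstract String authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String uid = authenticate(request.getParameter("username"),
                                  request.getParameter("password"));
        if (uid == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Fix 1: drop the pre-login session so an id planted before authentication
        // (session fixation) is never promoted to an authenticated session.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        // Expire every cookie the client sent: getCookies() is null when there was no
        // Cookie header, and an expired cookie only takes effect once added to the response.
        Cookie[] sent = request.getCookies();
        if (sent != null) {
            for (Cookie c : sent) {
                Cookie gone = new Cookie(c.getName(), "");
                gone.setPath("/");      // assumes cookies were issued for the context root
                gone.setMaxAge(0);
                response.addCookie(gone);
            }
        }
        request.getSession(true).setAttribute("uid", uid); // fresh id issued after login
        // Fix 6: HttpOnly keeps the cookie away from script; Secure limits it to HTTPS (fix 4).
        Cookie uidCookie = new Cookie("uid", uid);
        uidCookie.setPath("/");
        uidCookie.setHttpOnly(true);
        uidCookie.setSecure(true);
        response.addCookie(uidCookie);
        // Fix 5: the post-login response must not be kept by browser or proxy caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

The container's own JSESSIONID cookie gets the same flags through `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` in web.xml (Servlet 3.0). On Servlet 3.1 or later, `request.changeSessionId()` rotates the session id after login without discarding the session's attributes.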