会话cookie中缺少HttpOnly属性漏洞--分析解决



详细描述

会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息,造成用户cookie信息泄露,增加攻击者的跨站脚本攻击威胁。

 

HttpOnly是微软对cookie做的扩展,该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。

 

如果在Cookie中没有设置HttpOnly属性为true,可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息,如ASP.NET会话ID或Forms身份验证票证,攻击者可以重播窃取的Cookie,以便伪装成用户或获取敏感信息,进行跨站脚本攻击等。

 

如果在Cookie中设置HttpOnly属性为true,兼容浏览器接收到HttpOnly cookie,那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息,这将有助于缓解跨站点脚本威胁。

解决办法

向所有会话cookie中添加“HttpOnly”属性

Java示例:

HttpServletResponse response2 = (HttpServletResponse)response;

response2.setHeader( "Set-Cookie", "name=value; HttpOnly");

 

C#示例:

HttpCookie myCookie = new HttpCookie("myCookie");   

myCookie.HttpOnly = true;  

Response.AppendCookie(myCookie);

 

VB.NET示例:

Dim myCookie As HttpCookie = new HttpCookie("myCookie")  

myCookie.HttpOnly = True  

Response.AppendCookie(myCookie)



解决方式:使用过滤器为每一个cookie添加HttpOnly

在web.xml中加入拦截器:


    
    	CookieFilter
    	com.zfsoft.filter.CookieFilter
    
    
    	CookieFilter
    	/*
    

CookieFilter.java内容如下:

/**
 * 向所有会话cookie中添加“HttpOnly”属性
 * @author dyq
 * @date 20180628
 *
 */
public class CookieHttpOnlyFilter implements Filter{

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		// TODO Auto-generated method stub
		
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		HttpServletRequest Hrequest = (HttpServletRequest)request;
	    Cookie[] cookies=Hrequest.getCookies();
	    for(Cookie cookie:cookies){
	    	/**
	    	 * //tomcat7 支持该属性,tomcat6不支持
	    	 * //cookie.setHttpOnly(true);
	    	 */
	    	//tomcat6
	    	  String value = cookie.getValue();  
              StringBuilder builder = new StringBuilder();  
              builder.append("JSESSIONID=" + value + "; ");  
              builder.append("Secure; ");  
              builder.append("HttpOnly; ");  
              Calendar cal = Calendar.getInstance();  
              cal.add(Calendar.HOUR, 1);  
              Date date = cal.getTime();  
              Locale locale = Locale.CHINA;  
              SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale); 
              builder.append("Expires=" + sdf.format(date));  
              resp.setHeader("Set-Cookie", builder.toString()); 
	    	
	    }
	    chain.doFilter(new StrutsRequestWrapper((HttpServletRequest) request), response); 
	}

	@Override
	public void destroy() {
		// TODO Auto-generated method stub
		
	}

}

你可能感兴趣的:(安全漏洞)