87,997
社区成员
发帖
与我相关
我的任务
分享jsp页面跨站脚本攻击
最近写一个系统,需要单点登录:自己页面跳转到客户的内部系统登录界面,然后返回相应信息,再进行相应的逻辑判断。现在客户用自己的软件(不知道什么软件)测试出系统存在3个跨站脚本高危漏洞,就是index.jsp里面。我已经写了一个filter来过滤非法字符,即防止在url中输入非法字符,但漏洞依然存在,求指教!
如下是index.jsp的代码:
<%@ page language="java" pageEncoding="UTF-8"%>
<%@taglib uri="/struts-tags" prefix="s"%>
<%@page import="javax.servlet.http.Cookie"%>
<%@page import="javax.servlet.http.HttpServletResponse"%>
<%@page import="javax.servlet.http.HttpServletRequest"%>
<%@page import="org.apache.struts2.ServletActionContext"%>
<%@page import="com.opensymphony.xwork2.ActionContext"%>
<%@page import="java.util.Locale"%>
<%@page import="java.util.Map"%>
<%@page import="com.gamutsoft.itsm.util.BaseAction"%>
<html>
<script language="javascript" src="<%=request.getContextPath() %>/js/jquery.js" type="text/javascript"></script>
<body>
<s:bean name="com.gamutsoft.itsm.system.service.ItsmConfigService" id="config"/>
<s:set name="language" value="#config.getItsmConfigByLanguage().getValue()"></s:set>
<%
Cookie[] cookies = request.getCookies();
Cookie defaultCookie = null;
Map session1 = ActionContext.getContext().getSession();
String language = null;
if(cookies!=null)
{
for(int i=0;cookies.length>i;i++)
{
if(BaseAction.LANGUAGE_COOKIE_KEY.equals(cookies[i].getName()))
{
defaultCookie = cookies[i];
language = defaultCookie.getValue();
}
//System.out.println(cookies[i].getName()+"~~~~~~"+cookies[i].getValue());
}
}
if(defaultCookie==null)
{
%>
<s:if test="#language=='en_US'">
<%
defaultCookie = new Cookie(BaseAction.LANGUAGE_COOKIE_KEY,"en_US");
defaultCookie.setMaxAge(60*60*24*365);//cookie时间
defaultCookie.setPath("/"); //根据个人的不用,在不同功能的路径下创建
response.addCookie(defaultCookie);
%>
</s:if>
<s:else>
<%
defaultCookie = new Cookie(BaseAction.LANGUAGE_COOKIE_KEY,"zh_CN");
defaultCookie.setMaxAge(60*60*24*365);//cookie时间
defaultCookie.setPath("/"); //根据个人的不用,在不同功能的路径下创建
response.addCookie(defaultCookie);
%>
</s:else>
<%
language = defaultCookie.getValue();
}
%>
<form action="<%=request.getContextPath() %>/E2LoginLanguageAction.action" method="post" name="E2LoginForm" id="E2LoginForm">
<input type="hidden" name="selfServiceFlag" id="selfServiceFlag" value="index"/>
<input type="hidden" name="language" id="language" value="<%=language %>"/>
</form>
<script type="text/javascript">
var urls="";
$.post('<%=request.getContextPath() %>/ssoCheckLanguageAction.action',{RequestType:'url',url:urls},
//回调函数
function(data){
data=decodeURI(data);
var value=data.split('|');
if(value[0]=="0"){ //跳转到登陆页面
var loginForm = document.getElementById('E2LoginForm');
loginForm.submit();
}
else{
window.location.href=value[1]+"?flag="+new Date().getTime()+"&url=<%=request.getRequestURL().toString()%>";
};
});
</script>
</body>
</html>
如下是index.jsp的代码:
<%@ page language="java" pageEncoding="UTF-8"%>
<%@taglib uri="/struts-tags" prefix="s"%>
<%@page import="javax.servlet.http.Cookie"%>
<%@page import="javax.servlet.http.HttpServletResponse"%>
<%@page import="javax.servlet.http.HttpServletRequest"%>
<%@page import="org.apache.struts2.ServletActionContext"%>
<%@page import="com.opensymphony.xwork2.ActionContext"%>
<%@page import="java.util.Locale"%>
<%@page import="java.util.Map"%>
<%@page import="com.gamutsoft.itsm.util.BaseAction"%>
<html>
<script language="javascript" src="<%=request.getContextPath() %>/js/jquery.js" type="text/javascript"></script>
<body>
<s:bean name="com.gamutsoft.itsm.system.service.ItsmConfigService" id="config"/>
<s:set name="language" value="#config.getItsmConfigByLanguage().getValue()"></s:set>
<%
Cookie[] cookies = request.getCookies();
Cookie defaultCookie = null;
Map session1 = ActionContext.getContext().getSession();
String language = null;
if(cookies!=null)
{
for(int i=0;cookies.length>i;i++)
{
if(BaseAction.LANGUAGE_COOKIE_KEY.equals(cookies[i].getName()))
{
defaultCookie = cookies[i];
language = defaultCookie.getValue();
}
//System.out.println(cookies[i].getName()+"~~~~~~"+cookies[i].getValue());
}
}
if(defaultCookie==null)
{
%>
<s:if test="#language=='en_US'">
<%
defaultCookie = new Cookie(BaseAction.LANGUAGE_COOKIE_KEY,"en_US");
defaultCookie.setMaxAge(60*60*24*365);//cookie时间
defaultCookie.setPath("/"); //根据个人的不用,在不同功能的路径下创建
response.addCookie(defaultCookie);
%>
</s:if>
<s:else>
<%
defaultCookie = new Cookie(BaseAction.LANGUAGE_COOKIE_KEY,"zh_CN");
defaultCookie.setMaxAge(60*60*24*365);//cookie时间
defaultCookie.setPath("/"); //根据个人的不用,在不同功能的路径下创建
response.addCookie(defaultCookie);
%>
</s:else>
<%
language = defaultCookie.getValue();
}
%>
<form action="<%=request.getContextPath() %>/E2LoginLanguageAction.action" method="post" name="E2LoginForm" id="E2LoginForm">
<input type="hidden" name="selfServiceFlag" id="selfServiceFlag" value="index"/>
<input type="hidden" name="language" id="language" value="<%=language %>"/>
</form>
<script type="text/javascript">
var urls="";
$.post('<%=request.getContextPath() %>/ssoCheckLanguageAction.action',{RequestType:'url',url:urls},
//回调函数
function(data){
data=decodeURI(data);
var value=data.split('|');
if(value[0]=="0"){ //跳转到登陆页面
var loginForm = document.getElementById('E2LoginForm');
loginForm.submit();
}
else{
window.location.href=value[1]+"?flag="+new Date().getTime()+"&url=<%=request.getRequestURL().toString()%>";
};
});
</script>
</body>
</html>
...全文
请发表友善的回复…
发表回复
