簡易的寫出我的解法
詳細了解需自行查詢相關資訊
Log Forging
增加驗證黑名單字符
public static String checkLog(String log){
List list = new ArrayList();
list.add("%0d");
list.add("\r");
list.add("%0a");
list.add("\n");
String encode = Normalizer.normalize(log, Normalizer.Form.NFKC);
for (int i =0 ; i < list.size() ; i++){
encode-encode.replace(list.get(i),"");
}
return encode;
}Open Redirect
非直接使用網址進行轉址
js
const allowlist = ['/index', '/sitemap'];
function redirect(url){
if (allowlist.indexOf(url) > -1) {
res.redirect(url);
} else {
res.redirect('/home');
}
}Path Manipulation
使用白名單字符
public static String cleanString(String aString) {
if (aString == null) return null;
String cleanString = "";
for (int i = 0; i < aString.length(); ++i) {
cleanString += cleanChar(aString.charAt(i));
}
return cleanString;
}
private static char cleanChar(char aChar) {
for (int i = 48; i < 58; ++i) {
if (aChar == i) return (char) i;
}
for (int i = 65; i < 91; ++i) {
if (aChar == i) return (char) i;
}
for (int i = 97; i < 123; ++i) {
if (aChar == i) return (char) i;
}
switch (aChar) {
case '/':
return '/';
case '.':
return '.';
case '-':
return '-';
case '_':
return '_';
case ' ':
return ' ';
}
return '%';
}
}
Insecure Randomness
修改為安全random
SecureRandom rand = new SecureRandom();
rand.setSeed((new Date()).getTime());
rand.nextInt(10);Category: Mass Assignment: Insecure Binder Configuration
增加允許 與 不允許的聯繫
@InitBinder
public void initBinder(WebDataBinder binder) {
binder.setDisallowedFields(new String[] {});
}Category: Cross-Site Scripting: Persistent
XSS 攻擊防止
pom
org.owasp.encoder encoder 1.2.2
jsp
<%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
//HTML
${e:forHtml(loginUsername)}
$1e:forHtml($2)$3
//script
let details=JSON.parse('${e:forJavaScript(contents)}');
let gsi=JSON.parse('${e:forJavaScript(gsi==null?"''":gsi)}'); //審核狀態檔
let pageindex=JSON.parse('${e:forJavaScript(pageindexset)}');
Category: Password Management: Password in Configuration File
在組態設定檔案中儲存純文字密碼可能會危及系統安全
進行加密
pom
com.github.ulisesbocchio jasypt-spring-boot-starter 2.1.2
application.properties
jasypt.encryptor.password=test
spring.datasource.username=ENC()
spring.datasource.password=ENC()
Category: Privacy Violation: Autocomplete
<input name="password" type="password" " autocomplete="off"/>Category: LDAP Injection
驗證輸入內容 白名單字符
public static String cleanString(String aString) {
if (aString == null) return null;
String cleanString = "";
for (int i = 0; i < aString.length(); ++i) {
cleanString += cleanChar(aString.charAt(i));
}
return cleanString;
}private static char cleanChar(char aChar) {
// 0 - 9
for (int i = 48; i < 58; ++i) {
if (aChar == i) return (char) i;
}
// 'A' - 'Z'
for (int i = 65; i < 91; ++i) {
if (aChar == i) return (char) i;
}
// 'a' - 'z'
for (int i = 97; i < 123; ++i) {
if (aChar == i) return (char) i;
}
// other valid characters
switch (aChar) {
case '*':
return '*';
case '(':
return '(';
case ')':
return ')';
case '.':
return '.';
case '&':
return '&';
case '-':
return '-';
case '_':
return '_';
case '[':
return '[';
case ']':
return ']';
case '`':
return '`';
case '~':
return '~';
case '|':
return '|';
case '@':
return '@';
case '$':
return '$';
case '%':
return '%';
case '^':
return '^';
case '?':
return '?';
case ':':
return ':';
case '{':
return '{';
case '}':
return '}';
case '!':
return '!';
}
return '%';
}Privacy Violation
請移除保密資料