Vulnerability fix: JavaScript framework/library vulnerability

mac  2025-06-14



A JavaScript framework or library is a set of tools and functions that makes it easy to produce cross-browser-compatible JavaScript. If a site ships a JavaScript framework or library with a known vulnerability, an attacker can exploit it to take control of the user's browser and carry out drive-by malware delivery, XSS, cookie theft and similar attacks. This article covers only the cookie-theft part: setting HttpOnly on the cookie so that script running in the page cannot read it through document.cookie. Note that HttpOnly does not remove the vulnerable library (upgrading it is still required); it limits what a script injected through that library can steal.

Reproduction

<script type="text/javascript" src="/js/jquery.cookie.js"></script>
<script type="text/javascript">
    // With jquery.cookie.js loaded, any script in the page (including an injected XSS payload)
    // can read the session token as long as the cookie is not marked HttpOnly.
    function getCookie() {
        alert("cookie:" + $.cookie("AUTH_TOKEN"));
    }
</script>

The fixes are as follows:

Option 1: upgrade to Servlet 3.0 (requires a Java EE 6 compatible container, such as Tomcat 7)

Maven dependency

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>javax.servlet-api</artifactId>
    <version>3.1.0</version>
    <scope>provided</scope>
</dependency>

Servlet 3.0 supports setting HttpOnly and provides the following API:

/**
 * @since Servlet 3.0
 */
public interface SessionCookieConfig {
    ..............
    /**
     * @see javax.servlet.http.Cookie#setHttpOnly(boolean)
     */
    public void setHttpOnly(boolean httpOnly);

    /**
     * @see javax.servlet.http.Cookie#isHttpOnly()
     */
    public boolean isHttpOnly();
    ..................
}

public class Cookie implements Cloneable, Serializable {
    ..................
    /**
     * @since Servlet 3.0
     */
    public void setHttpOnly(boolean isHttpOnly) {
        this.isHttpOnly = isHttpOnly;
    }

    /**
     * @since Servlet 3.0
     */
    public boolean isHttpOnly() {
        return isHttpOnly;
    }
    ..................
}

Application code

public static void saveCookie(HttpServletResponse response, String name, String value, int saveTime) {
    Cookie cookie = new Cookie(name, value);
    cookie.setMaxAge(saveTime);
    cookie.setPath("/");
    // Servlet 3.0 provides setHttpOnly().
    cookie.setHttpOnly(true);
    response.addCookie(cookie);
}
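Both saveCookie() variants set HttpOnly one cookie at a time at each call site. As an added example (not code from the original post), the following Servlet 3.0 code applies the flag centrally instead: a ServletContextListener marks the container's own session cookie (JSESSIONID) HttpOnly through the SessionCookieConfig API shown above, and a Filter wraps the response so that every cookie passed to addCookie() gets the flag no matter which servlet created it. The class names and the "/*" filter mapping are this example's own choices.

```java
// --- SessionCookieHardening.java ---
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

/**
 * Runs once at deployment, before the first session is created, so the
 * container's session cookie (JSESSIONID) is always issued with HttpOnly.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().getSessionCookieConfig().setHttpOnly(true);
        // Only correct when the application is served over HTTPS:
        // sce.getServletContext().getSessionCookieConfig().setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}

// --- HttpOnlyCookieFilter.java ---
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Wraps every response so that application cookies added through
 * HttpServletResponse.addCookie() are forced to HttpOnly, even in code
 * that forgot to call cookie.setHttpOnly(true).
 */
@WebFilter("/*")
public class HttpOnlyCookieFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override
                public void addCookie(Cookie cookie) {
                    cookie.setHttpOnly(true); // Servlet 3.0 API
                    super.addCookie(cookie);
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}
```

A cookie written as a raw header with addHeader("Set-Cookie", ...) (as in option 2 below) bypasses the wrapper's addCookie() and has to carry HttpOnly itself. The same session-cookie setting can also be declared in a Servlet 3.0 web.xml under session-config / cookie-config / http-only, which is the option when no code change is possible.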

Result:

Option 2: use HttpResponse.addHeader() to write the Set-Cookie value directly

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class CookieUtil {
    /**
     * Writes a cookie as a raw Set-Cookie header so that HttpOnly can be set
     * on containers whose Cookie class predates Servlet 3.0.
     * @param response   HTTP response
     * @param cookie     cookie to write
     * @param isHttpOnly whether to add the HttpOnly attribute
     */
    public static void addCookie(HttpServletResponse response, Cookie cookie, boolean isHttpOnly) {
        String name = cookie.getName();        // cookie name
        String value = cookie.getValue();      // cookie value
        int maxAge = cookie.getMaxAge();       // lifetime in seconds; 0 deletes the cookie, -1 means a session cookie
        String path = cookie.getPath();        // path
        String domain = cookie.getDomain();    // domain
        boolean isSecure = cookie.getSecure(); // send only over HTTPS

        StringBuilder buffer = new StringBuilder();
        buffer.append(name).append("=").append(value);
        if (maxAge >= 0) {
            // -1 (session cookie) emits no Max-Age. Browsers that only understand Expires are not handled here.
            buffer.append("; Max-Age=").append(maxAge);
        }
        if (path != null) {
            buffer.append("; Path=").append(path);
        }
        if (domain != null) {
            buffer.append("; Domain=").append(domain);
        }
        if (isSecure) {
            buffer.append("; Secure");
        }
        if (isHttpOnly) {
            buffer.append("; HttpOnly");
        }
        response.addHeader("Set-Cookie", buffer.toString());
    }
}

Application code

public static void saveCookie(HttpServletResponse response, String name, String value, int saveTime) {
    Cookie cookie = new Cookie(name, value);
    cookie.setMaxAge(saveTime);
    cookie.setPath("/");
    CookieUtil.addCookie(response, cookie, true);
}

The result is the same as option 1.
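Neither option shows how to confirm the fix other than by looking at the response in a browser. As an added example (not part of the original post), the class below parses Set-Cookie header values, such as those produced by CookieUtil above or captured from a response with response.getHeaders("Set-Cookie"), and reports every cookie that lacks HttpOnly and, optionally, Secure. The class name and the sample headers in main() are constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Audits Set-Cookie header values for the HttpOnly (and optionally Secure) attributes. */
public class SetCookieAudit {

    /**
     * Returns one finding per cookie that is missing an expected attribute.
     * An empty list means every cookie carries HttpOnly (and Secure, if required).
     */
    public static List<String> audit(Collection<String> setCookieHeaders, boolean requireSecure) {
        List<String> findings = new ArrayList<String>();
        for (String header : setCookieHeaders) {
            // "name=value; attr; attr=value; ..." -> first segment is the pair, the rest are attributes
            String[] parts = header.split(";");
            String name = parts[0].split("=", 2)[0].trim();
            boolean httpOnly = false;
            boolean secure = false;
            for (int i = 1; i < parts.length; i++) {
                // Attribute names are case-insensitive per RFC 6265
                String attr = parts[i].trim().toLowerCase(Locale.ROOT);
                if (attr.equals("httponly")) {
                    httpOnly = true;
                } else if (attr.equals("secure")) {
                    secure = true;
                }
            }
            if (!httpOnly) {
                findings.add(name + ": missing HttpOnly");
            }
            if (requireSecure && !secure) {
                findings.add(name + ": missing Secure");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers, in the shape a captured HTTP response would carry them.
        List<String> headers = Arrays.asList(
                "AUTH_TOKEN=abc123; Max-Age=3600; Path=/; HttpOnly",
                "JSESSIONID=9F2A; Path=/; HttpOnly; Secure",
                "prefs=dark; Path=/");
        for (String finding : audit(headers, true)) {
            System.out.println(finding);
        }
    }
}
```

Run against the sample headers this prints "AUTH_TOKEN: missing Secure", "prefs: missing HttpOnly" and "prefs: missing Secure". In a deployment test, feed it the values from response.getHeaders("Set-Cookie") (Servlet 3.0) or paste the Set-Cookie lines from a curl -I capture; pass requireSecure=false for sites that are not served over HTTPS.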
