会话cookie中缺少HttpOnly属性漏洞--分析解决

详细描述

会话cookie中缺少HttpOnly属性会导致攻击者可以通过程序(JS脚本、Applet等)获取到用户的cookie信息，造成用户cookie信息泄露，增加攻击者的跨站脚本攻击威胁。   HttpOnly是微软对cookie做的扩展，该值指定cookie是否可通过客户端脚本访问。Microsoft Internet Explorer 版本 6 Service Pack 1 和更高版本支持cookie属性HttpOnly。   如果在Cookie中没有设置HttpOnly属性为true，可能导致Cookie被窃取。窃取的Cookie可以包含标识站点用户的敏感信息，如ASP.NET会话ID或Forms身份验证票证，攻击者可以重播窃取的Cookie，以便伪装成用户或获取敏感信息，进行跨站脚本攻击等。   如果在Cookie中设置HttpOnly属性为true，兼容浏览器接收到HttpOnly cookie，那么客户端通过程序(JS脚本、Applet等)将无法读取到Cookie信息，这将有助于缓解跨站点脚本威胁。

解决办法

向所有会话cookie中添加“HttpOnly”属性。 Java示例： HttpServletResponse response2 = (HttpServletResponse)response; response2.setHeader( "Set-Cookie", "name=value; HttpOnly");   C#示例： HttpCookie myCookie = new HttpCookie("myCookie");    myCookie.HttpOnly = true;   Response.AppendCookie(myCookie);   VB.NET示例： Dim myCookie As HttpCookie = new HttpCookie("myCookie")   myCookie.HttpOnly = True   Response.AppendCookie(myCookie)

解决方式：使用过滤器为每一个cookie添加HttpOnly

在web.xml中加入拦截器：

    
    	CookieFilter
    	com.zfsoft.filter.CookieFilter
    
    
    	CookieFilter
    	/*
    

CookieFilter.java内容如下：

/**
 * 向所有会话cookie中添加“HttpOnly”属性
 * @author dyq
 * @date 20180628
 *
 */
public class CookieHttpOnlyFilter implements Filter{

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		// TODO Auto-generated method stub
		
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		HttpServletRequest Hrequest = (HttpServletRequest)request;
	    Cookie[] cookies=Hrequest.getCookies();
	    for(Cookie cookie:cookies){
	    	/**
	    	 * //tomcat7 支持该属性，tomcat6不支持
	    	 * //cookie.setHttpOnly(true);
	    	 */
	    	//tomcat6
	    	  String value = cookie.getValue();  
              StringBuilder builder = new StringBuilder();  
              builder.append("JSESSIONID=" + value + "; ");  
              builder.append("Secure; ");  
              builder.append("HttpOnly; ");  
              Calendar cal = Calendar.getInstance();  
              cal.add(Calendar.HOUR, 1);  
              Date date = cal.getTime();  
              Locale locale = Locale.CHINA;  
              SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",locale); 
              builder.append("Expires=" + sdf.format(date));  
              resp.setHeader("Set-Cookie", builder.toString()); 
	    	
	    }
	    chain.doFilter(new StrutsRequestWrapper((HttpServletRequest) request), response); 
	}

	@Override
	public void destroy() {
		// TODO Auto-generated method stub
		
	}

}