Analysis of JSP Secure Programming Examples (1)

Source: Internet
Author: User

JavaServer Pages (JSP) is becoming increasingly popular as a technology for building dynamic web pages. JSP works differently from ASP and PHP: JSP pages are generally compiled rather than interpreted at execution time. The first call to a JSP file is in fact a process of compiling it into a Servlet. When a browser requests the JSP file from the server, the server checks whether the file has changed since the previous compilation; if it has not, the server executes the existing Servlet directly without recompiling, which improves efficiency significantly.

Today I will look at JSP security with you from the perspective of script programming. Security risks such as source code exposure are not covered in this article. Its main purpose is to remind beginners in JSP programming that an awareness of secure programming should be cultivated from the very start, so that mistakes which should never be made are avoided along with the losses they can cause. I am also a beginner; if you find any mistakes or have other comments, please let me know.

1. Lax authentication: a low-level mistake

user_manager.jsp is the user management page in version 1.12 of the forum. Its author knew how sensitive it was and added a lock:

    if (session.getValue("UserName") == null
            || session.getValue("UserClass") == null
            || !session.getValue("UserClass").equals("System Administrator")) {
        response.sendRedirect("err.jsp?id=14");
        return;
    }

Viewing and modifying a user's information is done through modifyuser_manager.jsp. When the administrator submits

http://www.somesite.com/yyforum/modifyuser_manager.jsp?modifyid=51

the page displays, and allows editing of, the user whose ID is 51 (51 is the default ID of the data administrator). Yet this important file performs no authentication at all: an ordinary user, or even a visitor, can submit the same request directly and see all of that user's information, including the password, which is stored and displayed in plaintext. modifyuser_manage.jsp, which performs the actual update, is equally wide open; the only check a malicious user ever meets is the one on user_manager.jsp, to which they are redirected after the data update has already completed. Clearly, locking a single door is far from enough. When programming, every place that requires identity authentication must carry its own check.
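One way to make sure no admin page is left unlocked is to perform the check once, in a servlet Filter mapped to all of the admin URLs, instead of pasting the scriptlet into each page and hoping none is forgotten. This is an added example, not the forum's own code; it assumes a Servlet 3.0+ container (javax.servlet namespace), reuses the session attribute names, paths and error redirect from the article, and uses getAttribute in place of the deprecated getValue.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// One filter covers every admin page by URL pattern, so a page that lacks its
// own check (as modifyuser_manager.jsp did) is still protected. Paths are the
// article's; adjust them to the real deployment.
@WebFilter(urlPatterns = {"/yyforum/user_manager.jsp",
                          "/yyforum/modifyuser_manager.jsp",
                          "/yyforum/modifyuser_manage.jsp"})
public class AdminOnlyFilter implements Filter {

    // Same rule as the article's inline check, written null-safe.
    static boolean isSystemAdministrator(HttpSession session) {
        if (session == null) return false;            // visitor has no session at all
        Object userName = session.getAttribute("UserName");
        Object userClass = session.getAttribute("UserClass");
        return userName != null && "System Administrator".equals(userClass);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // getSession(false) does not create a session for anonymous visitors
        if (!isSystemAdministrator(request.getSession(false))) {
            response.sendRedirect(request.getContextPath() + "/yyforum/err.jsp?id=14");
            return;                                   // the protected page never executes
        }
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Because the filter runs before the JSP is invoked, the update in modifyuser_manage.jsp can no longer complete before the check is reached.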

2. Guard the entry points of JavaBeans

The core of JSP component technology is the JavaBean. Logic control and database operations can be placed in JavaBean components and then called from the JSP file, which makes the program clearer and more reusable. Compared with traditional ASP or PHP pages, JSP pages are very simple, because much of the dynamic page processing can be encapsulated in JavaBeans.

To change a JavaBean attribute, use the <jsp:setProperty> tag. The following code is part of the source of a hypothetical online shopping system. This file displays the contents of the user's shopping basket, while checkout.jsp handles payment.

    <jsp:useBean id="myBasket" class="BasketBean">
      <jsp:setProperty name="myBasket" property="*"/>
    </jsp:useBean>
    <html>
    <head><title>Your Basket</title></head>
    <body>
    <p>
    You have added the item <jsp:getProperty name="myBasket" property="newItem"/> to your basket.<br/>
    Your total is $<jsp:getProperty name="myBasket" property="balance"/>
    Proceed to <a href="checkout.jsp">checkout</a>
    </p>
    </body>
    </html>

Have you noticed property="*"? It means that the value of every variable entered on the visible JSP page, or submitted directly in the query string, is stored in the bean property with the matching name.

Normally a user submits a request like http://www.somesite.com/addToBasket.jsp?newItem=ITEM0105342, but what about a user who does not play by the rules? They may submit: http://www.somesite.com/addToBasket.jsp?newItem=ITEM0105342&balance=0

In this way, balance=0 is stored in the JavaBean, and when they click "checkout" to settle the bill, the total due is nothing.

This is similar to the security problems caused by global variables in PHP. Clearly, property="*" must be used with caution!
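To see why the tampered request works, and what stops it, the following added example (not code from the article) reproduces the binding that <jsp:setProperty property="*"/> performs, using the JavaBeans Introspector, and runs it against two hypothetical beans: one where balance has a public setter and one where the balance is computed server-side and has no setter. Bean and class names are constructed for the demo; the parameter names and values are the article's.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Map;

public class MassAssignmentDemo {
    // Weak bean: balance has a public setter, so property="*" lets a
    // "balance" request parameter overwrite it.
    public static class BasketBean {
        private String newItem; private int balanceCents = 1999;
        public String getNewItem() { return newItem; }
        public void setNewItem(String v) { newItem = v; }
        public int getBalance() { return balanceCents; }
        public void setBalance(int v) { balanceCents = v; }
    }

    // Hardened bean: the balance is computed server-side and has no setter,
    // so a "balance" parameter has nothing to bind to and is ignored.
    public static class SafeBasketBean {
        private String newItem; private int balanceCents = 1999;
        public String getNewItem() { return newItem; }
        public void setNewItem(String v) { newItem = v; balanceCents += priceOf(v); }
        public int getBalance() { return balanceCents; }
        static int priceOf(String item) { return 1000; } // stand-in for a catalogue lookup
    }

    // Mimics <jsp:setProperty property="*"/>: for every request parameter that
    // names a writable bean property, call its setter with the converted value.
    static void setAllProperties(Object bean, Map<String, String> params) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass(), Object.class)
                                                 .getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            String raw = params.get(pd.getName());
            if (setter == null || raw == null) continue; // read-only property or absent parameter
            Object value = (pd.getPropertyType() == int.class) ? (Object) Integer.parseInt(raw) : raw;
            setter.invoke(bean, value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: ?newItem=ITEM0105342&balance=0, the tampered URL from the article
        Map<String, String> tampered = Map.of("newItem", "ITEM0105342", "balance", "0");
        BasketBean weak = new BasketBean();
        setAllProperties(weak, tampered);
        System.out.println("weak bean balance (cents): " + weak.getBalance());      // attacker-chosen
        SafeBasketBean safe = new SafeBasketBean();
        setAllProperties(safe, tampered);
        System.out.println("hardened bean balance (cents): " + safe.getBalance());  // server-computed
    }
}
```

The other fix is on the page side: bind only the fields the user is meant to supply, for example <jsp:setProperty name="myBasket" property="newItem"/>, instead of property="*".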

