Analysis of JSP Security programming example

Java Server page (JSP) is a growing technology for building dynamic Web pages. JSP and ASP, PHP, working mechanism is not the same. In general, JSP pages are compiled, not interpreted, as they are executed. The first call to the JSP file is actually a process that compiles to a servlet. When the browser requests this JSP file from the server, the server will check whether the JSP file has changed since the last compilation, and if it does not change, execute the servlet directly without recompiling, thus the efficiency will be significantly improved.

Today I will be with you from a scripting point of view of the security of JSP, those such as source exposure classes of security risks are not covered in this article. The main purpose of writing this article is to beginners JSP programming friends to mention a wake up, from the beginning to cultivate the awareness of security programming, do not make mistakes, avoid the loss can be avoided. In addition, I am also a beginner, if there are errors or other comments please post enlighten.

First, not strict certification-low error

In the v1.12 version of the Overflow forum,

User_manager.jsp is a user-managed page, and the author knows its sensitivity, plus a lock:

if ((session.getValue("UserName")==null)││(session.getValue("UserClass")==null)││(! session.getValue("UserClass").equals("系统管理员")))
{
　response.sendRedirect("err.jsp?id=14");
　return;
}

If you want to view, modify a user's information, you need to use modifyuser_manager.jsp this file. Administrator Submit

http://www.somesite.com/yyforum/modifyuser_manager.jsp?modifyid=51

is to view and modify the data for the user with ID 51 (the Administrator default User ID is 51). However, such an important document is lack of certification, ordinary users (including tourists) also directly submitted to the above request can also be at a glance (the password is also stored in clear text, display). Modifyuser_manage.jsp is also open to the portal until a malicious user completes the operation of the data update and redirects to user_manager.jsp to see the belated display of the wrong page. Obviously, only lock a door is not enough, programming time must take pains to each of the additional identity certification of the place plus identity authentication.

Second, keep a good javabean entrance

The core of the JSP component technology is the Java component called the Bean. Logic control, database operations in the program can be placed in the JavaBeans component, and then called in the JSP file, which can increase the clarity of the program and the reusability of the program. JSP pages are very concise compared to traditional ASP or PHP pages, as many dynamic page processing processes can be encapsulated into JavaBean.

To change the JavaBean property, use the " " tag.

The following code is part of a hypothetical electronic shopping system's source code, which is used to display information in the user's shopping box, and checkout.jsp is used for checkout.

＜jsp:useBean id="myBasket" class="BasketBean"＞
＜jsp:setProperty name="myBasket" property="*"/＞
＜jsp:useBean＞
＜html＞
＜head＞＜title＞Your Basket＜/title＞＜/head＞
＜body＞
＜p＞
You have added the item
＜jsp::getProperty name="myBasket" property="newItem"/＞
to your basket.
＜br/＞
Your total is $
＜jsp::getProperty name="myBasket" property="balance"/＞
Proceed to ＜a href="checkout.jsp"＞checkout＜/a＞

Did you notice the property= "*"? This indicates that the value of the entire variable that the user entered in the visible JSP page or submitted directly through query string is stored in the matching bean property.

Typically, a user submits a request like this:

http://www.somesite.com /addToBasket.jsp?newItem=ITEM0105342

But what about the unruly users? They may submit:

http://www.somesite.com /addToBasket.jsp?newItem=ITEM0105342&balance=0

In this way, the balance=0 information is stored in the JavaBean. When they click on the "Chekout" checkout, the cost is free.

This is the same as the security problems caused by global variables in PHP. This shows: "property=" * "must be used with caution!"