Use org.apache.commons.lang.StringEscapeUtils to process input box content [StringEscapeUtils.escapeSql(str); StringEscapeUtils.escapeHtml(str)]
1. Cross-site scripting (XSS) - Solutions - XSS occurs because data entered by the user becomes code, so user input needs to be HTML-escaped: special characters such as angle brackets, single quotes and double quotes are escape-encoded.
2. SQL injection - When an error occurs, replace the stack trace information with a custom error page:
<error-page>
    <!-- error code assumed to be 400 from the page name; the original value was lost -->
    <error-code>400</error-code>
    <location>/error400.jsp</location>
</error-page>
3. Cross-site request forgery (CSRF) - Solutions - 1. Set the cookie to HttpOnly. In server.xml use the following configuration:
<Context docBase="project" path="/netcredit" reloadable="false" useHttpOnly="true"/>
web.xml is configured as:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
    <session-timeout>30</session-timeout>
</session-config>
2. Add a token as a hidden field in the form, submit it together with the form, and verify the token on the server. 3. Referer checking: according to the HTTP protocol, the HTTP header contains a field called Referer, which records the source address of the HTTP request. For an attacker to carry out a CSRF attack, the request must be forged from another site, and when a user sends a request through another web site, the Referer value of that request is the URL of the other web site. You can therefore verify the Referer value of each request.
4. File Upload Vulnerability
In online operation, pictures and files are often uploaded to the server and saved. If the uploaded file is not correctly verified, malicious attackers can upload viruses, trojans, plug-ins and so on to the server, steal server information, and even bring the server down. Therefore uploaded files need to be verified. Many file types begin with a fixed sequence of bytes, so the type of a file can be determined from the content of these bytes, which are also known as the magic number. Set a type whitelist.
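The magic-number whitelist described above, as an added example that is not part of the original page: the class name, the set of allowed types and the sample byte arrays are assumptions, and a file is accepted only when its extension is whitelisted and the leading bytes agree with that extension.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class UploadTypeCheck {
    // Whitelist of allowed types: extension -> leading bytes (magic number).
    private static final Map<String, byte[]> MAGIC = new LinkedHashMap<>();
    static {
        MAGIC.put("png", new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        MAGIC.put("jpg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        MAGIC.put("gif", new byte[]{'G', 'I', 'F', '8'});
        MAGIC.put("pdf", new byte[]{'%', 'P', 'D', 'F', '-'});
    }

    /** Returns the whitelisted type whose magic number matches the first bytes, or null if none. */
    public static String detectType(byte[] head) {
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] sig = e.getValue();
            if (head.length >= sig.length && Arrays.equals(Arrays.copyOf(head, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    /** Accepts the upload only if the extension is whitelisted and the content agrees with it. */
    public static boolean isAllowed(String fileName, byte[] head) {
        // Reject path separators and names without an extension.
        if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0) return false;
        int dot = fileName.lastIndexOf('.');
        if (dot < 0) return false;
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (ext.equals("jpeg")) ext = "jpg";
        String detected = detectType(head);
        return detected != null && detected.equals(ext);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real files.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] text = "not an image".getBytes(StandardCharsets.US_ASCII);
        System.out.println("png content, .png name: " + isAllowed("avatar.png", png));
        System.out.println("png content, .jsp name: " + isAllowed("avatar.jsp", png));
        System.out.println("text content, .png name: " + isAllowed("avatar.png", text));
    }
}
```

Read only the first few bytes of the upload into `head` before deciding, and keep the extension check as well, since the magic number alone does not tell you what the server will do with the file name.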
Web Security implications