Since its launch, jsp programming language has been widely used due to its fast, platform-independent, scalable, and object-oriented features, more and more manufacturers have developed a variety of support platforms, such as IBM WebSphere and BEA's WebLogic. More and more websites have begun to build their own platform architecture in the jsp environment.
However, it is followed by a series of security vulnerabilities, such as source code exposure vulnerabilities, remote arbitrary command execution vulnerabilities, and so on. What's more headaches is that with the increasingly wide application of jsp, security issues are also increasing. As of this article, there have been as many as two or thirty jsp vulnerabilities published on the Internet (not including those not yet published ). (Statistical data comes from http://www.securityfocus.com)
Don't underestimate these issues. Imagine that the jsp code you have developed is easily obtained by others. More importantly, after your company's website code is downloaded, people with ulterior motives will view your code and find some vulnerabilities to attack your company's website. Therefore, these problems cannot be ignored. The author searched some domestic websites using jsp on sohu and found that some websites have various vulnerabilities and can easily download jsp source code.
This article focuses on the classification of jsp security issues and puts forward suggestions for solutions. Therefore, only one example is used for each type of security issues, for other specific details of various vulnerabilities such as the software version of which the operating system is not described one by one, interested readers can go to my site jsp enthusiasts (http://jspbbs.yeah.net) or foreign security site (http://www.securityfocus.com) for viewing and reference.
Based on the existing jsp security problems, we may divide them into the following categories: Source code exposure, remote program execution, and other categories. Let's take a look at specific things.
I. Source code exposure
The source code exposure category mainly refers to that the program source code will be returned to visitors in plaintext.
We know that dynamic programs, such as jsp, asp, and php, are executed on the server. After execution, they only return standard html and other code to visitors. This is a theoretical thing. In practice, the internal mechanism of the server may cause the vulnerability of source code exposure, in a simple example, you only need to add a few simple characters after the program file name to obtain the program code, such as the common Microsoft asp global. asa +. htr, XXXX. vulnerabilities such as asp % 81.
1. jsp source code exposure caused by adding special suffixes
Jsp also has issues similar to asp vulnerabilities, such as jsp file suffix capitalization vulnerabilities such as IBM Websphere Application Server 3.0.21, BEA Systems Weblogic 4.5.1, and Tomcat3.1; add special characters such as % 82 and .. of Resin1.2 to the jsp file ,.. /vulnerabilities; % 2E and + vulnerabilities of ServletExec.
Example: For an old JSP capital example, Tomcat 8080 is originally http: // localhost:/inde in the browser. jsp, which can be interpreted and executed normally. change jsp to inde. JSP or inde. jsp and so on. You will find that the browser will prompt you to download this file. After downloading the source code, you can check the source code.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
