Explain the function of static keyword and final keyword in Java in detail>>>
Code vulnerability scanning
Vulnerability Description: cross site history manipulation
Brief description: product behavior differences or sending different responses, to some extent, expose the product status related to security, such as whether a specific operation
is successful or not
possible vulnerability elimination methods:
Distinguish the “safe” areas of your system, which can clearly draw trust boundaries. Sensitive data is not allowed to go outside the trust boundary
, so it is necessary to be careful when interacting with the space outside the security zone
set the general response for the error condition. This error page should not reveal information about successful or failed sensitive operations. For example,
the login page should not confirm that the login is correct and the password is wrong. The attacker wants to guess some of the correct
account names by trying to enter random account names. Confirming the presence of an account will make the login page more vulnerable to brute force attacks
Solution:
After the verification is successful, there is a page Jump. At this time, add a random number to the page, as follows:
Response.Redirect("dongcoder.aspx?rand=" + Common.getRandValue());
:
, like RandValue,
public static string getRandValue()
{
string randValue = "";
using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
{
byte[] data = new byte[4];
rng.GetBytes(data);
Int32 value = BitConverter.ToInt32(data, 0);
if (value < 0) value = -value;
randValue = value.ToString();
}
return randValue;
}
Need to add reference
using System.Security.Cryptography;
Another method of generating random numbers is used here. If the common random method is used, the vulnerability will continue to be exposed
Excerpt: Code vulnerability scanning description cross site history manipulation solution
Similar Posts:
- [Solved] jmeter Error: Can‘t assign byte [] to java.lang.String
- [Solved] This function has none of DETERMINISTIC, NO SQL, or READS SQL DATA in its declaration and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)
- [Solved] exception is java.lang.NoClassDefFoundError: com.sun.crypto.provider.SunJCE
- There is no PasswordEncoder mapped for the id “null” [How to Solve]
- Python3 urlopen() TypeError: can’t convert ‘bytes’ object to str im…
- [Solved] IOS Package Error: ARCHIVE FAILED:Command CodeSign failed with a nonzero exit code
- A brief summary of hash calculation in resource packaging of unity
- PHP use$_ SERVER[‘PHP_ Self ‘] to get the current page address and its security issues
- SQL Server 2019 opens the data file MDF with an error
- Trouble Connecting to sql server Login failed. “The login is from an untrusted domain and cannot be used with Windows authentication”