Bootstrap

超详细的cookie属性HttpOnly和SameSite引起的漏洞解决方案

        我们项目上线前都经过漏洞扫描,并针对漏扫报告修改存在的漏洞,每次扫描都有2个关于cookie方面的漏扫(漏洞级别属于低),漏洞名字分别是:Cookie No HttpOnly Flag 和 Cookie Without SameSite Attribute。每次上线前漏扫,测试同事都催着让改(由于属于低级别漏洞,都一直拖着),我看以前同事改过几次,但是都没起作用,漏洞还存在。所以就研究一下,自己做下总结。

关于这2个漏洞简单介绍

        Cookie No HttpOnly Flag:没有安全标签的cookie,需要把httponly属性设置为true;这样就可以防止跨站脚本攻击XSS(Cross Site script)。

        Cookie Without SameSite Attribute: 意思cookie的samesite属性设置了none,当samesite=none时,有可能存在跨站请求伪造CSRF(cross site request forgery)攻击的风险。samesite属性有三个值:Strict/Lax/None。具体意思大家自行百度吧。我们这里把samesite设置成Lax就可以了。

错误的解决方案

        我也在网上查了很多资料,都是写个过滤器filter,然后在response里设置下,大概代码如下:

response.setHeader("SameSite","Lax");
response.setHeader("Set-Cookie","HttpOnly");

其实我们就是这么改的,但是不生效,这2个漏洞还存在。在浏览器F12下看相关信息截图如下:

        在响应头里确实有了这个2个属性,由于前期对cookie的这2个属性不了解,以为这样就可以了,但是这是无法解决这2个漏洞的。

错误解决方案的代码如下

package com.lsl.mylsl.filter;

import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class CookieFilter implements Filter {


    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        //这里模拟下浏览器发送请求中包含三个cookie,
        // 因为后端在request中无法添加cookie,咱们就先添加到response中,
        //第一次请求把三个cookie带到客户端,再请求时浏览器就把这三个cookie带过来了
        Cookie cookie1 = new Cookie("name","lsl");
        httpResponse.addCookie(cookie1);
        Cookie cookie2 = new Cookie("age","18");
        httpResponse.addCookie(cookie2);
        Cookie cookie3 = new Cookie("addr","beijing");
        httpResponse.addCookie(cookie3);


        httpResponse.setHeader("SameSite","Lax");
        httpResponse.setHeader("Set-Cookie","HttpOnly");
        filterChain.doFilter(httpRequest,httpResponse);
    }
}

如果解决了这2个漏洞,正确的截图如下

图1:

图2:下图红色框上面的也有三个set-cookie属性,分别有三个cookie,但是后面没有httponly和samesite属性。原因我在代码里模拟了客户端发送请求里放了三个cookie。这是第一次请求时添加的heeader属性,红色框里是第二次请求request才把三个cookie带过来,所以才有这2个属性。大家可以看后面附的正确解决方案的代码

图3:

正确方案的代码如下:

package com.lsl.mylsl.filter;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class CookieFilter implements Filter {


    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        //这里模拟下浏览器发送请求中包含三个cookie,
        // 因为后端在request中无法添加cookie,咱们就先添加到response中,
        //第一次请求把三个cookie带到客户端,再请求时浏览器就把这三个cookie带过来了
        Cookie cookie1 = new Cookie("name","lsl");
        httpResponse.addCookie(cookie1);
        Cookie cookie2 = new Cookie("age","18");
        httpResponse.addCookie(cookie2);
        Cookie cookie3 = new Cookie("addr","beijing");
        httpResponse.addCookie(cookie3);

        String url = httpRequest.getRequestURL().toString();

        Cookie[] cookies = httpRequest.getCookies();
        if (cookies != null){
            StringBuilder sb = new StringBuilder();
            for (Cookie cookie : cookies){
                String cookieName = cookie.getName();
                String cookieValue = cookie.getValue();
                System.out.println("url = " + url + ", cookieName = " + cookieName + ", cookieValue = " + cookieValue);
                ResponseCookie lastCookie = ResponseCookie.from(cookieName, cookieValue).httpOnly(true).sameSite("Lax").build();
                httpResponse.addHeader(HttpHeaders.SET_COOKIE,lastCookie.toString());

            }
        }

        filterChain.doFilter(httpRequest,httpResponse);
    }
}

        发现没有,我正确的解决方案里除了遍历了cookie,添加属性时用的是response.addHeader("Set-cookie",String)方法,而错误的解决方案中用的是response.setHeader("Set-Cookie",String)方法。

        httponly和samesite属性是属于cookie的,所以必须遍历所有cookie,并设置这些相关属性,当然cookie还有其他好多属性(domain,path,maxAge等)。错误方案里只是给响应头添加了属性,所以没法解决这2个漏洞问题。对应请求中有多个cookie,必须用addHeader方法,如果只有一个cookie可以使用setHeader方法。

response.addHeader()和response.setHeader的区别

这2个方法都是给response的header添加属性,但是略有区别,

response.setHeader():如果存在key就替换value

response.addHeader(): 如果key存在也不替换value,而是增加

        这里我先说下Set-Cookie属性,其实是一个cookie对应一个Set-Cookie属性,我开始以为是Set-Cookie里放所有cookie,然后后面的httponly等属性一起修饰前面的cookie。其实不是的,当然如果你一个Set-Cookie属性了前面放了多个cookie,后面的httponly; SameSite=Lax 属性只对第一个cookie生效,这个我测试过了。代码和截图如下:

        

package com.lsl.mylsl.filter;

import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class CookieFilter implements Filter {


    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        //这里模拟下浏览器发送请求中包含三个cookie,
        // 因为后端在request中无法添加cookie,咱们就先添加到response中,
        //第一次请求把三个cookie带到客户端,再请求时浏览器就把这三个cookie带过来了
        Cookie cookie1 = new Cookie("name","lsl");
        httpResponse.addCookie(cookie1);
        Cookie cookie2 = new Cookie("age","18");
        httpResponse.addCookie(cookie2);
        Cookie cookie3 = new Cookie("addr","beijing");
        httpResponse.addCookie(cookie3);

        String url = httpRequest.getRequestURL().toString();

        Cookie[] cookies = httpRequest.getCookies();
        if (cookies != null){
            StringBuilder sb = new StringBuilder();
            for (Cookie cookie : cookies){
                String cookieName = cookie.getName();
                String cookieValue = cookie.getValue();
                System.out.println("url = " + url + ", cookieName = " + cookieName + ", cookieValue = " + cookieValue);
//                ResponseCookie lastCookie = ResponseCookie.from(cookieName, cookieValue).httpOnly(true).sameSite("Lax").build();
                
                sb.append(cookieName).append("=").append(cookieValue).append(";");
            }
            sb.append("HttpOnly; SameSite=Lax");
            httpResponse.addHeader(HttpHeaders.SET_COOKIE,sb.toString());
        }

        filterChain.doFilter(httpRequest,httpResponse);
    }
}

        

发现只有第一个cookie的httponly和samesite生效了

        我们再说下,response.addHeader("Set-cookie",String)和response.setHeader("Set-Cookie",String)的区别。根据上面的正确代码可以看出,如果采用response.setHeader("Set-Cookie",String),只是把最后一个cookie设置的httponly和sameSite属性生效了。这个2个方法我也都测试过了。

用setHeader方法,只有最后一个cookie生效了,相关的代码和截图如下

package com.lsl.mylsl.filter;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class CookieFilter implements Filter {


    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        //这里模拟下浏览器发送请求中包含三个cookie,
        // 因为后端在request中无法添加cookie,咱们就先添加到response中,
        //第一次请求把三个cookie带到客户端,再请求时浏览器就把这三个cookie带过来了
        Cookie cookie1 = new Cookie("name","lsl");
        httpResponse.addCookie(cookie1);
        Cookie cookie2 = new Cookie("age","18");
        httpResponse.addCookie(cookie2);
        Cookie cookie3 = new Cookie("addr","beijing");
        httpResponse.addCookie(cookie3);

        String url = httpRequest.getRequestURL().toString();

        Cookie[] cookies = httpRequest.getCookies();
        if (cookies != null){
            StringBuilder sb = new StringBuilder();
            for (Cookie cookie : cookies){
                String cookieName = cookie.getName();
                String cookieValue = cookie.getValue();
                System.out.println("url = " + url + ", cookieName = " + cookieName + ", cookieValue = " + cookieValue);
                ResponseCookie lastCookie = ResponseCookie.from(cookieName, cookieValue).httpOnly(true).sameSite("Lax").build();
                httpResponse.setHeader(HttpHeaders.SET_COOKIE,lastCookie.toString());
            }
        }

        filterChain.doFilter(httpRequest,httpResponse);
    }
}

;