Common fixes for server security-scan findings
Always filter single quotes!
Logic keeps running after a redirect (call exit after the success() redirect function)
Cross-site request forgery (CSRF) (check that the Referer header belongs to the system's own domain)
HTTP Host header attack detected on the target URL
Fix: modify nginx.conf so that requests whose Host header is not one of the site's own names are refused.
Example (a catch-all default server that answers 403 for any unknown Host):
    server {
        listen 80 default_server;
        server_name _;
        location / {
            return 403;
        }
    }
In the target site's own configuration you can additionally add a Host check (the variable is $http_host, and the dots must be escaped so they match literally):
    if ($http_host !~* ^www\.test\.com$) {
        return 403;
    }
Reference: https://www.freesion.com/article/18441013466/
Target host may be vulnerable to the PHP multipart/form-data remote DoS
Fix: run ./upgrade_php.sh to upgrade PHP to 5.4.41
==========================================================================================
Change the Server field in nginx's HTTP response header
In the nginx installation (source) directory, edit src/http/ngx_http_header_filter_module.c.
Original content:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
Change to:
    static char ngx_http_server_string[] = "Server: X-Web" CRLF;
    static char ngx_http_server_full_string[] = "Server: X-Web" CRLF;
Recompile and install:
    [root@localhost nginx-1.8.1]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module
    [root@localhost nginx-1.8.1]# make && make install
Verify the new header with:
    curl -I -X GET http://XXXXXXXXXXXXXXX
Hide Server and X-Powered-By in responses
Hide X-Powered-By:
    Edit php.ini and set expose_php = Off
    ThinkPHP: edit Library/Think/View.class.php and change the header('X-Powered-By:ThinkPHP'); call
Hide the nginx version in Server: in nginx.conf, inside the http block, set
    server_tokens off;
(server_tokens off removes only the version number; "Server: nginx" still appears. Replacing the product name itself needs the source change and recompile described above.)
==========================================================================================
Disable the unsafe OPTIONS method
Fix: add the following to the site configuration file (anchored so that only an exact GET or POST passes; note that this also rejects HEAD):
    if ($request_method !~ ^(GET|POST)$ ) {
        return 403;
    }
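The three allow-list rules above (the CSRF Referer check from the top of these notes, the Host header check, and the request-method check) are written below in Python as an added example, not code from the original notes, so the matching logic can be tested offline. www.test.com is the page's own example host; the other host names and URLs are constructed. It also shows why the dots in the Host pattern must be escaped: a pattern written as ^www.test.com$ matches strings that are not the site's name at all.

```python
"""Added example (not from the original notes): the allow-list checks behind the
nginx `if` rules on this page (Host header, request method) and the CSRF Referer
rule, written in Python so the logic can be tested offline. www.test.com is the
page's own example host; the other names and URLs are constructed."""
import re
from urllib.parse import urlsplit

# Host names this site is allowed to answer for (constructed allow-list).
ALLOWED_HOSTS = {"www.test.com", "test.com"}
# Request methods the application actually needs; everything else gets 403.
ALLOWED_METHODS = {"GET", "POST"}

# A pattern written with unescaped dots: '.' matches any character, so it is looser
# than intended when used as `if ($http_host !~* ^www.test.com$)`.
LOOSE_HOST_RE = re.compile(r"^www.test.com$", re.IGNORECASE)
# Literal dots, anchored, optional :port as it appears in a real Host header.
STRICT_HOST_RE = re.compile(r"^www\.test\.com(:\d+)?$", re.IGNORECASE)


def host_matches(pattern: re.Pattern, host_header: str) -> bool:
    """Mirror nginx `$http_host ~* pattern`: True when the Host value matches."""
    return pattern.search(host_header or "") is not None


def normalize_host(host_header: str) -> str:
    """Lower-case a Host header and strip a trailing :port (IPv6 literals kept whole)."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                 # e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_allowed(host_header: str) -> bool:
    """Allow-list form of the Host check: only names we serve pass, all else is 403."""
    return normalize_host(host_header) in ALLOWED_HOSTS


def method_allowed(method: str) -> bool:
    """Allow-list form of `if ($request_method !~ ^(GET|POST)$) { return 403; }`.
    HTTP method tokens are case-sensitive, so no case folding is applied."""
    return method in ALLOWED_METHODS


def referer_is_same_site(referer: str) -> bool:
    """CSRF check from the page: a state-changing request must carry a Referer whose
    host is one of ours. A missing, malformed or foreign Referer is rejected."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    for host in ("www.test.com", "www.test.com:8080", "wwwXtestYcom", "evil.com"):
        print(f"{host:20} loose={host_matches(LOOSE_HOST_RE, host)} "
              f"strict={host_matches(STRICT_HOST_RE, host)} allowed={host_allowed(host)}")
    for ref in ("https://www.test.com/form", "https://www.test.com.evil.com/", ""):
        print(f"{ref!r:35} same_site={referer_is_same_site(ref)}")
```

The Referer check compares only the parsed host name, so a Referer such as https://www.test.com.evil.com/ or https://www.test.com@evil.com/ is rejected even though it contains the site's name as a substring; on the nginx side the equivalent stays the default server with return 403 shown above.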
Vulnerable JavaScript framework library detected on the target site
Fix: use the latest jQuery version
Session cookie lacks the HttpOnly attribute
Fix: edit /usr/local/php/etc/php.ini and set session.cookie_httponly = 1
#Session cookie lacks the secure attribute
#Fix: edit /usr/local/php/etc/php.ini and set session.cookie_secure = 1
After adding this, sessions stopped working:
a cookie with the Secure attribute is only sent to the server over HTTPS, so if the site is served over plain HTTP the server never receives the value of a Secure cookie.
==========================================================================================
Clickjacking: X-Frame-Options not configured
Fix: in the http block of /usr/local/nginx/conf/nginx.conf add
    add_header X-Frame-Options SAMEORIGIN;
Custom 404 page not taking effect
Add to /usr/local/nginx/conf/nginx.conf:
    fastcgi_intercept_errors on;
HTTP response header X-Content-Type-Options missing
    add_header X-Content-Type-Options "nosniff";
Clickjacking: X-Frame-Options not configured
    add_header X-Frame-Options "SAMEORIGIN";   [do not change this to DENY; after switching to DENY, none of the AJAX requests worked]
X-XSS-Protection response header missing
    add_header X-XSS-Protection "1; mode=block";
X-Download-Options response header missing
    add_header X-Download-Options "noopen";
Strict-Transport-Security response header missing
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
Referrer-Policy response header missing
    add_header 'Referrer-Policy' 'origin';   [do not use origin: after a redirect the Referer is wrong and you can only land on the home page]
Use origin-when-cross-origin or no-referrer-when-downgrade instead.
Reference: https://blog.csdn.net/m0_54434140/article/details/125517292
nginx.conf quick-copy block
    fastcgi_intercept_errors on;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "no-referrer-when-downgrade";
    #add_header Content-Security-Policy "default-src 'self' ws: 'unsafe-inline' 'unsafe-eval'";
    add_header X-Permitted-Cross-Domain-Policies "none";
    add_header X-Download-Options "noopen";
Note: add_header directives are inherited from the http level only when the server or location block defines no add_header of its own; a location that adds a single header silently drops all of these, so re-check the response for each location.
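To confirm that the header, Server/X-Powered-By and cookie changes above actually reach the client, the following added example (not code from the original notes) audits a raw HTTP response for exactly the findings listed on this page. Both sample responses are constructed; the one-year HSTS minimum is a threshold chosen for the example, not a value from the notes.

```python
"""Added example (not from the original notes): audit a raw HTTP response for
the header findings this page lists (Server/X-Powered-By disclosure, missing
security headers, cookies without HttpOnly/Secure) so the nginx and php.ini
changes can be verified offline. Both sample responses are constructed."""
from email.parser import Parser
from typing import List, Optional

# Constructed response from a server hardened as described on this page.
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: X-Web\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Download-Options: noopen\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "\r\n<html></html>"
)

# Constructed response with stock nginx/PHP defaults that trigger the findings.
SAMPLE_BAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.8.1\r\n"
    "X-Powered-By: PHP/5.4.41\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n<html></html>"
)

# Required header -> accepted values (compared lower-cased); None = any value.
REQUIRED = {
    "X-Frame-Options": {"sameorigin", "deny"},
    "X-Content-Type-Options": {"nosniff"},
    "X-XSS-Protection": {"1; mode=block"},
    "X-Download-Options": {"noopen"},
    "X-Permitted-Cross-Domain-Policies": {"none"},
    "Referrer-Policy": None,
    "Strict-Transport-Security": None,
}
MIN_HSTS_AGE = 31536000  # one year; threshold chosen for this example


def parse_headers(raw: str):
    """Split a raw response into its status line and an RFC 822-style header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, _, header_block = head.partition("\r\n")
    return status, Parser().parsestr(header_block)


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit(raw: str) -> List[str]:
    """Return one finding string per problem; an empty list means the response passes."""
    _, msg = parse_headers(raw)
    findings = []

    # Information disclosure: a version in Server, or any X-Powered-By at all.
    server = msg.get("Server", "").strip()
    if "/" in server:
        findings.append(f"disclosure: Server reveals version ({server})")
    if msg.get("X-Powered-By") is not None:
        findings.append("disclosure: X-Powered-By present")

    # Security headers the scanner expects; whitespace is normalized before comparing.
    for name, accepted in REQUIRED.items():
        value = msg.get(name)
        if value is None or not value.strip():
            findings.append(f"missing: {name}")
            continue
        value = " ".join(value.split())
        if accepted is not None and value.lower() not in accepted:
            findings.append(f"weak: {name}={value}")
        if name == "Strict-Transport-Security":
            age = hsts_max_age(value)
            if age is None or age < MIN_HSTS_AGE:
                findings.append(f"weak: {name} max-age={age} below {MIN_HSTS_AGE}")

    # Session cookies must carry HttpOnly (and Secure on HTTPS sites).
    for cookie in msg.get_all("Set-Cookie") or []:
        parts = cookie.split(";")
        cname = parts[0].partition("=")[0].strip()
        attrs = {p.strip().partition("=")[0].lower() for p in parts[1:]}
        for flag in ("HttpOnly", "Secure"):
            if flag.lower() not in attrs:
                findings.append(f"cookie: {cname} lacks {flag}")
    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", SAMPLE_GOOD), ("default", SAMPLE_BAD)):
        print(label, audit(raw) or ["OK"])
```

Feed it the output of curl -i against each location of the site rather than only the home page, because of the add_header inheritance behaviour noted above; the Secure finding is expected on a plain-HTTP site and is the trade-off the cookie section describes.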
=========================================================================================
For Apache, the equivalent configuration is described in:
https://www.pythonthree.com/how-to-configure-security-headers-in-apache/
https://www.rstk.cn/news/37016.html?action=onClick