A website vulnerability scan found a "Same site scripting" vulnerability; the detailed report is below. Could you help me work out what the problem is and how it should be resolved? Thanks~
Details
Host: localhost.example.com resolves to 127.0.0.1
Description
Tavis Ormandy reported a common DNS misconfiguration that can result in a minor security issue with web applications.
"It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver
configurations, bizarrely however, administrators often mistakenly drop the trailing dot, introducing an interesting variation
of Cross-Site Scripting (XSS) I call Same-Site Scripting. The missing dot indicates that the record is not fully qualified,
and thus queries of the form "localhost.example.com" are resolved. While superficially this may appear to be harmless, it
does in fact allow an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same origin restrictions, and
therefore hijack state management data."
Recommendation
It is advised that non-FQ localhost entries be removed from nameserver configurations for domains that host websites
that rely on HTTP state management.
How should a "same site scripting" vulnerability found by a website vulnerability scan be resolved?
Answers: 2 Bounty: 70
Resolved 2021-02-18 14:12
- Asker: 自食苦果
- 2021-02-18 05:34
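An added example, not from the original post or the scanner: a small Python checker for the misconfiguration the report describes. It parses a constructed BIND-style zone fragment (example.com and the record layout are assumptions), expands relative owner names against $ORIGIN, flags a non-FQ localhost record that would make localhost.example.com resolve to a loopback address, and removes it as the recommendation says.

```python
import ipaddress
import re

# Constructed sample zone fragment (not from the original page). The first "localhost"
# owner has no trailing dot, so it is relative to $ORIGIN and creates
# localhost.example.com -> 127.0.0.1; the second, with the dot, is fully qualified.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (1 3600 900 604800 86400)
  IN NS ns1.example.com.
www IN A 192.0.2.10
localhost IN A 127.0.0.1    ; non-FQ: becomes localhost.example.com.
localhost. IN A 127.0.0.1   ; FQ: only answers for "localhost."
"""

# owner [ttl] [IN] A|AAAA target   (comments are stripped before matching)
ADDR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?:A|AAAA)\s+(\S+)$", re.IGNORECASE)

def _is_loopback(target):
    try:
        return ipaddress.ip_address(target).is_loopback
    except ValueError:
        return False  # not an address literal

def _address_records(zone_text):
    """Yield (owner, target, origin, raw_line) for each A/AAAA record, tracking $ORIGIN."""
    origin = "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = ADDR_RE.match(line)
        if m:
            yield m.group(1), m.group(2), origin, raw

def find_non_fq_localhost(zone_text):
    """Return the fully qualified names that non-FQ localhost records would create."""
    findings = []
    for owner, target, origin, _ in _address_records(zone_text):
        # A relative owner "localhost" is expanded against $ORIGIN by the nameserver.
        if owner.lower() == "localhost" and _is_loopback(target):
            findings.append(f"{owner}." if origin == "." else f"{owner}.{origin}")
    return findings

def remove_non_fq_localhost(zone_text):
    """Drop the offending lines, as the advisory recommends; FQ records stay intact."""
    bad = {raw for owner, target, _, raw in _address_records(zone_text)
           if owner.lower() == "localhost" and _is_loopback(target)}
    return "\n".join(line for line in zone_text.splitlines() if line not in bad) + "\n"
```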
Best answer
- Five-star knowledge expert, user: 上分大魔王
- 2021-02-18 05:46
"Solution : Disable this script." That line says it clearly: the solution is to disable this script. But judging by search.php, this appears to be a search page, and disabling it would affect functionality. So if your coding skills are decent, add some code to the page to filter out cross-site exploitation characters such as < and /.
All answers
- Reply #1, user: 渡鹤影
- 2021-02-18 06:57
I... know...
Add... me... for a private chat