I plan to deploy an EAR application on JBoss 6 on Amazon, reachable from the public network. I need multiple instances, but I don't need clustering; an ELB can do the job in my case. The OWASP security guidelines were taken into account during application development. However, I have one problem: security by obscurity.

How can I conceal the fact that I am using JBoss? I have custom error pages, and the ELB only allows access to my application's context path, but I am worried that JBoss will display some header that says JBoss. Would it be more secure to use mod_jk or mod_proxy_ajp on each instance just to forward requests (which is what I'd like to avoid if it isn't necessary)?

Regards

Any help?

Solution 2

I found the solution.

This link explains how to remove the JBoss specific header.

Tomcat specific headers can also be removed as explained here and here.

Regards

Other tips

The principle of security by obscurity doesn't mean that you should try to hide things. Actually, it means just the opposite. Please don't rely on hiding sensitive information, as it doesn't really slow down attackers very much and it creates a false sense of security.

The huge attack surface of a typical JBoss installation means that an attacker is very likely to figure out what you're running. There have been a number of "products" over the years that purport to hide the identity of the technologies you are using, with techniques like hiding headers. Yet all an attacker typically has to do is delete a few parameters on the URL to get a full stack trace that provides enough details to determine products, libraries, versions, etc.

You might throw off a few of the weaker automated scanners with this technique, but not anyone who really targets you. Principles are nice, but they're extremely open to interpretation and often conflicting. Better to focus on verifying your application against the OWASP Application Security Verification Standard (ASVS).

How can I conceal the fact that I am using JBoss?

Assuming that JBoss sends a response header something like Server: JBoss v1.2.3.4, you could write a Filter that you map to all requests which overwrites this value with some arbitrary text of your choosing, for example:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class StripHeaderFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Run the rest of the chain first, then overwrite whatever Server header it set.
        // Headers can only be changed while the response is not yet committed, so this
        // does nothing if the servlet already flushed a large body.
        chain.doFilter(request, response);
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader("Server", "It's a secret");
        }
    }
}
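As an added check for this thread (example code written here, not taken from either answer or from JBoss or Tomcat): the script below parses raw HTTP responses, flags `Server` and `X-Powered-By` values that name the stack, and also scans the body for the product names, package prefixes and `(File.java:NN)` frames that a default error page or stack trace carries. The three sample responses, their header values and the regular expressions are my own constructions modelled on a default install, not captures from a real server; the third sample shows the point made in the tips above, that rewritten headers still leave an unhandled exception page leaking everything.

```python
import re

# Response headers that commonly carry an application-server fingerprint.
FINGERPRINT_HEADERS = ("server", "x-powered-by")
# Product names that identify the JBoss/Tomcat stack when they appear in a header value.
PRODUCT_RE = re.compile(r"jboss|tomcat|coyote|servlet", re.IGNORECASE)
# Default error pages and stack traces leak the same names plus Java package
# prefixes and source-line references such as "(Http11Processor.java:123)".
BODY_RE = re.compile(r"JBoss|Tomcat|org\.jboss\.|org\.apache\.catalina\.|\.java:\d+\)")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body).

    Header names are lowercased; only the first value of a repeated header is
    kept, which is enough for an audit of Server and X-Powered-By.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() not in headers:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def audit(raw):
    """Return a list of findings that identify the server; [] means clean."""
    status_line, headers, body = parse_response(raw)
    findings = []
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value is not None and PRODUCT_RE.search(value):
            findings.append(f"header {name}: {value}")
    match = BODY_RE.search(body)
    if match:
        findings.append(f"body ({status_line}): {match.group(0)!r}")
    return findings


# Constructed sample responses (modelled on, not captured from, a JBoss 6
# instance) so the script runs offline.
DEFAULT_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"X-Powered-By: Servlet 3.0; JBoss-6.0.0.Final/JBossWeb-3.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><h1>HTTP Status 404 - /nosuchpage</h1>"
    b"<h3>JBoss Web/3.0.0-CR1</h3></html>"
)
# Headers rewritten by a filter like the one in the answer above, plus a
# custom error page that says nothing about the stack.
HARDENED_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: It's a secret\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><h1>Page not found</h1></html>"
)
# Headers hidden, but an unhandled exception still renders the default 500 page.
HARDENED_HEADERS_LEAKY_500 = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: It's a secret\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<pre>java.lang.NullPointerException\n"
    b"\tat com.example.OrderServlet.doGet(OrderServlet.java:42)\n"
    b"\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter("
    b"ApplicationFilterChain.java:290)</pre>"
)

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_404), ("hardened", HARDENED_404),
                          ("leaky 500", HARDENED_HEADERS_LEAKY_500)):
        print(label, audit(sample) or "clean")
```

To run it against a live instance, replace the constructed samples with the bytes of a real response (for example a request for a path that does not exist, and one that triggers an unhandled exception) and treat any non-empty result as a leak to fix, either in the filter or in the error-page mapping.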
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow