1. Log Forging
将打印日志的代码删除(干脆直接)
自定义描述错误原因,然后再打印出来。
public static final String NFE = "Failed to parse val. The input is required to be an integer value." String val = request.getParameter("val"); try { int value = Integer.parseInt(val); } catch (NumberFormatException nfe) { log.info(NFE); }
2. Hardcoded Password,密码硬编码
删除硬编码的代码
3. Insecure Submission,不安全的提交
前端界面form设置为method="post"
4. Password in Configuration File
删除关键字password
5. Autocomplete,自动完成功能
表单控件Autocomplete设置为off
6. SQL注入风险
删除排序使用的$
${sidx} ${order}