允許用戶在 HTTP 和 HTTPS 之間跳轉會使應用程序易受會話劫持攻擊。
許多應用程序使用 cookie 來傳輸用戶的會話標識符。在通過 HTTPS 訪問應用程序時,cookie 將受到保護(攻擊者無法截取它們)。但如果開發者允許通過 HTTP 訪問應用程序的非敏感部分,那么會話標識符可能會被竊取。當用戶瀏覽到站點的某個未受保護的部分時,將以明文形式發送包含會話 ID 的 cookie。如果攻擊者截取了信息流,他們將會看到該會話 ID,并利用它來控制用戶會話。
以下示例顯示既使用不安全通道又使用安全通道的配置:
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
\A.*\Z=REQUIRES_INSECURE_CHANNEL
</value>
</property>
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A3 Broken Authentication and Session Management
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A7 Broken Authentication and Session Management
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection
[4] Ben Alex Acegi Security - Channel Security
[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3405 CAT I
[6] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3405 CAT I
[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 5
[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8