这是我的cookie代码。
var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ window.location.href + ";" + expires;
尝试验证
var campaignId ="someCookieValue";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var value = new RegExp(/^[a-zA-Z0-9-_.:]*$/);
if(value.test(campaignId))
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
var expression =/[-a-zA-Z0-9@:%_+.~#?&//=]{2,256}.[a-z]{2,4}b(/[-a-zA-Z0-9@:%_+.~#?&//=]*)?/gi;
var pattern = new RegExp(expression);
var cookieValue = window.location.href;
if(cookieValue){
if(value.test(cookieValue)) {
cookieValue = encodeURIComponent(cookieValue);
document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;
}
}
我在document.cookie
上的强化扫描中遇到了问题,就像main.js
中的方法lambda()
在486行的HTTP cookie中包含未验证的数据一样。这启用了Cookie操作攻击,并可能导致其他HTTP响应标头操作攻击,如:cache-poisoning
、cross-site scripting
、cross-user defacement
、page hijacking
或open redirect
。
找到了解决方案。我用一个外部密码Js为我的cookie值添加了密码,并解决了强化扫描问题。
var campaignId ="someCookieValue";
var mySecret ="mysecret";
var d = new Date();
d.setTime(d.getTime() + (365*24*60*60*1000)); // SET COOKIE EXPIRY TO 365 days.
var expires = "expires="+ d.toUTCString();
var mySecret ="mysecret";
var cookieValue = window.location.href;
//Here I added encryption
campaignId = CryptoJS.AES.encrypt(campaignId, mySecret);
cookieValue = CryptoJS.AES.encrypt(cookieValue, mySecret); //end
document.cookie = 'campaignId='+ campaignId + "; Domain="+ document.domain + "; path=/; " + expires;
document.cookie = 'sourceUrl='+ cookieValue + ";" + expires;