
Fixing the Tomcat clickjacking vulnerability

How to fix the clickjacking vulnerability in Tomcat

1. Edit Tomcat's web.xml configuration file

Change the web server configuration so that it adds the X-Frame-Options response header. The header takes one of the following three values:

1. DENY: the page cannot be embedded in any iframe or frame

2. SAMEORIGIN: the page can only be embedded in an iframe or frame by pages from the same site

3. ALLOW-FROM uri: the page can only be embedded in frames on the specified domain

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
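To see what the three X-Frame-Options values actually do once the filter above is in place, here is a small added example (not code from the original post or from Tomcat) that models a browser's framing decision: it reads the response headers a Tomcat instance would send before and after enabling the filter, validates the header value, and reports whether a given embedding page would be allowed to frame the protected page. The header dictionaries, URLs and hostnames are constructed for the example.

```python
"""Model how a browser that honours X-Frame-Options decides whether a page may be framed.

Added example: the headers, page URLs and hostnames below are constructed, not taken
from any real deployment. Only one level of framing is modelled (page inside embedder).
"""
from urllib.parse import urlsplit

VALID_DIRECTIVES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin, filling in the default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def parse_x_frame_options(headers):
    """Return (directive, allowed_uri) from the response headers, or None if the header is absent.

    Raises ValueError for a value a browser would not understand (or for duplicate headers,
    which browsers treat as a conflict and ignore)."""
    value = None
    for name, raw in headers.items():          # header names are case-insensitive
        if name.lower() == "x-frame-options":
            if value is not None:
                raise ValueError("multiple X-Frame-Options headers")
            value = raw.strip()
    if value is None:
        return None
    tokens = value.split(None, 1)
    directive = tokens[0].upper()
    if directive not in VALID_DIRECTIVES:
        raise ValueError("unknown X-Frame-Options value: %r" % value)
    if directive == "ALLOW-FROM":
        if len(tokens) != 2:
            raise ValueError("ALLOW-FROM requires a URI")
        return directive, tokens[1].strip()
    if len(tokens) != 1:
        raise ValueError("%s takes no argument" % directive)
    return directive, None


def header_is_valid(headers):
    """True when X-Frame-Options is absent or well-formed; False when a browser would ignore it."""
    try:
        parse_x_frame_options(headers)
        return True
    except ValueError:
        return False


def framing_allowed(headers, page_url, embedder_url):
    """Decide whether `page_url`, served with `headers`, may be framed by `embedder_url`."""
    parsed = parse_x_frame_options(headers)
    if parsed is None:
        return True                             # no header: nothing stops framing
    directive, uri = parsed
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(embedder_url)
    return origin_of(uri) == origin_of(embedder_url)   # ALLOW-FROM


# Constructed responses: what Tomcat sends before and after the filter is enabled.
BEFORE_FILTER = {"Content-Type": "text/html;charset=UTF-8"}
AFTER_FILTER = {"Content-Type": "text/html;charset=UTF-8", "X-Frame-Options": "SAMEORIGIN"}

PAGE = "https://app.example/login"            # constructed protected page
SAME_SITE_EMBEDDER = "https://app.example/portal"
OTHER_SITE_EMBEDDER = "https://other.example/page"

if __name__ == "__main__":
    for label, headers in (("before filter", BEFORE_FILTER), ("after filter", AFTER_FILTER)):
        for embedder in (SAME_SITE_EMBEDDER, OTHER_SITE_EMBEDDER):
            print("%-13s framed by %-28s -> %s" % (
                label, embedder, "allowed" if framing_allowed(headers, PAGE, embedder) else "blocked"))
```

Of the three values, only DENY and SAMEORIGIN can be relied on: Chrome and Safari never implemented ALLOW-FROM and Firefox has dropped it, so a browser that does not understand the value ignores the header entirely, which leaves the page frameable. For a real allow-list use the Content-Security-Policy frame-ancestors directive instead. After restarting Tomcat, confirm the change by requesting any page and checking that the X-Frame-Options header is present in the response.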