Message Boards

Solving OWASP security vulnerabilities in Liferay 6.0.x

Ionut Negoita, modified 7 years ago.


New Member, Posts: 10, Join Date: 12-8-27
Hi guys,

I see a lot of topics out there regarding cookies and either the HttpOnly flag or the Secure flag. Besides these 2 issues that are considered security vulnerabilities, there are also some missing headers which present vulnerabilities like:

X-Frame-Options Header Not Set
Web Browser XSS Protection Not Enabled
X-Content-Type-Options Header Missing

I have successfully implemented fixes for all these issues and even passed through a security audit verifying the implementation.


Basically you need to create a new filter and add it to the stack of Liferay filters.
Here's a detailed description on how to do this: Solving OWASP security vulnerabilities in Liferay 6.0.x

I would love to hear comments from you guys, maybe if I'm missing something or if you have any questions.

kindest regards,
John (@codingdudecom)
David H Nebinger, modified 7 years ago.

RE: Solving OWASP security vulnerabilities in Liferay 6.0.x

Liferay Legend, Posts: 14916, Join Date: 06-9-2
Thanks for the info.

6.0 is quite a bit dated, have you considered upgrading to a newer version that supports all of the new browsers?
Ionut Negoita, modified 7 years ago.

RE: Solving OWASP security vulnerabilities in Liferay 6.0.x

New Member, Posts: 10, Join Date: 12-8-27
Hi David,

Yes, it is outdated, and we did try to upgrade to Liferay 7. I've seen your article about OSGi modules and added a comment and another forum topic regarding the challenges we had with that. Bottom line is that we stopped trying to do that since it was becoming too expensive for us, considering we did not get very far.
Probably an attempt to upgrade to version 6.2 should have been the course.
David H Nebinger, modified 7 years ago.

RE: Solving OWASP security vulnerabilities in Liferay 6.0.x

Liferay Legend, Posts: 14916, Join Date: 06-9-2
6.2 will bring you forward, certainly, and these OWASP issues may already be resolved.

LR7 migration is going to be challenging for all of us because of the underlying and significant changes. We're all in the same boat there, so we're all learning the ropes at the same time, Ionut.

Don't give up, though, I'm sure you can make the change work...