I wrote some code to fix a cross-frame scripting flaw related to one of the servlets. The code is as follows. Utility class:

```java
import javax.servlet.http.HttpServletResponse;

public class VulnerabilityUtil {
    public final static String INVALID_REQUEST_TYPE_ERROR = "Invalid Request Type.";
    public final static String INVALID_USER_ACCESS = "Access Denied!";

    /** Missing HTTP X-Frame-Options Response Header **/
    public static void setHTTPXFrameResponseHeader(HttpServletResponse response) {
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
    }
}
```
and then I call that method from AddDelegateServlet, for example:

```java
VulnerabilityUtil.setHTTPXFrameResponseHeader(response);
```
Now, after searching the internet, I somehow managed to write a test case like the following:

```java
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import java.io.IOException;

import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.junit.Test;

@Test
public void XFrameOptionsTest() throws ClientProtocolException, IOException {
    CloseableHttpClient client = HttpClientBuilder.create().build();
    HttpGet request = new HttpGet("http://localhost:5138/alservlet/AddDelegateServlet");
    HttpResponse response = client.execute(request);
    // only for debugging
    System.out.println(request.getRequestLine());
    Header[] headers = response.getAllHeaders();
    for (Header h : headers) {
        System.out.println(h.getName() + ": " + h.getValue());
    }
    assertNotNull("X-Frame-Options header used?", response.getFirstHeader("X-Frame-Options"));
    assertTrue("X-Frame-Options: SAMEORIGIN?", "SAMEORIGIN".equals(response.getFirstHeader("X-Frame-Options").getValue()));
}
```
But there are a few problems with it:

1 - I am using the Apache HTTP client, while we are using a WebSphere server.

2 - I don't know whether WebSphere has something similar to the Apache HTTP client that I ended up using, instead of Apache's HTTP client.

3 - My test case fails because assertTrue cannot get the header "X-Frame-Options" even though it is set, which can be checked with the Google developer tools.
Response headers:

```text
Cache-Control: no-cache, max-age=0, s-maxage=0, must-revalidate, proxy-revalidate, no-store, private
Content-Language: en-US
Content-Length: 28951
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 22 May 2019 16:08:42 GMT
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Pragma: no-cache
Strict-Transport-Security: max-age=31536000,includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Servlet/3.0
X-XSS-Protection: 1
```
I would like to know how to write a successful test case that addresses all of the above problems.

Any help or suggestions would be greatly appreciated.
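A JDK-only variant of the header check, added here as an example and not code from the original post: it needs neither Apache HttpClient nor a running WebSphere instance, because it starts a constructed stand-in endpoint (com.sun.net.httpserver, shipped with the JDK) that sets the header the way AddDelegateServlet does, and it asserts on the status code before the header so that a redirect or error page shows up in the failure message instead of a bare "header missing". JUnit 4 and the names XFrameOptionsHeaderTest, startStandIn and stopStandIn are assumptions.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

import com.sun.net.httpserver.HttpServer;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;

public class XFrameOptionsHeaderTest {
    private HttpServer server; // constructed stand-in for the WebSphere-hosted servlet
    private String baseUrl;

    @Before
    public void startStandIn() throws IOException {
        // Replies the way AddDelegateServlet does after calling
        // VulnerabilityUtil.setHTTPXFrameResponseHeader(response). Point baseUrl
        // at the real host:port instead to run the same test against WebSphere.
        server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/alservlet/AddDelegateServlet", exchange -> {
            exchange.getResponseHeaders().add("X-Frame-Options", "SAMEORIGIN");
            exchange.sendResponseHeaders(200, -1); // 200 with no body
            exchange.close();
        });
        server.start();
        baseUrl = "http://127.0.0.1:" + server.getAddress().getPort();
    }

    @After
    public void stopStandIn() { server.stop(0); }

    @Test
    public void addDelegateServletSetsSameOriginFrameOptions() throws IOException {
        HttpURLConnection conn = (HttpURLConnection)
                new URL(baseUrl + "/alservlet/AddDelegateServlet").openConnection();
        conn.setInstanceFollowRedirects(false); // a redirect must fail the test, not be followed
        int status = conn.getResponseCode();
        // Check the status first: if the server answered with an error or a redirect,
        // the header was looked up on the wrong page, and the message now says so.
        assertEquals("unexpected status, Location=" + conn.getHeaderField("Location"), 200, status);
        String xfo = conn.getHeaderField("X-Frame-Options"); // header names are case-insensitive
        assertNotNull("X-Frame-Options header missing", xfo);
        assertEquals("SAMEORIGIN", xfo.trim().toUpperCase());
    }
}
```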