天天财富 (Tiantian Wealth) Financial Management System: Comprehensive Security Report
AppScan: Web Application Security Report
Table of Contents
Document Map
Introduction
  Objectives
Executive Summary Report
  Number of Issues (Total 19)
  Number of Issues (by "Test Type")
  Vulnerable URLs vs. Non-Vulnerable URLs
  Number of Remediation Tasks
Detailed Summary
  Issue Types
  Remediation Tasks
  Vulnerable URLs
Vulnerability Details
  High-Severity "Issue Types"
  Medium-Severity "Issue Types"
  Low-Severity "Issue Types"
  Informational-Severity "Issue Types"
  Test Policy
Detailed Remediation Tasks
  High-Priority Remediation Tasks
  Medium-Priority Remediation Tasks
  Low-Priority Remediation Tasks
Application Data
  Parameters
  Failed Requests
  JavaScript
  Comments
  Cookies
  Application URLs
Document Map
This report contains the following sections:
§  Introduction and Objectives
General information about the scan, including the project name, the purpose of the scan, etc.
§  Executive Summary Report
A high-level view of the information gathered during the scan, typically using charts or comparative figures. This section is intended to give a general understanding of the application's security state.
§  Detailed Summary
A detailed list of the scan results, including all issue types found, all recommended remediation tasks, all vulnerable URLs, etc. This section is intended to give a more detailed understanding of the application's security state, and also helps scope and prioritize the work required to fix the issues found.
§  Vulnerability Details
For each issue, this section contains all relevant details, including the full security advisory, all variants, the affected URLs and remediation recommendations. This section is used to understand the nature and impact of the different issues and to guide remediation.
§  Application Information
Detailed information AppScan presents about the application, such as discovered pages, tested script parameters, etc. This section is used to understand the scan coverage, since only the areas detailed in the application data were tested.
Introduction
This report holds the results of the web application security scan performed by the [Company Name] security team on the [Assignment Name] application.
The scan found 0 high-severity security issues, 0 medium-severity security issues and 19 low-severity security issues in the application.
The findings are consolidated in the "Executive Summary Report" and the "Detailed Summary". Additional information is contained in the "Vulnerability Details" section of this report.
Objectives
The [Company Name] security team performs live security assessments of web applications. These assessments aim to reveal any security issues in the scanned web application, to explain the impact and risk associated with the issues found, and to provide guidelines for prioritization and remediation steps.
The objective of this assignment was to perform controlled attack and penetration activities in order to assess the overall security level of the [Assignment Name] web application.
Access credentials for the application and/or an application overview were / were not provided to the [Company Name] security team.
This report contains the tests conducted on the [Assignment Name] application from the perspective of an authorized / unauthorized attacker.
Executive Summary Report
Number of Issues (Total 19)
Number of Issues (by "Test Type")
Type                          Vulnerable URLs
Application                   16
Infrastructure                1
Third-party web components    2
Total                         19
[Chart] Security Issues (by "Classification")
[Chart] Security Issues (by "Issue Type")
[Chart] Vulnerable URLs vs. Non-Vulnerable URLs
[Chart] Number of Remediation Tasks
Detailed Summary
High-Severity Issues
Issue Type                                                     Issues (all severities)
(no issues found)
Medium-Severity Issues
Issue Type                                                     Issues (all severities)
(no issues found)
Low-Severity Issues
Issue Type                                                     Issues (all severities)
Subresource Integrity (SRI) check                              2
Insecure "OPTIONS" HTTP method enabled                         1
Missing "Content-Security-Policy" header                       5
Missing "X-Content-Type-Options" header                        5
Missing "X-XSS-Protection" header                              5
HTML attribute autocomplete not disabled on password field     1
Informational-Severity Issues
Issue Type                                                     Issues (all severities)
(no issues found)
Remediation Tasks
Remediation Task                                                                    Count   Priority
Correctly set the "autocomplete" attribute to "off"                                 1       Low
Configure your server to use the "Content-Security-Policy" header                   5       Low
Configure your server to use the "X-Content-Type-Options" header                    5       Low
Configure your server to use the "X-XSS-Protection" header                          5       Low
Add Subresource Integrity (SRI) support to every third-party script/link element    2       Low
Disable WebDAV, or disallow unneeded HTTP methods                                   1       Low
Vulnerable URLs
URL                                              Issues (types)   Remediation tasks (types)
http://10.1.20.137:8085/js/respond.min.js        3 (3)            3 (3)
http://10.1.20.137:8085/js/jquery.toaster.js     3 (3)            3 (3)
http://10.1.20.137:8085/js/header.js             3 (3)            3 (3)
http://10.1.20.137:8085/js/footer.js             3 (3)            3 (3)
http://10.1.20.137:8085/js/bootstrap.min.js      3 (3)            3 (3)
http://10.1.20.137:8085/tomain                   1 (1)            1 (1)
http://10.1.20.137:8085/tologin                  2 (2)            2 (2)
http://10.1.20.137:8085/                         1 (1)            1 (1)
Vulnerability Details
High-Severity "Issue Types"
Medium-Severity "Issue Types"
Low-Severity "Issue Types"
Subresource Integrity (SRI) check (1/6)
Advisory and Remediation Recommendations
Remote File Inclusion
Script and link tags loaded from other domains do not support integrity checks. This can be exploited if the service hosting the script is compromised.
Sample script element without SRI support:
<script src="https://example.com/example-framework.js"
crossorigin="anonymous"></script>
Sample script element with SRI support:
<script src="https://example.com/example-framework.js"
integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7"
crossorigin="anonymous"></script>
The user agent cannot verify scripts delivered through a third-party service. If the third-party service is compromised, users are not protected.
FrontPage Server Extensions: Security Considerations
Explanation
SRI support
Subresource Integrity (SRI) check
Subresource Integrity is not supported.
This issue may affect various types of products.
Affected URLs
§  http://10.1.20.137:8085/tologin
§  http://10.1.20.137:8085/tomain
Issue 1/2 ( http://10.1.20.137:8085/tomain - tomain )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
Third-party links/scripts carry no integrity attribute the browser could use to confirm they have not been tampered with.
Variant Validation
Variant Request/Response
GET /tomain HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
x-ua-compatible: IE=edge
Transfer-Encoding: chunked
cache-control: no-transform
Content-Language: en-US
Date: Fri, 11 Oct 2019 01:27:19 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta http-equiv="Cache-Control" content="no-transform">
<title>index</title>
<link rel="shortcut icon" href="/Public/img/favicon.ico"/>
<link href="/css/bootstrap.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet" type="text/css" />
<link href="/css/index.css" rel="stylesheet" type="text/css" />
<link href="/css/detail.css" rel="stylesheet" type="text/css" />
<link href="/css/user.css" rel="stylesheet" type="text/css" />
<link href="/css/announcement.css" rel="stylesheet" type="text/css" />
<link href="/css/bootstrap-datetimepicker.min.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="/css/index1.css" />
<script src="/js/html5shiv.min.js"></script>
<script src="/js/respond.min.js"></script>
<script src="/js/jquery.min.js"></script>
<script>
var rootUrl = '';
</script>
<script type="text/javascript" src="/js/jquery-2.1.4/jquery.js"></script>
<script type="text/javascript">
$(function(){
$("#but1").click(function(){// click
confirm("暂未登录,是否登录?");
});
$("#but2").click(function(){// click
confirm("暂未开户,是否进行开户?");
});
})
</script>
</head>
<body>
<div class="home">
<header class="header">
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="row">
<div class="hidden-xs hidden-sm col-md-3 col-lg-3">
<div class="navbar-header navbar-left">
<a class="navbar-brand-mc" href="/">
<img src="picture/milogo.png" alt="logo"/>
</a>
<a class="company-name">钱多多金融</a>
</div>
</div>
<div class="hidden-xs col-sm-5 col-md-4 col-lg-4">
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav pull-right head-list">
<li id="nav-index"></li>
<!-- page navigation handled by the backend -->
<li></li>
<li></li>
</ul>
</div>
</div>
<div class="hidden-xs col-sm-7 col-md-5 col-lg-5">
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav pull-right head-list">
<li><a></a></li>
<li id="nav-index"><a href="/tologin">登录/注册</a></li>
<li id="nav-index"></li>
</ul>
</div>
</div>
</div>
</div>
</nav>
</header>
<div class="content">
<div class="wrapper">
</div>
<div class="home-page container">
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-12">
<!--BEGIN NEW COURSES-->
<div class="section section-carousel">
<h4>产品推荐</h4>
<div id="carousel-example-generic" class="carousel slide" data-ride="carousel">
<!-- Indicators -->
<ol class="carousel-indicators">
<li data-target="#carousel-example-generic" data-slide-to="0" class="active"></li>
<li data-target="#carousel-example-generic" data-slide-to="1"></li>
<!--<li data-target="#carousel-example-generic" data-slide-to="2"></li>-->
</ol>
<!-- Wrapper for slides -->
<div class="carousel-inner" role="listbox">
<div class="item active">
<div class="row">
<div class="col-xs-12 col-sm-6 col-md-4 col-lg-4">
<div class="jumbotron goods-detail">
<span style="padding-left:38px;">[新手标]凤储计划-</span>
<span style="padding-left:53px;">20180829011</span>
...
Issue 2/2 ( http://10.1.20.137:8085/tologin - tologin )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
Third-party links/scripts carry no integrity attribute the browser could use to confirm they have not been tampered with.
Variant Validation
Variant Request/Response
GET /tologin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
x-ua-compatible: IE=edge
Transfer-Encoding: chunked
cache-control: no-transform
Content-Language: en-US
Date: Fri, 11 Oct 2019 01:27:04 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta http-equiv="Cache-Control" content="no-transform">
<title>login</title>
<link rel="shortcut icon" href="/Public/img/favicon.ico"/>
<link href="/css/bootstrap.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet" type="text/css" />
<link href="/css/index.css" rel="stylesheet" type="text/css" />
<link href="/css/detail.css" rel="stylesheet" type="text/css" />
<link href="/css/user.css" rel="stylesheet" type="text/css" />
<link href="/css/announcement.css" rel="stylesheet" type="text/css" />
<link href="/css/bootstrap-datetimepicker.min.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="/css/login.css" />
<script src="/js/html5shiv.min.js"></script>
<script src="/js/respond.min.js"></script>
<script src="/js/jquery.min.js"></script>
<script>
var rootUrl = '';
</script>
<script type="text/javascript">
$(function(){
$("#but").click(function(){
$.ajax({
url:"/checkLogin",
type:"post",
dataType:"json",
data:{
"admin":$("#username").val(),
"password":$("#login-password").val(),
},
success:function(data){
if(data.mess){
location.href="/tomain";
}
else{
$("#f1").html("用户名或密码输入错误");
}
},
error:function(data){
alert("请填写正确信息!!!");
}
});
});
/* Registration */
/* First check whether the username already exists */
var flag;
$("#regadmin").blur(function(){
$.ajax({
url:"/checkRegister",
type:"post",
dataType:"json",
data:{
"admin":$("#regadmin").val(),
},
success:function(data){
if(data.mess){
flag=data.mess;
$("#f2").html("用户名已存在,请重新输入");
}
},
error:function(data){
alert("请填写正确信息!!!");
}
})
/* On focus */
$("#regadmin").focus(function(){
$("#f2").html("");
})
/* When the "get verification code" button is clicked */
var hash;
var tamp;
var wait=60;
$("#verify_refresh").click(function(){
$.ajax({
dataType:"json",
type:"post",
url:"/sendMsg",
data:{"telephone":$("#telephone").val()},
xhrFields: {
withCredentials: true
},
success: function (data) {
hash = data.hash;
tamp = data.tamp;
},
error: function (data) {
alert("请填写正确信息!!!");
}
});
})
/* Countdown timer */
function setButtonStatus(that) {
if (wait == 0) {
that.removeAttribute("disabled");
that.value="免费获取验证码";
wait = 60;
} else {
that.setAttribute("disabled", true);
that.value=wait+"秒后可以重新发送";
wait--;
setTimeout(function() {
setButtonStatus(that)
}, 1000)
}
}
/* Register button clicked */
$("#butregster").click(function(){
$.ajax({
dataType:"json",
type:"post",
url:"/validate",
data:{
"msgNum":$("#register-password").val(),/* verification code */
"hash":hash,
"tamp":tamp,
"telphone":$("#telephone").val(),
"admin":$("#regadmin").val(),/* username */
"password":$("#registerPassword").val()/* password */
},
success: function (data) {
if(data.flag){
location.href="/tologin";
}else{
alert("验证码错误或超时");
}
},
error: function (data) {
alert("请填写正确信息!!!");
}
});
})
})
})
</script>
</head>
<body>
<div class="home">
<header class="header">
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="row">
<div class="hidden-xs hidden-sm col-md-3 col-lg-3">
<div class="navbar-header navbar-left">
<a class="navbar-brand-mc" href="/tomain">
<img src="/picture/milogo.png" alt="logo"/>
<h4 class="company-name">钱多多金融</h4>
</a>
</div>
</div>
</div>
</div>
</nav>
</header>
<div class="content">
<div class="wrapper">
<div class="container">
<div class="row">
<div class="wrapper-intro col-xs-0 col-sm-6 col-md-8 col-lg-8">
<img src="/picture/milogo.png"/>
<br/>
...
Insecure "OPTIONS" HTTP method enabled (2/6)
Advisory and Remediation Recommendations
Content Spoofing
The web server appears to be configured to allow one (or more) of the following HTTP methods (verbs):
- DELETE
- SEARCH
- COPY
- MOVE
- PROPFIND
- PROPPATCH
- MKCOL
- LOCK
- UNLOCK
- PUT
These methods may indicate that WebDAV is enabled on the server, which may allow unauthorized users to exploit it.
Web pages, scripts and files on the web server may be uploaded, modified or deleted.
WASC Threat Classification: Content Spoofing
Insecure "OPTIONS" HTTP method enabled
The web server or application server is configured in an insecure way.
This issue may affect various types of products.
Affected URLs
§  http://10.1.20.137:8085/
Issue 1/1 ( http://10.1.20.137:8085/ - / )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
· Path set to "/"
· Method set to "OPTIONS"
Variant Reasoning
The Allow header shows that dangerous HTTP methods are permitted, which indicates that WebDAV is enabled on the server.
Variant Validation
· Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Variant Request/Response
OPTIONS / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 404
Content-Length: 306
Content-Language: en-US
Date: Fri, 11 Oct 2019 01:33:04 GMT
Content-Type: text/html;charset=UTF-8
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Fri Oct 11 09:33:05 CST 2019</div><div>There was an unexpected error (type=Not Found, status=404).</div><div>No message available</div></body></html>
Missing "Content-Security-Policy" header (3/6)
Advisory and Remediation Recommendations
Information Leakage
The "Content-Security-Policy" header is designed to modify the way the browser renders a page, and thereby to rule out various cross-site injections, including cross-site scripting. It is important to set the header value correctly, in a way that does not prevent the proper operation of the web site. For example, if the header is set to block the execution of inline JavaScript, the web site must not use inline JavaScript in its pages.
Sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations, may be gathered.
List of useful HTTP headers
An introduction to Content Security Policy
Missing "Content-Security-Policy" header
Insecure web application programming or configuration
This issue may affect various types of products.
Affected URLs
§  http://10.1.20.137:8085/js/bootstrap.min.js
§  http://10.1.20.137:8085/js/footer.js
§  http://10.1.20.137:8085/js/header.js
§  http://10.1.20.137:8085/js/jquery.toaster.js
§  http://10.1.20.137:8085/js/respond.min.js
Issue 1/5 ( http://10.1.20.137:8085/js/footer.js - footer.js )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
AppScan detected that the Content-Security-Policy response header is missing, which may increase exposure to various cross-site injection attacks.
Variant Validation
Variant Request/Response
GET /js/footer.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 1163
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript
/**
 * Created by cpc on 12/27/15.
 */
function noticeInfo(content) {
$.toaster({ title : content, priority : 'info', message : ')' });
}
function noticeWarning(content) {
$.toaster({ title : content, priority : 'warning', message : '(' });
}
function sendEmail() {
$.ajax({
type: 'post',
url: rootUrl+'/feedback/sendEmail',
success: function() {}
});
}
$(document).ready(function(){
$('#send-feedback').click(function() {
var content = $('#feedback-content').val().trim();
if (content == '') {
noticeWarning('反馈不能为空');
return;
}
var data = {
content: content
};
$.ajax({
type: 'post',
url: rootUrl+'/feedback',
data: data,
success: function(status) {
if (status > 0) {
sendEmail();
noticeInfo('反馈成功');
$('#modal-feedback').modal('hide');
} else if (status == 0) {
$.toaster({ title : '还没登录喔~', priority : 'danger', message : '(' });
} else {
$.toaster({ title : '出错啦,请稍候再试~', priority : 'danger', message : '(' });
}
}
});
});
});
Issue 2/5 ( http://10.1.20.137:8085/js/respond.min.js - respond.min.js )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
AppScan detected that the Content-Security-Policy response header is missing, which may increase exposure to various cross-site injection attacks.
Variant Validation
Variant Request/Response
GET /js/respond.min.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 4377
Date: Fri, 11 Oct 2019 01:27:08 GMT
Content-Type: application/javascript
/*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl
 * Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT
 * */
Issue 3/5 ( http://10.1.20.137:8085/js/header.js - header.js )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
AppScan detected that the Content-Security-Policy response header is missing, which may increase exposure to various cross-site injection attacks.
Variant Validation
Variant Request/Response
GET /js/header.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 1023
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript
/**
 * Created by soujing on 12/27/15.
 */
$(document).ready(function(){
$.get(
rootUrl + "/Index/checkLogin",
{},
function(data){
if(data){
loginNav();
}
else{
$(".logout").parent().remove();
}
}
)
})
function loginNav(){
$.get(
rootUrl + "/User/getLoginInit",
{},
function(data){
var mesNum = data['mes_num'];
var userName = data['name'];
var userIcon = data['icon'];
var isRead = data['read'];
if(mesNum != 0){
var mesSpan = ' <span class="badge"> '+ mesNum +'</span>';
$("#nav-messages").append(mesSpan);
}
if(!isRead){
var redPoint = '<div class="red-point"></div>';
$("#nav-notice").children("a").append(redPoint);
$("#xs-nav-notice").children("a").append(redPoint);
}
}
)
}
Issue 4/5 ( http://10.1.20.137:8085/js/bootstrap.min.js - bootstrap.min.js )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
AppScan detected that the Content-Security-Policy response header is missing, which may increase exposure to various cross-site injection attacks.
Variant Validation
Variant Request/Response
GET /js/bootstrap.min.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 36816
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript
/*!
 * Bootstrap v3.3.5 (http://getbootstrap.com)
 * Copyright 2011-2015 Twitter, Inc.
 * Licensed under the MIT license
 */
Issue 5/5 ( http://10.1.20.137:8085/js/jquery.toaster.js - jquery.toaster.js )
Severity: Low
CVSS Score: 5
Image
All Variants
Variant Differences
Variant Reasoning
AppScan detected that the Content-Security-Policy response header is missing, which may increase exposure to various cross-site injection attacks.
Variant Validation
Variant Request/Response
GET /js/jquery.toaster.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 5450
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript
/***********************************************************************************
 * Add Array.indexOf                                                               *
 ***********************************************************************************/
(function()
{
if (typeof Array.prototype.indexOf !== 'function')
{
Array.prototype.indexOf = function(searchElement, fromIndex)
{
for (var i = (fromIndex || 0), j = this.length; i < j; i += 1)
{
if ((searchElement === undefined) || (searchElement === null))
{
if (this[i] === searchElement)
{
return i;
}
}
else if (this[i] === searchElement)
{
return i;
}
}
return -1;
};
}
})();
/**********************************************************************************/
(function($,undefined)
{
var toasting =
{
gettoaster : function ()
{
var toaster = $('#' + settings.toaster.id);
if(toaster.length < 1)
{
toaster = $(settings.toaster.template).attr('id', settings.toaster.id).css(settings.toaster.css).addClass(settings.toaster['class']);
if ((settings.stylesheet) && (!$("link[href=" + settings.stylesheet + "]").length))
{
$('head').appendTo('<link rel="stylesheet" href="' + settings.stylesheet + '">');
}
$(settings.toaster.container).append(toaster);
}
return toaster;
},
notify : function (title, message, priority)
{
var $toaster = this.gettoaster();
var $toast  = $(settings.toast.template.replace('%priority%', priority)).hide().css(settings.toast.css).addClass(settings.toast['class']);
$('.title', $toast).css(settings.toast.csst).html(title);
$('.message', $toast).css(settings.toast.cssm).html(message);
if ((settings.debug) && (window.console))
{
console.log(toast);
}
$toaster.append(settings.toast.display($toast));
if (settings.donotdismiss.indexOf(priority) === -1)
{
var timeout = (typeof settings.timeout === 'number') ? settings.timeout : ((typeof settings.timeout === 'object') && (priority in settings.timeout)) ? settings.timeout[priority] : 1500;
setTimeout(function()
{
settings.toast.remove($toast, function()
{
$toast.remove();
});
}, timeout);
}
}
};
var defaults =
{
'toaster'         :
{
'id'        : 'toaster',
'container' : 'body',
'template'  : '<div></div>',
'class'     : 'toaster',
'css'       :
{
'position' : 'fixed',
'top'      : '10px',
'right'    : '10px',
'width'    : '300px',
'zIndex'   : 50000
}
},
'toast'       :
{
'template' :
'<div class="alert alert-%priority% alert-dismissible" role="alert">' +
'<button type="button" class="close" data-dismiss="alert">' +
'<span aria-hidden="true">&times;</span>' +
'<span class="sr-only">Close</span>' +
'</button>' +
'<span class="title"></span>: <span class="message"></span>' +
'</div>',
'css'      : {},
'cssm'     : {},
'csst'     : { 'fontWeight' : 'bold' },
'fade'     : 'slow',
'display'    : function ($toast)
{
return $toast.fadeIn(settings.toast.fade);
},
'remove'     : function ($toast, callback)
{
return $toast.animate(
{
opacity : '0',
padding : '0px',
margin  : '0px',
height  : '0px'
},
{
duration : settings.toast.fade,
complete : callback
}
);
}
...
Missing "X-Content-Type-Options" header (4/6)
Advisory and remediation recommendations
Threat classification: Information disclosure
The "X-Content-Type-Options" header, with the value "nosniff", stops IE and Chrome (and, since Firefox 50, Firefox) from ignoring the declared Content-Type of a response and guessing the real type from its bytes. That prevents untrusted content, for example a user-uploaded file given a misleading name, from being interpreted and executed as script or HTML in the user's browser.
Two points matter when acting on this finding. First, the header is normally added once, at the web server or reverse proxy, so that every response carries it, not only the five scripts listed below. Second, with "nosniff" in force a browser refuses to execute a script, or apply a stylesheet, whose declared Content-Type is not a JavaScript or text/css type, so verify that every static asset is served with the correct Content-Type before enabling it; the responses captured here already declare application/javascript, so they would keep working.
Security risk (the scanner's generic text for this classification): sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations, may be collected. For this particular finding the practical risk is MIME sniffing of a response into an executable type, not direct credential leakage.
References:
- List of useful HTTP headers (OWASP)
- Reducing MIME type security risks (Microsoft)
Issue type: Missing "X-Content-Type-Options" header
Cause: Insecure web application programming or configuration
Affected products: this issue may affect various types of products
Affected URLs:
- http://10.1.20.137:8085/js/bootstrap.min.js
- http://10.1.20.137:8085/js/footer.js
- http://10.1.20.137:8085/js/header.js
- http://10.1.20.137:8085/js/jquery.toaster.js
- http://10.1.20.137:8085/js/respond.min.js
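The following added example is not part of the AppScan report or of the scanned application. It reproduces the scanner's check offline against a raw HTTP response in the form the report captures, and adds the check a deployer needs before switching the header on: whether the declared Content-Type is one a browser will still execute for a script once "nosniff" is in force. The first sample response is constructed to match the header set captured for /js/footer.js; the second, a hardened response served as text/plain, is hypothetical.

```python
"""Audit captured HTTP responses for X-Content-Type-Options: nosniff.

Added example, not scanner output or application code. Parses raw HTTP/1.1
responses as reproduced in the report and reports (a) whether nosniff is
present and (b) whether a browser would refuse to run the resource as a
script under nosniff because of its declared Content-Type.
"""
from typing import Dict, List, NamedTuple

# MIME types browsers accept for <script> when nosniff is set (subset of the
# WHATWG "JavaScript MIME type" list; enough for this check).
JS_MIME_TYPES = {
    "application/javascript", "application/x-javascript",
    "application/ecmascript", "text/javascript", "text/ecmascript",
}


class Finding(NamedTuple):
    path: str
    missing_nosniff: bool
    content_type: str
    script_would_be_blocked: bool


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Return the headers of a raw HTTP response as lowercase name -> values.

    Header names are case-insensitive and may repeat, so each name maps to a
    list. Only the head (everything before the first blank line) is examined.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate stray lines, as the scanner's capture does
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_script_response(path: str, raw: str) -> Finding:
    """Replicate the scanner's check and add the deployer's caveat.

    Under nosniff a browser refuses to execute a <script> whose declared
    Content-Type is not a JavaScript type, so the two checks belong together:
    adding the header without fixing a wrong Content-Type breaks the page.
    """
    headers = parse_response(raw)
    xcto = [v.lower() for v in headers.get("x-content-type-options", [])]
    ctype = headers.get("content-type", [""])[0]
    media_type = ctype.split(";", 1)[0].strip().lower()
    is_script = path.lower().endswith(".js")
    return Finding(
        path=path,
        missing_nosniff="nosniff" not in xcto,
        content_type=media_type,
        script_would_be_blocked=is_script and media_type not in JS_MIME_TYPES,
    )


# Constructed sample 1: the header set captured for /js/footer.js in this
# report, with the body replaced by a placeholder.
CAPTURED_FOOTER_JS = (
    "HTTP/1.1 200\r\n"
    "Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 1163\r\n"
    "Date: Fri, 11 Oct 2019 01:27:10 GMT\r\n"
    "Content-Type: application/javascript\r\n"
    "\r\n"
    "/* body omitted */\r\n"
)

# Constructed sample 2 (hypothetical): the header has been added, but a
# misconfigured static handler now serves the script as text/plain.
HARDENED_BUT_WRONG_TYPE = (
    "HTTP/1.1 200\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (CAPTURED_FOOTER_JS, HARDENED_BUT_WRONG_TYPE):
        f = audit_script_response("/js/footer.js", raw)
        print(f"{f.path}: missing nosniff={f.missing_nosniff}, "
              f"type={f.content_type!r}, blocked={f.script_would_be_blocked}")
```

Run against the captured response the audit reports only the missing header; run against the hypothetical hardened response it reports that the script would no longer execute, which is the regression to test for after the server change.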
Issue 1/5 ( http://10.1.20.137:8085/js/footer.js - footer.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-Content-Type-Options response header is missing, which may leave users more exposed to drive-by download attacks.
Variant request/response
GET /js/footer.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 1163
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

/**
 * Created by cpc on 12/27/15.
 */
function noticeInfo(content) {
$.toaster({ title : content, priority : 'info', message : ')' });
}
function noticeWarning(content) {
$.toaster({ title : content, priority : 'warning', message : '(' });
}
function sendEmail() {
$.ajax({
type: 'post',
url: rootUrl+'/feedback/sendEmail',
success: function() {}
});
}
$(document).ready(function(){
$('#send-feedback').click(function() {
var content = $('#feedback-content').val().trim();
if (content == '') {
noticeWarning('反馈不能为空');
return;
}
var data = {
content: content
};
$.ajax({
type: 'post',
url: rootUrl+'/feedback',
data: data,
success: function(status) {
if (status > 0) {
sendEmail();
noticeInfo('反馈成功');
$('#modal-feedback').modal('hide');
} else if (status == 0) {
$.toaster({ title : '还没登录喔~', priority : 'danger', message : '(' });
} else {
$.toaster({ title : '出错啦,请稍候再试~', priority : 'danger', message : '(' });
}
}
});
});
});
Issue 2/5 ( http://10.1.20.137:8085/js/respond.min.js - respond.min.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-Content-Type-Options response header is missing, which may leave users more exposed to drive-by download attacks.
Variant request/response
GET /js/respond.min.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 4377
Date: Fri, 11 Oct 2019 01:27:08 GMT
Content-Type: application/javascript

/*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl
 * Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT
 * */
!function(a){"usestrict";a.matchMedia=a.matchMedia||function(a){varb,c=a.documentElement,d=c.firstElementChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div");returnf.id="mq-test-1",f.style.cssText="position:absolute;top:-100em",e.style.background="none",e.appendChild(f),function(a){returnf.innerHTML='&shy;<style media="'+a+'"> #mq-test-1 { width:42px;}</style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(e),{matches:b,media:a}}}(a.document)}(this),function(a){"usestrict";function b(){u(!0)}var c={};a.respond=c,c.update=function(){};vard=[],e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=newa.ActiveXObject("Microsoft.XMLHTTP")}return function(){returnb}}(),f=function(a,b){varc=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={media:/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/gi,keyframes:/@(?:\-(?:o|moz|webkit)\-)?keyframes[^\{]+\{(?:[^\{\}]*\{[^\}\{]*\})+[^\}]*\}/gi,urls:/(url\()['"]?([^\/\)'"][^:\)'"]+)['"]?(\))/g,findStyles:/@media*([^\{]+)\{([\S\s]+?)$/,only:/(only\s+)?([a-zA-Z]+)\s?/,minw:/\([\s]*min\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/,maxw:/\([\s]*max\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/},c.mediaQueriesSupported=a.matchMedia&&null!==a.matchMedia("onlyall")&&a.matchMedia("onlyall").matches,!c.mediaQueriesSupported){varg,h,i,j=a.document,k=j.documentElement,l=[],m=[],n=[],o={},p=30,q=j.getElementsByTagName("head")[0]||k,r=j.getElementsByTagName("base")[0],s=q.getElementsByTagName("link"),t=function(){vara,b=j.createElement("div"),c=j.body,d=k.style.fontSize,e=c&&c.style.fontSize,f=!1;returnb.style.cssText="position:absolute;font-size:1em;width:1em",c||(c=f=j.createElement("body"),c.style.background="none"),k.style.fontSize="100%",c.style.fontSize="100%",c.appendChild(b),f&&k.insertBefore(c,k.firstChild),a=b.offsetWidth,f?k.removeChild(c):c.removeChild(b),k.style.fontSiz
e=d,e&&(c.style.fontSize=e),a=i=parseFloat(a)},u=function(b){varc="clientWidth",d=k[c],e="CSS1Compat"===j.compatMode&&d||j.body[c]||d,f={},o=s[s.length-1],r=(newDate).getTime();if(b&&g&&p>r-g)returna.clearTimeout(h),h=a.setTimeout(u,p),void 0;g=r;for(var v inl)if(l.hasOwnProperty(v)){var w=l[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?i||t():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?i||t():1)),w.hasquery&&(z&&A||!(z||e>=x)||!(A||y>=e))||(f[w.media]||(f[w.media]=[]),f[w.media].push(m[w.rules]))}for(varC in n)n.hasOwnProperty(C)&&n[C]&&n[C].parentNode===q&&q.removeChild(n[C]);n.length=0;for(varD in f)if(f.hasOwnProperty(D)){varE=j.createElement("style"),F=f[D].join("\n");E.type="text/css",E.media=D,q.insertBefore(E,o.nextSibling),E.styleSheet?E.styleSheet.cssText=F:E.appendChild(j.createTextNode(F)),n.push(E)}},v=function(a,b,d){vare=a.replace(c.regex.keyframes,"").match(c.regex.media),f=e&&e.length||0;b=b.substring(0,b.lastIndexOf("/"));varg=function(a){return 
a.replace(c.regex.urls,"$1"+b+"$2$3")},h=!f&&d;b.length&&(b+="/"),h&&(f=1);for(vari=0;f>i;i++){varj,k,n,o;h?(j=d,m.push(g(a))):(j=e[i].match(c.regex.findStyles)&&RegExp.$1,m.push(RegExp.$2&&g(RegExp.$2))),n=j.split(","),o=n.length;for(varp=0;o>p;p++)k=n[p],l.push({media:k.split("(")[0].match(c.regex.only)&&RegExp.$2||"all",rules:m.length-1,hasquery:k.indexOf("(")>-1,minw:k.match(c.regex.minw)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:k.match(c.regex.maxw)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}u()},w=function(){if(d.length){varb=d.shift();f(b.href,function(c){v(c,b.href,b.media),o[b.href]=!0,a.setTimeout(function(){w()},0)})}},x=function(){for(varb=0;b<s.length;b++){varc=s[b],e=c.href,f=c.media,g=c.rel&&"stylesheet"===c.rel.toLowerCase();e&&g&&!o[e]&&(c.styleSheet&&c.styleSheet.rawCssText?(v(c.styleSheet.rawCssText,e,f),o[e]=!0):(!/^([a-zA-Z:]*\/\/)/.test(e)&&!r||e.replace(RegExp.$1,"").split("/")[0]===a.location.host)&&("//"===e.substring(0,2)&&(e=a.location.protocol+e),d.push({href:e,media:f})))}w()};x(),c.update=x,c.getEmValue=t,a.addEventListener?a.addEventListener("resize",b,!1):a.attachEvent&&a.attachEvent("onresize",b)}}(this);
Issue 3/5 ( http://10.1.20.137:8085/js/header.js - header.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-Content-Type-Options response header is missing, which may leave users more exposed to drive-by download attacks.
Variant request/response
GET /js/header.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 1023
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

/**
 * Created by soujing on 12/27/15.
 */
$(document).ready(function(){
$.get(
rootUrl + "/Index/checkLogin",
{},
function(data){
if(data){
loginNav();
}
else{
$(".logout").parent().remove();
}
}
)
})
function loginNav(){
$.get(
rootUrl + "/User/getLoginInit",
{},
function(data){
var mesNum = data['mes_num'];
var userName = data['name'];
var userIcon = data['icon'];
var isRead = data['read'];
if(mesNum != 0){
var mesSpan = ' <span class="badge"> '+ mesNum +'</span>';
$("#nav-messages").append(mesSpan);
}
if(!isRead){
var redPoint = '<div class="red-point"></div>';
$("#nav-notice").children("a").append(redPoint);
$("#xs-nav-notice").children("a").append(redPoint);
}
}
)
}
Issue 4/5 ( http://10.1.20.137:8085/js/jquery.toaster.js - jquery.toaster.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-Content-Type-Options response header is missing, which may leave users more exposed to drive-by download attacks.
Variant request/response
GET /js/jquery.toaster.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 5450
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

/***********************************************************************************
 * Add Array.indexOf                                                               *
 ***********************************************************************************/
(function()
{
if (typeof Array.prototype.indexOf !== 'function')
{
Array.prototype.indexOf = function(searchElement, fromIndex)
{
for (var i = (fromIndex || 0), j = this.length; i < j; i += 1)
{
if ((searchElement === undefined) || (searchElement === null))
{
if (this[i] === searchElement)
{
return i;
}
}
else if (this[i] === searchElement)
{
return i;
}
}
return -1;
};
}
})();
/**********************************************************************************/
(function($,undefined)
{
var toasting =
{
gettoaster : function ()
{
var toaster = $('#' + settings.toaster.id);
if(toaster.length < 1)
{
toaster = $(settings.toaster.template).attr('id',settings.toaster.id).css(settings.toaster.css).addClass(settings.toaster['class']);
if ((settings.stylesheet) && (!$("link[href=" +settings.stylesheet + "]").length))
{
$('head').appendTo('<link rel="stylesheet" href="' +settings.stylesheet + '">');
}
$(settings.toaster.container).append(toaster);
}
return toaster;
},
notify : function (title, message, priority)
{
var $toaster = this.gettoaster();
var $toast  = $(settings.toast.template.replace('%priority%', priority)).hide().css(settings.toast.css).addClass(settings.toast['class']);
$('.title', $toast).css(settings.toast.csst).html(title);
$('.message', $toast).css(settings.toast.cssm).html(message);
if ((settings.debug) && (window.console))
{
console.log(toast);
}
$toaster.append(settings.toast.display($toast));
if (settings.donotdismiss.indexOf(priority) === -1)
{
var timeout = (typeof settings.timeout === 'number') ? settings.timeout : ((typeof settings.timeout === 'object') && (priority in settings.timeout)) ? settings.timeout[priority] : 1500;
setTimeout(function()
{
settings.toast.remove($toast, function()
{
$toast.remove();
});
}, timeout);
}
}
};
var defaults =
{
'toaster'         :
{
'id'        : 'toaster',
'container' : 'body',
'template'  : '<div></div>',
'class'     : 'toaster',
'css'       :
{
'position' : 'fixed',
'top'      : '10px',
'right'    : '10px',
'width'    : '300px',
'zIndex'   : 50000
}
},
'toast'       :
{
'template' :
'<div class="alert alert-%priority% alert-dismissible" role="alert">' +
'<button type="button" class="close" data-dismiss="alert">' +
'<span aria-hidden="true">&times;</span>' +
'<span class="sr-only">Close</span>' +
'</button>' +
'<span class="title"></span>: <span class="message"></span>' +
'</div>',
'css'      : {},
'cssm'     : {},
'csst'     : { 'fontWeight' : 'bold' },
'fade'     : 'slow',
'display'    : function ($toast)
{
return $toast.fadeIn(settings.toast.fade);
},
'remove'     : function ($toast, callback)
{
return $toast.animate(
{
opacity : '0',
padding: '0px',
margin  : '0px',
height  : '0px'
},
{
duration : settings.toast.fade,
complete : callback
}
);
}
...
Issue 5/5 ( http://10.1.20.137:8085/js/bootstrap.min.js - bootstrap.min.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-Content-Type-Options response header is missing, which may leave users more exposed to drive-by download attacks.
Variant request/response
GET /js/bootstrap.min.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 36816
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

/*!
 * Bootstrap v3.3.5 (http://getbootstrap.com)
 * Copyright 2011-2015 Twitter, Inc.
 * Licensed under the MIT license
 */
if("undefined"==typeofjQuery)throw new Error("Bootstrap's JavaScript requiresjQuery");+function(a){"use strict";varb=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1)thrownew Error("Bootstrap's JavaScript requires jQuery version 1.9.1 orhigher")}(jQuery),+function(a){"use strict";function b(){vara=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEndotransitionend",transition:"transitionend"};for(var c inb)if(void0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){varc=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});vare=function(){c||a(d).trigger(a.support.transition.end)};returnsetTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){returna(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void0}})})}(jQuery),+function(a){"use strict";function b(b){returnthis.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=newd(this)),"string"==typeof b&&e[b].call(c)})}varc='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.5",d.TRANSITION_DURATION=150,d.prototype.close=function(b){functionc(){g.detach().trigger("closed.bs.alert").remove()}vare=a(this),f=e.attr("data-target");f||(f=e.attr("href"),f=f&&f.replace(/.*(?=#[^\s]*$)/,""));varg=a(f);b&&b.preventDefault(),g.length||(g=e.closest(".alert")),g.trigger(b=a.Event("close.bs.alert")),b.isDefaultPrevented()||(g.removeClass("in"),a.support.transition&&g.hasClass("fade")?g.one("bsTransitionEnd",c).emulateTransitionEnd(d.TRANSITION_DURATION):c())};vare=a.fn.alert;a.fn.alert=b,a.fn.alert.Constructor=d,a.fn.alert.noConflict=function(){returna.fn.alert=e,this},a(document).on("click.bs.alert.data-api",c,d.prototype.close)}(jQuery),+function(a){"usestrict";function 
b(b){return this.each(function(){vard=a(this),e=d.data("bs.button"),f="object"==typeofb&&b;e||d.data("bs.button",e=new c(this,f)),"toggle"==b?e.toggle():b&&e.setState(b)})}varc=function(b,d){this.$element=a(b),this.options=a.extend({},c.DEFAULTS,d),this.isLoading=!1};c.VERSION="3.3.5",c.DEFAULTS={loadingText:"loading..."},c.prototype.setState=function(b){varc="disabled",d=this.$element,e=d.is("input")?"val":"html",f=d.data();b+="Text",null==f.resetText&&d.data("resetText",d[e]()),setTimeout(a.proxy(function(){d[e](null==f[b]?this.options[b]:f[b]),"loadingText"==b?(this.isLoading=!0,d.addClass(c).attr(c,c)):this.isLoading&&(this.isLoading=!1,d.removeClass(c).removeAttr(c))},this),0)},c.prototype.toggle=function(){vara=!0,b=this.$element.closest('[data-toggle="buttons"]');if(b.length){varc=this.$element.find("input");"radio"==c.prop("type")?(c.prop("checked")&&(a=!1),b.find(".active").removeClass("active"),this.$element.addClass("active")):"checkbox"==c.prop("type")&&(c.prop("checked")!==this.$element.hasClass("active")&&(a=!1),this.$element.toggleClass("active")),c.prop("checked",this.$element.hasClass("active")),a&&c.trigger("change")}elsethis.$element.attr("aria-pressed",!this.$element.hasClass("active")),this.$element.toggleClass("active")};vard=a.fn.button;a.fn.button=b,a.fn.button.Constructor=c,a.fn.button.noConflict=function(){returna.fn.button=d,this},a(document).on("click.bs.button.data-api",'[data-toggle^="button"]',function(c){vard=a(c.target);d.hasClass("btn")||(d=d.closest(".btn")),b.call(d,"toggle"),a(c.target).is('input[type="radio"]')||a(c.target).is('input[type="checkbox"]')||c.preventDefault()}).on("focus.bs.button.data-apiblur.bs.button.data-api",'[data-toggle^="button"]',function(b){a(b.target).closest(".btn").toggleClass("focus",/^focus(in)?$/.test(b.type))})}(jQuery),+function(a){"usestrict";function b(b){return 
this.each(function(){vard=a(this),e=d.data("bs.carousel"),f=a.extend({},c.DEFAULTS,d.data(),"object"==typeofb&&b),g="string"==typeofb?b:f.slide;e||d.data("bs.carousel",e=newc(this,f)),"number"==typeofb?e.to(b):g?e[g]():f.interval&&e.pause().cycle()})}varc=function(b,c){this.$element=a(b),this.$indicators=this.$element.find(".carousel-indicators"),this.options=c,this.paused=null,this.sliding=null,this.interval=null,this.$active=null,this.$items=null,this.options.keyboard&&this.$element.on("keydown.bs.caro...
Missing "X-XSS-Protection" header (5/6)
Advisory and remediation recommendations
Threat classification: Information disclosure
The "X-XSS-Protection" header forces the browser's built-in cross-site scripting filter into "enabled" mode even when the user has turned it off. The filter ships with the browsers of the period (IE 8+, Chrome 4+) and is usually on by default. It was never meant to be the primary defence and only addresses reflected cross-site scripting, but it serves as an additional layer of protection.
Caveats for anyone acting on this finding. The header is a legacy control: Chromium removed its XSS Auditor in Chrome 78 (October 2019), Microsoft Edge dropped its filter in 2018 and Firefox never implemented one, so current browsers ignore the header, and in the browsers that did honour it the filter could itself be abused to block chosen legitimate scripts or to leak information. Current OWASP guidance is to send `X-XSS-Protection: 0`, or omit the header, and rely on a Content-Security-Policy that restricts script sources together with context-aware output encoding on the server; sending `X-XSS-Protection: 1; mode=block` still satisfies this scanner check. Note also that the flagged URLs are static scripts: the filter only acts on documents rendered as HTML, so the header matters on the pages that include these scripts (for example /tologin), not on the .js responses themselves, and a server-wide setting covers both.
Security risk (the scanner's generic text for this classification): sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations, may be collected. For this finding the relevant risk is reflected cross-site scripting, not information disclosure.
References:
- List of useful HTTP headers (OWASP)
- IE XSS Filter (Microsoft)
Issue type: Missing "X-XSS-Protection" header
Cause: Insecure web application programming or configuration
Affected products: this issue may affect various types of products
Affected URLs:
- http://10.1.20.137:8085/js/bootstrap.min.js
- http://10.1.20.137:8085/js/footer.js
- http://10.1.20.137:8085/js/header.js
- http://10.1.20.137:8085/js/jquery.toaster.js
- http://10.1.20.137:8085/js/respond.min.js
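Both header findings in this report (the "X-Content-Type-Options" one above and this one) have the same fix: set the headers once, at a choke point every response passes through, rather than per route. The following added example is not the scanned application's code; it is a WSGI middleware that adds `X-Content-Type-Options`, `X-XSS-Protection` and a Content-Security-Policy (the control that actually replaces the legacy XSS filter) without overriding a value the application already chose for a route. The inner app `static_js_app`, the `call_app` harness and the policy string are assumptions made for the demonstration; the Nginx/Apache equivalent is the same three `add_header` / `Header set` lines in the server block.

```python
"""Add the security headers both findings ask for at one choke point.

Added example, not the scanned application's code. A WSGI middleware that
hardens every response, plus a minimal in-process client to exercise it.
"""
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]

# Values chosen for this example; tighten the CSP to the application's real
# script and style origins before deploying it.
SECURITY_HEADERS: Headers = [
    ("X-Content-Type-Options", "nosniff"),
    # Satisfies the scanner. Current browsers ignore this header; the CSP
    # below is what limits script execution in them.
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; base-uri 'self'"),
]


def harden_headers(headers: Headers) -> Headers:
    """Return headers with each security header added if not already present.

    Header names compare case-insensitively; an existing value (for example a
    route-specific CSP, or X-XSS-Protection: 0) is kept, never duplicated.
    """
    present = {name.lower() for name, _ in headers}
    return list(headers) + [
        (name, value) for name, value in SECURITY_HEADERS
        if name.lower() not in present
    ]


def security_headers_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so every response passes through harden_headers."""
    def wrapped(environ, start_response):
        def hardened_start(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return app(environ, hardened_start)
    return wrapped


def static_js_app(environ, start_response):
    """Hypothetical inner app standing in for the /js/ static file handler."""
    body = b"/* footer.js */"
    headers = [("Content-Type", "application/javascript"),
               ("Content-Length", str(len(body)))]
    start_response("200 OK", headers)
    return [body]


def call_app(app: Callable, path: str) -> Tuple[str, Headers, bytes]:
    """Minimal WSGI client: run one GET and return status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = security_headers_middleware(static_js_app)
    status, headers, _ = call_app(app, "/js/footer.js")
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

Because `harden_headers` only fills in what is absent, a route that deliberately sends `X-XSS-Protection: 0` (the value current guidance prefers) keeps it, and a page that needs a looser CSP for a third-party widget can set its own without being overwritten.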
Issue 1/5 ( http://10.1.20.137:8085/js/footer.js - footer.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-XSS-Protection response header is missing, which may leave the application exposed to cross-site scripting attacks.
Variant request/response
GET /js/footer.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 1163
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

(Response body omitted: identical to the /js/footer.js body reproduced under issue 1/5 of the "X-Content-Type-Options" finding above.)
Issue 2/5 ( http://10.1.20.137:8085/js/header.js - header.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-XSS-Protection response header is missing, which may leave the application exposed to cross-site scripting attacks.
Variant request/response
GET /js/header.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 1023
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

(Response body omitted: identical to the /js/header.js body reproduced under issue 3/5 of the "X-Content-Type-Options" finding above.)
Issue 3/5 ( http://10.1.20.137:8085/js/respond.min.js - respond.min.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-XSS-Protection response header is missing, which may leave the application exposed to cross-site scripting attacks.
Variant request/response
GET /js/respond.min.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 4377
Date: Fri, 11 Oct 2019 01:27:08 GMT
Content-Type: application/javascript

(Response body omitted: identical to the /js/respond.min.js body reproduced under issue 2/5 of the "X-Content-Type-Options" finding above.)
Issue 4/5 ( http://10.1.20.137:8085/js/jquery.toaster.js - jquery.toaster.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-XSS-Protection response header is missing, which may leave the application exposed to cross-site scripting attacks.
Variant request/response
GET /js/jquery.toaster.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 5450
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

(Response body omitted: identical to the /js/jquery.toaster.js body reproduced under issue 4/5 of the "X-Content-Type-Options" finding above, truncated at the same point.)
Issue 5/5 ( http://10.1.20.137:8085/js/bootstrap.min.js - bootstrap.min.js )
Severity: Low
CVSS score: 5
Variant reason
AppScan detected that the X-XSS-Protection response header is missing, which may leave the application exposed to cross-site scripting attacks.
Variant request/response
GET /js/bootstrap.min.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://10.1.20.137:8085/tologin
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
Last-Modified: Thu, 01 Aug 2019 06:24:43 GMT
Accept-Ranges: bytes
Content-Length: 36816
Date: Fri, 11 Oct 2019 01:27:10 GMT
Content-Type: application/javascript

(Response body omitted: identical to the /js/bootstrap.min.js body reproduced under issue 5/5 of the "X-Content-Type-Options" finding above, truncated at the same point.)
Autocomplete HTML Attribute Not Disabled for Password Field (6/6)
Advisory and fix recommendation
Information Disclosure
The "autocomplete" attribute is standardized in HTML5. Its two basic states are "on" and "off"; omitting the attribute entirely is equivalent to setting it to "on". (The current HTML Living Standard additionally accepts autofill field names such as "new-password", "current-password" and "one-time-code".)
This page is reported because the "autocomplete" attribute on a "password" input element is not set to "off".
This may allow an unauthorized user with local access to an authorized client machine to have the username and password fields filled in automatically and thereby log in to the site.
Note that current mainstream browsers (Chrome, Firefox and Edge among them) ignore autocomplete="off" on login password fields and offer to save and fill credentials regardless, so the attribute only affects legacy browsers and form-autofill history. Treat it as defence in depth, not as an authentication control.
It may be possible to bypass the web application's authentication mechanism
Autocomplete HTML Attribute Not Disabled for Password Field
Autocomplete HTML Attribute Not Disabled for Password Field
Insecure web application programming or configuration
Not applicable
Affected URL
· http://10.1.20.137:8085/tologin
Issue 1/1 ( http://10.1.20.137:8085/tologin - tologin )
Severity: Low
CVSS score: 5
All variants
Variant differences
Variant reason
AppScan found a password field on which autocomplete is not explicitly disabled.
Variant validation
·  <label for="login-password" class="sr-only">密码</label>
   <input type="password" id="login-password" class="form-control" placeholder="密码" required>
   <div class="checkbox">
   <label class
·  <label for="regpassword" class="sr-only">密码</label>
   <input type="password" id="registerPassword" class="form-control" placeholder="密码" required>
   <label for="phone" class="sr-only">手机号</label>
·  px; margin-top:5px;" id="verify_refresh" onclick="setButtonStatus(this)">获取验证码</button>
   <input type="password" id="register-password" class="form-control" placeholder="验证码" required >
   <button class="btn btn-lg btn-primary btn-block register" id="butre
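AppScan flagged three inputs on /tologin: the login password, the registration password, and the SMS verification-code field, which is also an input of type "password". The following scanner, added here as an example and not part of the AppScan report or of the scanned application, reproduces that check on a raw HTML body so it can be run over saved responses outside a browser, and adds the value a practitioner would actually set for each field (one-time-code for the SMS code, new-password for registration, current-password for login), since current browsers honour those while ignoring "off". The sample markup is constructed from the snippets quoted above plus two already-hardened inputs; the role heuristics in suggestAutocomplete are an assumption based on field ids and placeholders.

```javascript
// Added example (not from the report or the scanned application): reproduce the
// "autocomplete not disabled on password field" check on a raw HTML string.

// Sample markup constructed from the three snippets AppScan quoted for
// /tologin, plus two hardened inputs and one non-password input as controls.
const SAMPLE_HTML = `
<label for="login-password" class="sr-only">Password</label>
<input type="password" id="login-password" class="form-control" placeholder="Password" required>
<label for="regpassword" class="sr-only">Password</label>
<input type="password" id="registerPassword" class="form-control" placeholder="Password" required>
<input type="password" id="register-password" class="form-control" placeholder="Verification code" required >
<input type="password" id="hardened-login" autocomplete="off">
<input type="password" id="hardened-otp" autocomplete="one-time-code">
<input type="text" id="username" autocomplete="on">
`;

// Parse the attributes of one <input ...> tag into an object. Attribute names
// are lowercased; values keep their case so ids can be reported verbatim.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseInputAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Suggest the autocomplete value a practitioner would set, guessed from the
// field's id/name/placeholder (assumption: OTP-looking fields get
// one-time-code, registration fields new-password, the rest current-password).
function suggestAutocomplete(attrs) {
  const hint = `${attrs.id || ''} ${attrs.name || ''} ${attrs.placeholder || ''}`.toLowerCase();
  if (/otp|verif|code/.test(hint)) return 'one-time-code';
  if (/regist|new|confirm/.test(hint)) return 'new-password';
  return 'current-password';
}

// Report password inputs whose autocomplete attribute is missing, empty or
// "on", the condition AppScan reports. Any explicit value ("off",
// "new-password", "current-password", "one-time-code") is a deliberate choice
// and is not flagged. Returns [{ field, suggested }] in document order.
function findUnprotectedPasswordInputs(html) {
  const flagged = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseInputAttributes(m[0]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const ac = (a.autocomplete || '').trim().toLowerCase();
    if (ac === '' || ac === 'on') {
      flagged.push({ field: a.id || a.name || '(unnamed)', suggested: suggestAutocomplete(a) });
    }
  }
  return flagged;
}

// Usage: run over the constructed sample; the three fields from the finding
// are reported, the two hardened inputs and the text input are not.
console.log(findUnprotectedPasswordInputs(SAMPLE_HTML));
```

In the browser the same logic is one line (`document.querySelectorAll('input[type=password]:not([autocomplete])')`), but the string-based form above is what you would run over a crawler's saved responses to confirm or re-test the finding without AppScan.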
Variant request/response
GET /tologin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.1.20.137:8085
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US

HTTP/1.1 200
x-ua-compatible: IE=edge
Transfer-Encoding: chunked
cache-control: no-transform
Content-Language: en-US
Date: Fri, 11 Oct 2019 01:32:47 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta http-equiv="Cache-Control"content="no-transform">
<title>login</title>
<link rel="shortcut icon"href="/Public/img/favicon.ico"/>
<link href="/css/bootstrap.css" rel="stylesheet">
<link href="/css/main.css" rel="stylesheet"type="text/css" />
<link href="/css/index.css" rel="stylesheet"type="text/css" />
<link href="/css/detail.css" rel="stylesheet"type="text/css" />
<link href="/css/user.css" rel="stylesheet"type="text/css" />
<link href="/css/announcement.css" rel="stylesheet"type="text/css" />
<link href="/css/bootstrap-datetimepicker.min.css"rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="/css/login.css" />
<script src="/js/html5shiv.min.js"></script>
<script src="/js/respond.min.js"></script>
<script src="/js/jquery.min.js"></script>
<script>
var rootUrl = '';
</script>
<script type="text/javascript">
$(function(){
$("#but").click(function(){
$.ajax({
url:"/checkLogin",
type:"post",
dataType:"json",
data:{
"admin":$("#username").val(),
"password":$("#login-password").val(),
},
success:function(data){
if(data.mess){
location.href="/tomain";
}
else{
$("#f1").html("用户名或密码输入错误");
}
},
error:function(data){
alert("请填写正确信息!!!");
}
});
});
/* Registration */
/* First check whether the username already exists */
var flag;
$("#regadmin").blur(function(){
$.ajax({
url:"/checkRegister",
type:"post",
dataType:"json",
data:{
"admin":$("#regadmin").val(),
},
success:function(data){
if(data.mess){
flag=data.mess;
$("#f2").html("用户名已存在,请重新输入");
}
},
error:function(data){
alert("请填写正确信息!!!");
}
})
/* On focus */
$("#regadmin").focus(function(){
$("#f2").html("");
})
/* When the "get verification code" button is clicked */
var hash;
var tamp;
var wait=60;
$("#verify_refresh").click(function(){
$.ajax({
dataType:"json",
type:"post",
url:"/sendMsg",
data:{"telephone":$("#telephone").val()},
xhrFields: {
withCredentials: true
},
success: function (data) {
hash = data.hash;
tamp = data.tamp;
},
error: function (data) {
alert("请填写正确信息!!!");
}
});
})
/* Countdown timer */
function setButtonStatus(that) {
if (wait == 0) {
that.removeAttribute("disabled");
that.value="免费获取验证码";
wait = 60;
} else {
that.setAttribute("disabled", true);
that.value=wait+"秒后可以重新发送";
wait--;
setTimeout(function() {
setButtonStatus(that)
}, 1000)
}
}
/* On register click */
$("#butregster").click(function(){
$.ajax({
dataType:"json",
type:"post",
url:"/validate",
data:{
"msgNum":$("#register-password").val(),/* verification code */
"hash":hash,
"tamp":tamp,
"telphone":$("#telephone").val(),
"admin":$("#regadmin").val(),/* username */
"password":$("#registerPassword").val()/* password */
},
success: function (data) {
if(data.flag){
location.href="/tologin";
}else{
alert("验证码错误或超时");
}
},
error: function (data) {
alert("请填写正确信息!!!");
}
});
})
})
})
</script>
</head>
<body>
<div class="home">
<header class="header">
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="row">
<div class="hidden-xs hidden-sm col-md-3 col-lg-3">
<div class="navbar-header navbar-left">
<a class="navbar-brand-mc" href="/tomain">
<img src="/picture/milogo.png" alt="logo"/>
<h4 class="company-name">钱多多金融</h4>
</a>
</div>
</div>
</div>
</div>
</nav>
</header>
<div class="content">
<div class="wrapper">
<div class="container">
<div class="row">
<div class="wrapper-intro col-xs-0 col-sm-6 col-md-8 col-lg-8">
<img src="/picture/milogo.png"/>
<br/>
...
Issue types with severity Informational
Test policy
Name: Default
Description: This policy contains all tests except invasive and port-listener tests.
Tests ( 104 ):
Name | Severity
Request Splitting | Low
Adobe Products XML External Entity Injection | High
Apache Struts 2 OGNL Action/Redirect Exploit | High
Application Debug Mode Enabled | Low
Email Address in Hidden Parameter | Informational
Email Parameter Spoofing | Informational
File Upload | High
Electronic Theft | Low
Unsigned __VIEWSTATE Parameter | Low
HTTP Request Forwarding (Web Proxy) Detected | Informational
TRACE and TRACK HTTP Methods Enabled | Low
e107 contact.php PHP Code Execution | High
Link Manipulation | Medium
Log Forging | Low
MX Injection | Medium
Flash Parameter AllowScriptAccess Set to always | Low
IBM WebSphere Sample Site Found | High
Oracle Application Server SOAP Administration | High
Oracle Single Sign-On Login Page Credential Disclosure | Medium
Potential File Upload | Informational
Remote RSS Feed Inclusion | Informational
Non-SOAP Web Service Access | Low
Use of Vulnerable ActiveX Control | Medium
Port Manipulation | High
Second Order Injection | High
Unsafe Third-Party Link (target="_blank") | Low
Reflected Unsafe Link (target="_blank") | Medium
Stored target='_blank' Link | Medium
Inadequate Account Lockout | Medium
Predictable Login Credentials | High
IIS localstart.asp Possible Brute Force | High
Login Error Message Credential Enumeration | Medium
Microsoft IIS Phone Book Service Buffer Overflow | High
Phishing Through Flash (ActionScript 3) | Medium
Unsafe "OPTIONS" HTTP Method Enabled | Low
Link Injection (Facilitates Cross-Site Request Forgery) | Medium
WebDAV MKCOL Method Site Defacement | Medium
Insecure Direct Object Reference in Flash (ActionScript 2) | Medium
Email Attribute Spoofing | Low
Phishing Through Frames | Medium
Phishing Through Flash (ActionScript 2) | Medium
phpPgAdmin redirect.php URL Redirection | Medium
MD5 Used as SSL Certificate Signature Algorithm | Medium
WebSphere Application Server Administration Console Link Injection (Facilitates Cross-Site Request Forgery) | Medium
WebSphere Multiple Link Injection via Administrative Console | Medium
WebSphere Multiple Phishing via Administrative Console | Medium
Malicious Download | Medium
WordPress 4.7.0 and 4.7.1 Content Injection | Medium
Apache Tomcat Weak Default Administrative Account Credentials | High
Macromedia ColdFusion Weak Session Cookie | High
Apache JServ Weak Token Algorithm | High
Cross-Site Request Forgery | Medium
Silverlight Allows Access from Domain | Medium
AChecker index.php Cross-Site Scripting | High
AContent Multiple Cross-Site Scripting | High
AMFPHP details.php Cross-Site Scripting | High
Apache Axis2/Java Cross-Site Scripting | High
Apache Geronimo Cross-Site Scripting in Path | High
Apache mod_perl "Apache::Status" / "Apache2::Status" Cross-Site Scripting | High
Apache OFBiz Multiple Cross-Site Scripting | High
Apache Struts2 Multiple Cross-Site Scripting | High
Apache Struts Multiple Cross-Site Scripting | High
Apache Struts Cross-Site Scripting in File Name | High
Apache Tomcat Manager "Session" Cross-Site Scripting | High
Cross-Site Phishing (ActionScript 3) | High
Cross-Site Scripting Through Flash (ActionScript 3) | High
Cross-Site Scripting | High
HTTP Referer Header Cross-Site Scripting | High
User-Agent Header Cross-Site Scripting | High
AutoIndex index.php Cross-Site Scripting | High
bbsmax post.aspx Cross-Site Scripting | High
BlackBerry Enterprise Server Cross-Site Scripting | High
Blue Coat ICAP Patience Page Cross-Site Scripting | High
BMForum Multiple Cross-Site Scripting | High
Campsite index.php Cross-Site Scripting | High
Caucho Resin resin-admin Cross-Site Scripting | High
ClipBucket Multiple Cross-Site Scripting | High
Comptel Provisioning and Activation index.jsp Cross-Site Scripting | High
Contenido front_content.php Cross-Site Scripting | High
Coppermine Photo Gallery showdoc.php Cross-Site Scripting (V1.4.22) | High
cPanel autoinstall4imagesgalleryupgrade.php Cross-Site Scripting | High
cPanel dofileop.html Cross-Site Scripting | High
Cross-Site Phishing (ActionScript 2) | High
Cross-Site Scripting Through Flash (ActionScript 2) | High
CubeCart index.php Cross-Site Scripting | High
CuteNews index.php Cross-Site Scripting | High
CuteNews Multiple Cross-Site Scripting | High
Sun Cobalt RaQ Control Panel Cross-Site Scripting | High
Sun ONE Web Server Search Cross-Site Scripting | High
IBM WebSphere ".." Cross-Site Scripting | High
Datalife Engine Cross-Site Scripting in Path | High
DirectAdmin CMD_DB_VIEW Cross-Site Scripting | High
DirectAdmin CMD_DOMAIN Cross-Site Scripting | High
DocMGR history.php Cross-Site Scripting | High
Dojo Multiple Cross-Site Scripting | High
Dojo Toolkit Multiple Cross-Site Scripting | High
DOM-Based Cross-Site Scripting | High
Dotclear Multiple Cross-Site Scripting | High
DotNetNuke InstallWizard.aspx Cross-Site Scripting | High
Edit-X CMS index.php Cross-Site Scripting | High
eFront Multiple Cross-Site Scripting | High
Elastix Multiple Cross-Site Scripting | High
Elxis Multiple Cross-Site Scripting | High
ePublisher WebWorks Help Cross-Site Scripting | High
Etomite index.php Cross-Site Scripting | High
FirePass 4100 SSL VPN Multiple Cross-Site Scripting | High
FireStats Multiple Cross-Site Scripting | High
Host Allows Flash Access from Any Domain | High
Flash Tag Cloud control for ASP.NET Cross-Site Scripting | High
FortiMail admin.fe Cross-Site Scripting | High
FotoWeb Multiple Cross-Site Scripting | High
FreeNAS index.php Cross-Site Scripting | High
FuseTalk Multiple Cross-Site Scripting (Version 3.2) | High
Geeklog profiles.php Cross-Site Scripting | High
GlassFish Administration Console Cross-Site Scripting | High
Glassfish Multiple Cross-Site Scripting | High
Stored Cross-Site Scripting | High
GWExtranet Multiple Cross-Site Scripting | High
Habari Multiple Cross-Site Scripting | High
Helm Web Hosting Control Panel Multiple Cross-Site Scripting | High
Horde Application Framework icon_browser.php Cross-Site Scripting | High
Horde IMP fetchmailprefs.php Cross-Site Scripting | High
Horde Webmail addevent.php Cross-Site Scripting | High
HP Insight Management Agents Cross-Site Scripting | High
HP System Management Homepage Cross-Site Scripting | High
H-Sphere actions.php Cross-Site Scripting | High
H-Sphere login.php Cross-Site Scripting | High
IBM BladeCenter Advanced Management Module Multiple Cross-Site Scripting | High
IBM BladeCenter Advanced Management Module Cross-Site Scripting | High
IBM ENOVIA SmarTeam V5 LoginPage.aspx Cross-Site Scripting | High
IBM HTTP Server Expect Header Cross-Site Scripting | High
IBM Metrica Cross-Site Scripting | High
IBM OpenAdmin Tool for Informix index.php Cross-Site Scripting | High
IBM Proventia Network Mail Security System Cross-Site Scripting | High
IBM Rational Build Forge Cross-Site Scripting | High
IBM Tivoli Access Manager for e-business Cross-Site Scripting | High
IBM Tivoli Continuous Data Protection for Files FilepathLogin.html Cross-Site Scripting | High
IBM WebSphere Application Server Administration Console Multiple Cross-Site Scripting | High
IBM WebSphere Application Server Administration Console Cross-Site Scripting | High
IBM WebSphere Portal Server and Lotus Web Content Management Cross-Site Scripting | High
Microsoft IIS idc File Extension Cross-Site Scripting | High
ImpressCMS CSSTidy css_optimiser.php Cross-Site Scripting | High
iNet Orkut Clone profile_social.php Cross-Site Scripting | High
i-Web Suite default.asp Cross-Site Scripting | High
JavaBB member_list.jbb Cross-Site Scripting | High
JavaBB pm.externalSend.jbb Cross-Site Scripting | High
Jetty Cross-Site Scripting in Path | High
JEUS url.jsp Cross-Site Scripting | High
Client-Side Storage Cross-Site Scripting | Informational
Client-Side Storage Poisoning | Informational
Web Worker Script URL Manipulation | Low
Juniper IVE Cross-Site Scripting | High
Kayako eSupport index.php Cross-Site Scripting | High
KnowledgeTree Multiple Cross-Site Scripting | High
LiveZilla server.php Cross-Site Scripting | High
@mail Webmail Client index.php Cross-Site Scripting | High
Mambo connector.php Cross-Site Scripting | High
Mambo Multiple Cross-Site Scripting (Version 4.6 RC1) | High
McAfee Network Security Manager Cross-Site Scripting | High
MemHT Portal admin.php Cross-Site Scripting | High
Microsoft Windows MHTML Cross-Site Scripting | Medium
Microsoft SharePoint 2007 Default.aspx Cross-Site Scripting | High
Microsoft SharePoint Server / SharePoint Services help.aspx Cross-Site Scripting | High
MKPortal handler_image.php Cross-Site Scripting | High
MODx index.php Cross-Site Scripting (V2.0.2-pl) | High
MoinMoin Despam Cross-Site Scripting | High
MoinMoin Cross-Site Scripting | High
Mollify index.php Cross-Site Scripting | High
Moodle phpcoverage.remote.top.inc.php Cross-Site Scripting | High
Movable Type MT-Cumulus Plugin tagcloud.swf Cross-Site Scripting | High
MyBB generic_error.php Cross-Site Scripting | High
MyBB managegroup.php Cross-Site Scripting | High
MyBB moderation.php Cross-Site Scripting | High
MyBB Multiple Cross-Site Scripting (Versions Below 1.6.1) | High
NextAge Shopping Cart Software index.php Cross-Site Scripting | High
Nikira Fraud Management System "prompt" Cross-Site Scripting | High
Novell Open Enterprise Server QuickFinder Multiple Cross-Site Scripting | High
Novell Teaming Cross-Site Scripting | High
Onyx Multiple Cross-Site Scripting | High
Open Blog Multiple Cross-Site Scripting | High
Open Text ECM Multiple Cross-Site Scripting | High
Open Virtual Desktop Session Manager Cross-Site Scripting | High
Oracle Application Server 10g login.jsp Cross-Site Scripting | High
Oracle Application Server login.jsp Cross-Site Scripting | High
Oracle Application Server welcomeuser.jsp Cross-Site Scripting | High
Oracle Forms ifcgi60.exe Cross-Site Scripting | High
Oracle Fusion Middleware Products Cross-Site Scripting | High
Oracle Portal 10g Cross-Site Scripting | High
Oracle Siebel Loyalty Management start.swe Cross-Site Scripting | High
Orion Network Performance Monitor Multiple Cross-Site Scripting | High
osCommerce "page" Parameter Cross-Site Scripting | High
OSSIM Cross-Site Scripting in Path | High
osTicket ajax.php Cross-Site Scripting | High
pfSense Multiple Cross-Site Scripting | High
Phorum admin.php Cross-Site Scripting (5.1.19 and Below) | High
Phorum Multiple Cross-Site Scripting | High
Phorum posting.php Cross-Site Scripting | High
PHP Album main.php Cross-Site Scripting | High
phpFreeChat Multiple Cross-Site Scripting | High
PHP iCalendar Multiple Cross-Site Scripting | High
PHPShop register.html Cross-Site Scripting | High
PhpWebGallery isadmin.inc.php Cross-Site Scripting | High
Pimcore Cross-Site Scripting | High
PivotX Multiple Cross-Site Scripting | High
Pligg login.php Cross-Site Scripting | High
Pligg Search Cross-Site Scripting | High
Pligg user.php Cross-Site Scripting | High
PowerEasy SiteWeaver User_ChkLogin.asp Cross-Site Scripting | High
Project Woodstock UTF-7 "404 Page Not Found" Cross-Site Scripting | High
Q-Shop search.asp Cross-Site Scripting | High
Cross-Site Scripting Using Malicious RSS Feed Inclusion | High
RunCms magpie_debug.php Cross-Site Scripting | High
SAP NetWeaver administration_setup.jsp Cross-Site Scripting | High
SAP NetWeaver container.jsp Cross-Site Scripting | High
SAP Products Cfolders Engine Multiple Cross-Site Scripting | High
Saurus CMS edit.php Cross-Site Scripting | High
Sawmill Multiple Cross-Site Scripting | High
Scratcher projects.php Cross-Site Scripting | High
Serendipity Freetag Plugin Cross-Site Scripting | High
Serendipity serendipity_admin_image_selector.php Cross-Site Scripting | High
Serendipity serendipity_admin.php Cross-Site Scripting | High
SilverStripe form.php Cross-Site Scripting | High
Simple PHP Blog comment_add_cgi.php Cross-Site Scripting | High
sNews Cross-Site Scripting | High
Snitz Forums 2000 pop_send_to_friend.asp Cross-Site Scripting | High
Sphider search.php Cross-Site Scripting | High
SPIP spip.php Cross-Site Scripting | High
Splunk segmentation_performance Cross-Site Scripting | High
Sparta Systems TrackWise TeamAccess Multiple Cross-Site Scripting in Path | High
Sun Java System Calendar Server Multiple Cross-Site Scripting | High
Sun Java Web Server Expect Header Cross-Site Scripting | High
Swiki Cross-Site Scripting in Path | High
TemaTres Multiple Cross-Site Scripting | High
TikiWiki CMS/Groupware Multiple Cross-Site Scripting in Path | High
Tiki Wiki CMS Groupware tiki-edit_wiki_section.php Cross-Site Scripting | High
Tmax Soft JEUS url.jsp Cross-Site Scripting | High
Todoyu test.php Cross-Site Scripting | High
TWiki Multiple Cross-Site Scripting | High
Twiki Multiple Cross-Site Scripting (Versions Below 5.0.2) | High
TWiki Multiple Cross-Site Scripting (V5.0.2) | High
TYPO3 Cumulus Tagcloud Extension tagcloud.swf Cross-Site Scripting | High
vBulletin index.php Cross-Site Scripting | High
vBulletin Multiple Cross-Site Scripting (Version 4.0.2) | High
VideoSearchScript index.php Cross-Site Scripting | High
VirtueMart Multiple Cross-Site Scripting | High
vtiger CRM index.php Cross-Site Scripting (V5.2.1) | High
WampServer index.php Cross-Site Scripting | High
WeBid confirm.php Cross-Site Scripting | High
webSPELL Multiple Cross-Site Scripting | High
WebSphere Multiple Cross-Site Scripting in Administrative Console | High
WebSVN Cross-Site Scripting in Path | High
Wolf CMS Multiple Cross-Site Scripting | High
WoltLab Burning Board dereferrer.php Cross-Site Scripting | High
WordPress All-in-One Event Calendar Plugin Multiple Cross-Site Scripting | High
WordPress Cover WP Theme Cross-Site Scripting | High
WordPress Daily Maui Photo Widget Plugin wp-dailymaui-widget-control.php Cross-Site Scripting | High
WordPress (via Genericons Package) DOM-Based Cross-Site Scripting | High
WordPress FeedList Plugin handler_image.php Cross-Site Scripting | High
WordPress Multiple base64 Redirect Cross-Site Scripting | High
WordPress MU wpmu-blogs.php Cross-Site Scripting | High
WordPress NextGEN Gallery Plugin media-rss.php Cross-Site Scripting | High
WordPress Organizer Plugin admin.php Cross-Site Scripting | High
WordPress Twitter Feed Plugin magpie_debug.php Cross-Site Scripting | High
WordPress Whois Search Plugin wp-whois-ajax.php Cross-Site Scripting | High
WordPress WP Comment Remix Plugin Cross-Site Scripting | High
DISTINCT | High
WordPress WP Photo Album Plugin wppa.php Cross-Site Scripting | High
WordPress WP-StarsRateBox Plugin wp-starsratebox.php Cross-Site Scripting | High
WordPress WP Survey And Quiz Tool Plugin create.php Cross-Site Scripting | High
WordPress WP-UserOnline Plugin Cross-Site Scripting | High
WordPress WP Featured Post with Thumbnail Plugin timthumb.php Cross-Site Scripting | High
WordPress Pretty Link Lite Plugin pretty-bar.php Cross-Site Scripting | High
Xerox DocuShare Multiple Cross-Site Scripting in Path | High
Xoops formdhtmltextarea_preview.php Cross-Site Scripting | High
Cross-Site Scripting Through Remote File Inclusion | High
xt:Commerce advanced_search_result.php Cross-Site Scripting | High
zenphoto admin.php Cross-Site Scripting | High
zenphoto Multiple Cross-Site Scripting | High
Zeus vs_diag.cgi Cross-Site Scripting | High
Zikula Application Framework index.php Cross-Site Scripting | High
Zikula Application Framework Multiple Cross-Site Scripting | High
WordPress All In One WP Security Plugin aiowpsec.php Cross-Site Scripting | High
WordPress Display Widgets Plugin admin-ajax.php Cross-Site Scripting | High
WordPress Subscribe To Comments Reloaded Plugin options-general.php Cross-Site Scripting | High
WordPress Kiwi Logo Carousel Plugin kiwi_logo_carousel_admin.php Cross-Site Scripting | High
WordPress WP Google Fonts Plugin google-fonts.php Cross-Site Scripting | High
WordPress Google Language Translator Plugin google-language-translator.php Cross-Site Scripting | High
WordPress WP-Crontrol Plugin wp-crontrol.php Cross-Site Scripting | High
WordPress Manual Image Crop Plugin manual-image-crop.php Cross-Site Scripting | High
WordPress Easy Coming Soon Plugin desing_page_setting.php Cross-Site Scripting | High
WordPress Sound Cloud Is Gold Plugin sound-cloud-gold-functions.php Cross-Site Scripting | High
WordPress Broken Link Manager Plugin functions.php Cross-Site Scripting | High
WordPress Email Encoder bundle Plugin email-encoder-bundle.php Cross-Site Scripting | High
WordPress Olevmedia Shortcodes Plugin interface.php Cross-Site Scripting | High
WordPress Simple Fields Plugin simple_fields.php Cross-Site Scripting | High
WordPress Crazy Bone Plugin Cross-Site Scripting | High
SRI (Subresource Integrity) Check | Low
IPSwitch Imail Imonitor Denial of Service | High
Allaire ColdFusion Source Code Disclosure and Denial of Service | High
Sun Java System Calendar Server Denial of Service | High
Apache Tomcat Directory Listing Using URL Encoding | Medium
CVS Directory Browsing | Medium
Directory Listing | Medium
Microsoft IIS Bdir.htr Directory Listing | Medium
RCS Directory Browsing | Medium
Microsoft FrontPage Directory Listing | Medium
BEA WebLogic URL Spoofing Directory Listing | Medium
MacOS X Finder Apache Directory Contents Disclosure | Medium
Directory Listing Pattern Found | Low
IBM WebSphere Application Server Directory Listing | Medium
Server-Side JavaScript Directory Listing | Medium
Format String Remote Command Execution | High
HTTP Response Splitting | Medium
Stored Response Splitting | Medium
Aardvark Topsites PHP Directory Listing | Low
Adobe ColdFusion MX Path Disclosure | Low
AMFPHP Service Browser Public Access | Low
Apache access_log Information Disclosure | Low
Apache error_log Information Disclosure | Low
Apache JServ Environment Status Information Disclosure | Low
Apache Multiviews Attack | Low
Apache PHP Source Code Disclosure | Low
Apache server-info Information Disclosure | Low
Apache server-status Information Disclosure | Low
Apache stronghold-info Information Disclosure | Low
Apache stronghold-status Information Disclosure | Low
Apache Tomcat Invalid Character Path Disclosure | Low
ASP.NET Custom Error Path Disclosure | Low
ASP.NET Project Conversion Report Detected | Low
Alternate Version of File Detected | Low
Cacheable Login Page Found | Low
Cacheable SSL Page Found | Low
Cart32 Information Disclosure, Privilege Escalation and Denial of Service | Low
ColdFusion Debug Mode Information Gathering | Low
Global.asa File Sensitive Information Retrieval | Low
Hidden Directory Detected | Low
NT and IIS Alternate Data Streams | Low
Microsoft FrontPage Configuration Information Disclosure | Low
Microsoft FrontPage Server Extensions Sensitive Information Disclosure | Low
OpenSSL TLS Heartbeat Buffer Over-read (aka Heartbleed Bug) | High
Encryption Not Enforced | Low
Microsoft IIS "Translate: f" Source Code Disclosure | Low
Improper Lotus Domino Administration Database Access | Low
iScouter PHP Web Portal MySQL Password Retrieval | Low
JavaScript Hijacking | Low
Client-Side (JavaScript) Cookie References | Informational
Lotus Domino Web Application Access Control Bypass | Low
Lotus Domino Database Information Gathering | Low
Microsoft IIS 4.0 Unauthorized Database Access | Low
Talentsoft WebPlus Server Source Code Disclosure and Information Disclosure | Low
IBM Net.Data Internal Variables Display | Low
Oracle Application Server Script/perl Directory Mapping Source Code Disclosure | Low
Application Input Restriction Bypass | Low
Application Logic Subversion | Informational
Error Page Path Disclosure | Low
Padding Oracle On Downgraded Legacy Encryption (aka POODLE) | Medium
Missing HttpOnly Attribute in Session Cookie | Low
Missing Secure Attribute in Encrypted Session (SSL) Cookie | Medium
Robots.txt File Web Site Structure Exposure | Low
HTML Comments Sensitive Information Disclosure | Informational
Unencrypted Sensitive Data | Low
.NET Solution File Download | Low
WS_FTP.log File Analysis Source Code Disclosure | Low
Temporary Directory Found | Low
Unauthorized Java Servlet Source Code Access | Low
Application Error | Informational
Unencrypted __VIEWSTATE Parameter | Low
Xitami Web Server Information Disclosure | Low
PHP phpinfo.php Information Disclosure | Low
Bash Shell History File Retrieval | Low
BEA Aqualogic Information Disclosure in HTML Comments | Low
BEA WebLogic weblogic.xml Information Disclosure | Low
Body Parameters Accepted in Query | Low
CMME Backup File Download | Low
Cobalt RaQ Information Disclosure | Low
Compressed Directory Found | Low
Concrete5 Path Disclosure | Low
Missing "Content-Security-Policy" Header | Low
Missing "X-Content-Type-Options" Header | Low
Overly Permissive CORS Access Test | Low
Apache AXIS Sample Servlet Information Disclosure | Low
Include File Source Code Disclosure | Low
Microsoft FrontPage Server Extensions Machine Name Disclosure | Low
Global.asa and Global.asax Backup Copy Retrieval | Low
IIS Global.asa and Global.asax Retrieval | Low
Web Server Access Control File Improper Permission Settings | Low
Microsoft IIS with .NET Path Disclosure | Low
Microsoft ASP.NET "Application Trace" Information Disclosure | Low
Microsoft IIS Sample Application Physical Path Disclosure | Low
Oracle Application Server 9i PORTAL_DEMO.ORG_CHART SQL Injection | Low
Oracle Java Process Manager Unauthorized Access | Low
Apache Tomcat Example Servlet Path Disclosure | Low
Microsoft FrontPage "_vti_cnf" Information Disclosure | Low
Web.config File Configuration Settings Disclosure | Low
BEA WebLogic Server Version Exposure | Low
WS_FTP.LOG Information Disclosure | Low
Zope Additems Script Environment Information Disclosure | Low
Zope Server Empty Upload Information Disclosure | Low
SSL Certificate Issued by DigiNotar Is Vulnerable | Low
.NET CS File Download | Low
.NET output-build.txt File Detected | Low
.NET VB File Download | Low
Drupal "keys" Path Disclosure | Low
Flash Source Code Disclosure | Low
Microsoft FrontPage Server Extensions Authoring Log Information Disclosure | Low
Apache Default Installation Page Pattern Found | Informational
Autocomplete HTML Attribute Not Disabled for Password Field | Low
Credit Card Number Pattern Found (American Express) | Low
Credit Card Number Pattern Found over Unencrypted Connection (American Express) | Low
Credit Card Number Pattern Found (Diners Club) | Low
Credit Card Number Pattern Found over Unencrypted Connection (Diners Club) | Low
Credit Card Number Pattern Found (Discover) | Low
Credit Card Number Pattern Found over Unencrypted Connection (Discover) | Low
Credit Card Number Pattern Found (MasterCard) | Low
Credit Card Number Pattern Found over Unencrypted Connection (MasterCard) | Low
Credit Card Number Pattern Found | Low
Credit Card Number Pattern Found over Unencrypted Connection | Low
Credit Card Number Pattern Found (Visa) | Low
Credit Card Number Pattern Found over Unencrypted Connection (Visa) | Low
Email Address Pattern Found | Informational
IIS Default Installation Page Pattern Found | Informational
Internal IP Disclosure Pattern Found | Informational
iPlanet Default Installation Page Pattern Found | Informational
Possible Server Path Disclosure Pattern Found | Informational
Sensitive File Found | Informational
Web Application Source Code Disclosure Pattern Found | Low
Social Security Number Pattern Found | Low
Social Security Number Pattern Found over Unencrypted Connection | Low
Query Parameter in SSL Request | Low
Google Sitemap File Detected | Low
HP Insight Management Agents Path Disclosure | Low
Missing HTTP Strict-Transport-Security Header | Low
IBM BladeCenter Advanced Management Module Information Disclosure | Low
IBM WebSphere Application Server File Disclosure | Low
IBM WebSphere Configuration Information Disclosure | Low
IBM WebSphere Debug Mode Enabled | Low
IBM WebSphere Documentation Found | Low
IBM WebSphere Password Stored in Clear Text | Low
IBM WebSphere plugin-cfg.xml Information Disclosure | Low
Webalizer Usage Statistics Disclosure | Low
JBoss Null Byte JSP Source Code Disclosure | Low
Lotus Domino ?ReadEntries Information Disclosure | Low
Microsoft Active Server Pages Information Disclosure | Low
Microsoft ASP.NET Debugging Enabled | Low
Microsoft FrontPage Server Extensions Task List Found | Low
Microsoft IIS servervariables_vbscript.asp Information Disclosure | Low
Microsoft IIS Missing Host Header Information Disclosure | Low
MyBB Multiple Path Disclosure | Low
Netscape Server Configuration Information Disclosure | Low
Oracle Error Log Found | Low
Oracle Log File Information Disclosure | Low
Oracle Reports Server XML File Download | Low
Internal IP Disclosure Pattern Found in Parameter Value | Low
Social Security Number Pattern Found in Parameter Value | Low
Password Parameter in Query | High
Path Disclosure in Various PHP-Based Applications | Low
PHP-CGI Query String Vulnerability | High
PHPShop Path Disclosure | Low
Potential Order Information Found | Low
Potential Registration Information Found | Low
Resin "viewfile" Servlet File Download | Low
Resin "viewfile" Servlet Path Disclosure | Low
Sun Java Application Server Path Disclosure | Low
TYPO3 Cumulus Tagcloud Extension Path Disclosure | Low
VBS File Source Disclosure | Low
ViArt Shopping Cart Path Disclosure | Low
Missing Cross-Frame Scripting Defence | Low
Missing "X-XSS-Protection" Header | Low
Zen Cart curltest.php Local File Inclusion | Low
Privacy | Low
Unsafe Indexing | Medium
Lotus Domino Web Server File Retrieval | High
Netscape Administration Server Password Retrieval | High
HTTP PUT Method Site Defacement | High
Authentication Bypass Using HTTP Verb Tampering | Medium
Authentication Bypass Using SQL Injection | High
Macromedia Dreamweaver Remote Database Unauthorized Access | High
Netscape Enterprise Server/Sun ONE Unauthorized Administrative Privileges and Denial of Service | High
JBoss Java Management Extensions Console Authentication Bypass | High
Privilege Escalation Using Unauthenticated User | High
Privilege Escalation Using Under-Privileged User | High
Apache Tomcat Context Administration Tool Unprivileged Access | Medium
Banner Rotating 01 Privilege Escalation | Medium
Possible Vertical Privilege Escalation via Cookie Manipulation | Low
Microsoft FrontPage Extensions Site Defacement | Medium
Webevent Administration Used for Application Flow Subversion | Medium
BEA WebLogic Administration Interface | Medium
Microsoft FrontPage Server Extensions Administration Interface | Medium
Oracle Application Server Administration Interface | Medium
Permanent Cookie Contains Sensitive Session Information | Low
Session Not Invalidated After Logout | High
Unencrypted Login Request | High
Unencrypted Basic Authentication | High
SSL Certificate About to Expire | Informational
SSL Certificate Expired | Informational
SSL Certificate Not Yet Valid | Informational
SSL Certificate Domain Name Mismatch | Informational
Self-Signed SSL Certificate Found | Informational
Integer Overflow | Informational
LDAP Injection | High
SMTP MX Injection | High
Notification Phishing | Low
Poison Null Byte Windows File Retrieval | High
Poison Null Byte Unix File Retrieval | High
Ajax File and Image Manager PHP Code Injection | High
Apache Struts 2 "includeParams" Remote Command Execution | High
Alibaba Web Server File Download and Remote Command Execution | High
Parameter System Call Code Injection | High
Microsoft IIS Unicode Directory Traversal | High
File Parameter Shell Command Injection | High
FormNow CGI Shell Command Execution | High
Java Marshalling Code Execution | High
Apache Struts2 Remote Code Execution | High
Nimda Worm Remote Command Execution | High
Oracle Web Listener Remote Command Execution | High
Perl-Evaluated Parameter Shell Command Injection | High
Perl Interpreter Script Arbitrary Command Execution | High
PHF CGI Remote Command Execution | High
Port Listener Command Injection | High
UtilMind Maillist.cgi Remote Command Execution | High
DotNetNuke BDPDT Module Command Execution | High
Remote Code Execution | High
Unsafe Reflection | High
Movable Type (MT) Upgrade Script Code Execution and SQL Injection | High
Remote Command Execution via Bash (aka Shellshock, aka Bashdoor) | High
VirtueMart index.php Command Execution | High
WordPress theme.php Command Execution | High
Adobe ColdFusion Multiple Path Traversal | Medium
Apache MyFaces "javax.faces.resource" Path Traversal | Medium
IIS IDQ.DLL Directory Traversal | Medium
Allaire JRun 2.3.X Sample Source Code Disclosure | Medium
BigBrother Remote File Download | Medium
Directory Traversal Arbitrary File Download | Medium
Unix File Parameter Alteration | Medium
Windows File Parameter Alteration | Medium
Htgrep File Content Retrieval | Medium
Caucho Resin Path Traversal | Medium
Sun ONE/iPlanet Administration Server Directory Traversal | Medium
Dokeos authldap.php Path Traversal | Medium
Dokeos testheaderpage.php Path Traversal | Medium
eFront language.php Path Traversal | Medium
Etomite index.php Path Traversal | Medium
Exponent CMS download.php Path Traversal | Medium
F5 Data Manager Multiple Path Traversal | Medium
Path Traversal | Medium
IBM BladeCenter Advanced Management Module cindefn.php Path Traversal | Medium
IBM Tivoli Access Manager for e-business Path Traversal | Medium
Jcow index.php Path Traversal | Medium
Joomla! AllVideos Plugin download.php Path Traversal | Medium
Joomla Canteen Component index.php Path Traversal | Medium
Joomla ccNewsletter Component index.php Path Traversal | Medium
Joomla Dione Form Wizard Component index.php Path Traversal | Medium
Joomla! GCalendar Component index.php Path Traversal | Medium
Joomla! Graphics Component index.php Path Traversal | Medium
Joomla! Highslide JS Component index.php Path Traversal | Medium
Joomla! ionFiles Component download.php Path Traversal | Medium
Joomla JGrid Component index.php Path Traversal | Medium
Joomla MyBlog Component index.php Path Traversal | Medium
Joomla! PicSell Component index.php Path Traversal | Medium
Joomla Pro Desk Component index.php Path Traversal | Medium
Joomla! SmartSite Component index.php Path Traversal | Medium
JSPWiki Edit.jsp Path Traversal | Medium
LineWeb index.php Path Traversal | Medium
MODx tvs.php Path Traversal | Medium
Namazu Path Traversal | Medium
Netscape Server Arbitrary File Download | Medium
phpList index.php Path Traversal (V2.10.8) | Medium
PhpWebGallery Multiple Path Traversal | Medium
PostNuke Directory Traversal | Medium
SAP Crystal Reports Server Path Traversal | Medium
sendcard Path Traversal | Medium
Sugar Sales Path Traversal | Medium
Sugar Suite acceptDecline.php Path Traversal | Medium
TANDBERG Video Communication Server Path Traversal | Medium
Tiki Wiki CMS Groupware tiki-jsplugin.php Path Traversal | Medium
TomatoCart json.php Path Traversal | Medium
VirtueMart Multiple Path Traversal | Medium
Vivvo CMS files.php File Retrieval | Medium
vtiger CRM Multiple Path Traversal | Medium
WeBid active_auctions.php Path Traversal | Medium
Winmail Server main.php Path Traversal | Medium
WoltLab Burning Board index.php Path Disclosure | Medium
WordPress SEO Tools Plugin get_download.php Path Traversal | Medium
Xoops Multiple Path Traversal (Version 2.3.x) | Medium
Zen Cart initsystem.php Path Traversal | Medium
Zen Cart Multiple Path Traversal | Medium
Application Test Script Detected | Informational
Archive File Download | Low
Visual Studio .NET File Download | Low
Include File Download | Low
Temporary File Download | Low
Direct Access to Administration Pages | Low
Ariadne CMS view.php Remote File Inclusion | High
AWStats PHP Command Execution | High
CMME Information Disclosure | High
Drake CMS PHP Remote File Inclusion | High
Joomla AjaxChat Component Remote File Inclusion | High
Joomla Dada Mail Manager Component config.dadamail.php Remote File Inclusion | High
Joomla! index.php Remote File Inclusion | High
Joomla VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion | High
JSP File Inclusion | High
Posting Through Remote File Inclusion Issue | High
phpPgAdmin redirect.php Remote File Inclusion | High
PHP Remote File Inclusion | High
PHP Remote File Inclusion on Cookie | High
Apache Struts2 ClassLoader Manipulation | High
VirtueMart Multiple Remote File Inclusion | High
XOOPS Multiple PHP Code Injection | High
ZeroBoard Multiple Remote File Inclusion | High
Alternate Chained Certificate Forgery | Medium
Browser Exploit Against SSL/TLS (aka BEAST) | Informational
Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (aka BREACH) | Medium
Deprecated SSL Version Supported | Medium
Decrypting RSA with Obsolete and Weakened eNcryption (aka DROWN) | High
Factoring RSA Export Keys (aka FREAK) | Medium
Logjam (Diffie-Hellman Key Exchange Downgrade) | Medium
RC4 Cipher Suites Detected | Medium
SHA-1 Cipher Suites Detected | Medium
Weak SSL Cipher Suites Supported | Medium
Source IP Exposed | Medium
External Session Identifier Enforcement | High
Session Identifier Not Updated | Medium
Session Fixation | High
AdMan editCampaign.php SQL Injection | High
ASPPortal reply.asp SQL Injection | High
aspProductCatalog default.asp SQL Injection | High
Blind SQL Injection | High
Client-Side (JavaScript) SQL Query Construction | Informational
MongoDB NoSQL Injection | High
SQL Injection Command Execution | High
Oracle Application Server PL/SQL Unauthorized SQL Query Execution | High
SQL Injection | High
SQL Query in Parameter Value | Informational
bitweaver Multiple SQL Injection | High
ClipBucket Multiple SQL Injection | High
ClipShare channel_detail.php SQL Injection | High
Concrete5 SQL Injection | High
CubeCart index.php SQL Injection | High
CyberBuild Multiple SQL Injection | High
DoceboCMS Accept-Language Header SQL Injection | High
Dolphin get_list.php SQL Injection | High
dotProject index.php SQL Injection | High
Drupal Ajax Checklist Module SQL Injection | High
e107 Forum Plugin forum_admin.php SQL Injection | High
e107 Lyrics Plugin lyrics_song.php SQL Injection | High
e107 Multiple SQL Injection | High
e107 User Journals Plugin userjournals.php SQL Injection | High
e107 ZoGo-Shop Plugin product_details.php SQL Injection | High
easyLink detail.php SQL Injection | High
ECShop search.php SQL Injection | High
eFront Multiple SQL Injection | High
Etomite index.php SQL Injection (V1.1) | High
Fusetalk Multiple SQL Injection | High
GForge Multiple SQL Injection | High
glFusion Cookie SQL Injection | High
Database Error Pattern Found | Low
iNet Orkut Clone profile_social.php SQL Injection | High
Joomla! Barter Component SQL Injection | High
Joomla! Comlantis Visitors Google Map Component map_data.php SQL Injection | High
Joomla! Media Mall Factory Component index.php SQL Injection | High
Joomla! Multiple SQL Injection | High
Joomla redSHOP Component index.php SQL Injection | High
Joomla! TimeTrack Component index.php SQL Injection | High
Client-Side SQL Injection | Informational
lighttpd SQL Injection and Path Traversal Vulnerabilities | High
MDPro My_eGallery Module index.php SQL Injection | High
MemHT Portal index.php SQL Injection | High
miniBB index.php SQL Injection | High
ModernBill user.php SQL Injection | High
MODx "a" Parameter (index.php) SQL Injection | High
MODx "id" Parameter (index.php) SQL Injection | High
Multiple Joomla! Components SQL Injection | High
MyBB managegroup.php SQL Injection | High
MyBB Multiple SQL Injection | High
MyBB private.php SQL Injection | High
Nuke-Evolution modules.php SQL Injection | High
OneCMS staff.php SQL Injection | High
Oracle Application Server SQL Injection | High
osTicket ajax.php SQL Injection | High
paFileDB articles.php SQL Injection | High
PhotoStore Multiple SQL Injection | High
phpBB memberlist.php SQL Injection | High
phpFaber TopSites index.php SQL Injection | High
PHP-Fusion Book Panel Infusion books.php SQL Injection | High
PHP-Fusion Recepies Module recept.php SQL Injection | High
PHP-Fusion vArcade Module SQL Injection | High
PHPList Mailing List Manager SQL Injection | High
PHP-Nuke BookCatalog Module modules.php SQL Injection | High
PHP-Nuke Downloads Module SQL Injection | High
PHP Pro Bid categories.php SQL Injection | High
phpWebSite links.php SQL Injection | High
MongoDB Probing | High
PunBB search.php SQL Injection | High
Q-Shop users.asp SQL Injection | High
Scratcher projects.php SQL Injection | High
Serendipity serendipity_admin.php SQL Injection | High
Simple Machines Forum Seo4SMF Mod SQL Injection | High
SimpleNews print.php SQL Injection | High
SourceBans index.php SQL Injection | High
SugarCRM index.php SQL Injection | High
Sugar Sales index.php SQL Injection | High
SweetRice index.php SQL Injection | High
vBulletin attachmentpermission.php SQL Injection | High
VirtueMart Multiple SQL Injection | High
webSPELL getlang.php SQL Injection | High
WikkaWiki "/UserSettings" SQL Injection | High
WordPress Count Per Day Plugin notes.php SQL Injection | High
WordPress Newsletter Plugin stnl_iframe.php SQL Injection | High
WordPress "p" SQL Injection | High
WordPress Search Function SQL Injection | High
WordPress WP Comment Remix Plugin SQL Injection | High
WordPress WP e-Commerce Plugin SQL Injection | High
WordPress WP Forum Server Plugin feed.php SQL Injection | High
WordPress WP-StarsRateBox Plugin wp-starsratebox.php SQL Injection | High
WordPress Community Events Plugin tracker.php SQL Injection | High
WordPress Filebase Plugin wpfb-ajax.php SQL Injection | High
xbtit index.php SQL Injection | High
Xoops Article Module Multiple SQL Injection | High
XOOPS Makale Module makale.php SQL Injection | High
zenphoto full-image.php SQL Injection | High
Server-Side Directive File Retrieval | High
Link to Non-Existent Domain Found | High
Phishing Through URL Redirection | High
Comm100 Forum Redirect.aspx URL Redirection | High
Dojo Toolkit URL Redirection | High
HP System Management Homepage "RedirectUrl" Parameter URL Redirection | High
IBM WebSphere ibm_security_logout URL Redirection | High
Open Redirect | Medium
Juniper IVE URL Redirection | High
Microsoft Outlook Web Access for Exchange URL Redirection | High
Microsoft SharePoint URL Redirection | High
OSSIM index.php URL Redirection | High
WoltLab Burning Board dereferrer.php URL Redirection | High
Protocol Manipulation | High
XML External Entity File Disclosure | High
Apache AXIS XML External Entity File Retrieval | High
XML Injection | Medium
XPath Injection | Medium
Detailed Remediation Tasks
High-priority remediation tasks
Medium-priority remediation tasks
Low-priority remediation tasks
Set the "autocomplete" attribute correctly to "off" (1)
If the "autocomplete" attribute is missing from the "password" field of the "input" element, add it and set it to "off".
If the "autocomplete" attribute is set to "on", change it to "off".
Example. Vulnerable site:
<form action="AppScan.html" method="get">
Username:<input type="text" name="firstname" /><br />
Password:<input type="password" name="lastname" />
<input type="submit" value="Submit" />
</form>
Non-vulnerable site:
<form action="AppScan.html" method="get">
Username:<input type="text" name="firstname" /><br />
Password:<input type="password" name="lastname" autocomplete="off" />
<input type="submit" value="Submit" />
</form>
Variables to fix
Type | Name | URL
Page | tologin | http://10.1.20.137:8085/tologin
Associated issue types
Issue type | Count | Severity
HTML attribute "autocomplete" not disabled for password field | 1 | Low
Configure your server to use the "Content-Security-Policy" header (5)
Configure your server to send the "Content-Security-Policy" header. For Apache, see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
For IIS, see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx
For nginx, see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html
Variables to fix
Type | Name | URL
Page | respond.min.js | http://10.1.20.137:8085/js/respond.min.js
Page | footer.js | http://10.1.20.137:8085/js/footer.js
Page | header.js | http://10.1.20.137:8085/js/header.js
Page | bootstrap.min.js | http://10.1.20.137:8085/js/bootstrap.min.js
Page | jquery.toaster.js | http://10.1.20.137:8085/js/jquery.toaster.js
Associated issue types
Issue type | Count | Severity
Missing "Content-Security-Policy" header | 5 | Low
Configure your server to use the "X-Content-Type-Options" header (5)
Configure your server to send the "X-Content-Type-Options" header with the value "nosniff" on all outgoing responses. For Apache, see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
For IIS, see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx
For nginx, see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html
Variables to fix
Type | Name | URL
Page | respond.min.js | http://10.1.20.137:8085/js/respond.min.js
Page | footer.js | http://10.1.20.137:8085/js/footer.js
Page | header.js | http://10.1.20.137:8085/js/header.js
Page | bootstrap.min.js | http://10.1.20.137:8085/js/bootstrap.min.js
Page | jquery.toaster.js | http://10.1.20.137:8085/js/jquery.toaster.js
Associated issue types
Issue type | Count | Severity
Missing "X-Content-Type-Options" header | 5 | Low
Configure your server to use the "X-XSS-Protection" header (5)
Configure your server to send the "X-XSS-Protection" header with the value "1" (i.e. enabled) on all outgoing responses. For Apache, see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
For IIS, see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx
For nginx, see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html
Variables to fix
Type | Name | URL
Page | respond.min.js | http://10.1.20.137:8085/js/respond.min.js
Page | footer.js | http://10.1.20.137:8085/js/footer.js
Page | header.js | http://10.1.20.137:8085/js/header.js
Page | bootstrap.min.js | http://10.1.20.137:8085/js/bootstrap.min.js
Page | jquery.toaster.js | http://10.1.20.137:8085/js/jquery.toaster.js
Associated issue types
Issue type | Count | Severity
Missing "X-XSS-Protection" header | 5 | Low
Add Subresource Integrity (SRI) support to every third-party script/link element (2)
Add Subresource Integrity to every script/link whose source is not on your domain.
W3C Subresource Integrity:
https://www.w3.org/TR/SRI/
SRI hash generator:
https://srihash.org
Sample script element without SRI:
<script src="https://example.com/example-framework.js"
crossorigin="anonymous"></script>
Sample script element with SRI:
<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
Variables to fix
Type | Name | URL
Page | tologin | http://10.1.20.137:8085/tologin
Page | tomain | http://10.1.20.137:8085/tomain
Associated issue types
Issue type | Count | Severity
SRI (Subresource Integrity) check | 2 | Low
Disable WebDAV, or disallow unneeded HTTP methods (1)
If the server does not need to support WebDAV, make sure it is disabled, or disallow the unnecessary HTTP methods (verbs).
Variables to fix
Type | Name | URL
Page | / | http://10.1.20.137:8085/
Associated issue types
Issue type | Count | Severity
Insecure "OPTIONS" HTTP method enabled | 1 | Low
Application Data
Parameters
Name | Type | URL
Failed Requests
Reason | URL
Response status "404" - Not Found | http://10.1.20.137:8085/a
Response status "404" - Not Found | http://10.1.20.137:8085/Index/checkLogin
Response status "404" - Not Found | http://10.1.20.137:8085/feedback
Response status "404" - Not Found | http://10.1.20.137:8085/
Response status "400" - Bad Request | http://10.1.20.137:8085/js/jquery-2.1.4/target[
JavaScript
Script | URL
var rootUrl = '';
http://10.1.20.137:8085/tologin
$(function(){
    $("#but").click(function(){
        $.ajax({
            url:"/checkLogin",
            type:"post",
            dataType:"json",
            data:{
                "admin":$("#username").val(),
                "password":$("#login-password").val()
            },
            success:function(data){
                if(data.mess){
                    location.href="/tomain";
                }
                else{
                    $("#f1").html("用户名或密码输入错误");
                }
            },
            error:function(data){
                alert("请填写正确信息!!!");
            }
        });
    });
    /* Registration */
    /* First check whether the username already exists */
    var flag;
    $("#regadmin").blur(function(){
        $.ajax({
            url:"/checkRegister",
            type:"post",
            dataType:"json",
            data:{
                "admin":$("#regadmin").val()
            },
            success:function(data){
                if(data.mess){
                    flag=data.mess;
                    $("#f2").html("用户名已存在,请重新输入");
                }
            },
            error:function(data){
                alert("请填写正确信息!!!");
            }
        });
    }); /* the blur handler ends here; the captured script left it open, so the handlers below were only bound after a blur, and again on every blur */
    /* On focus */
    $("#regadmin").focus(function(){
        $("#f2").html("");
    });
    /* When the "get verification code" button is clicked */
    var hash;
    var tamp;
    var wait=60;
    $("#verify_refresh").click(function(){
        $.ajax({
            dataType:"json",
            type:"post",
            url:"/sendMsg",
            data:{"telephone":$("#telephone").val()},
            xhrFields: {
                withCredentials: true
            },
            success: function (data) {
                hash = data.hash;
                tamp = data.tamp;
            },
            error: function (data) {
                alert("请填写正确信息!!!");
            }
        });
    });
    /* Resend countdown */
    function setButtonStatus(that) {
        if (wait == 0) {
            that.removeAttribute("disabled");
            that.value="免费获取验证码";
            wait = 60;
        } else {
            that.setAttribute("disabled", true);
            that.value=wait+"秒后可以重新发送";
            wait--;
            setTimeout(function() {
                setButtonStatus(that);
            }, 1000);
        }
    }
    /* Register button click */
    $("#butregster").click(function(){
        $.ajax({
            dataType:"json",
            type:"post",
            url:"/validate",
            data:{
                "msgNum":$("#register-password").val(),/* verification code */
                "hash":hash,
                "tamp":tamp,
                "telphone":$("#telephone").val(),
                "admin":$("#regadmin").val(),/* username */
                "password":$("#registerPassword").val()/* password */
            },
            success: function (data) {
                if(data.flag){
                    location.href="/tologin";
                }else{
                    alert("验证码错误或超时");
                }
            },
            error: function (data) {
                alert("请填写正确信息!!!");
            }
        });
    });
});
http://10.1.20.137:8085/tologin
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-41774271-1', 'auto');
ga('send', 'pageview');
http://10.1.20.137:8085/tologin
$("#nav-index").addClass('active');
http://10.1.20.137:8085/tologin
return false;
http://10.1.20.137:8085/tologin
setButtonStatus(this)
http://10.1.20.137:8085/tologin
/**
* @preserve HTML5 Shiv 3.7.2 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed
*/
http://10.1.20.137:8085/js/html5shiv.min.js
/*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl
* Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT
*  */
http://10.1.20.137:8085/js/respond.min.js
/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */
http://10.1.20.137:8085/js/jquery.min.js
/**
 * Created by cpc on 12/27/15.
 */
function noticeInfo(content) {
    $.toaster({ title : content, priority : 'info', message : ')' });
}
function noticeWarning(content) {
    $.toaster({ title : content, priority : 'warning', message : '(' });
}
function sendEmail() {
    $.ajax({
        type: 'post',
        url: rootUrl+'/feedback/sendEmail',
        success: function() {}
    });
}
$(document).ready(function() {
    $('#send-feedback').click(function() {
        var content = $('#feedback-content').val().trim();
        if (content == '') {
            noticeWarning('反馈不能为空');
            return;
        }
        var data = {
            content: content
        };
        $.ajax({
            type: 'post',
            url: rootUrl+'/feedback',
            data: data,
            success: function(status) {
                if (status > 0) {
                    sendEmail();
                    noticeInfo('反馈成功');
                    $('#modal-feedback').modal('hide');
                } else if (status == 0) {
                    $.toaster({ title : '还没登录喔~', priority : 'danger', message : '(' });
                } else {
                    $.toaster({ title : '出错啦,请稍候再试~', priority : 'danger', message : '(' });
                }
            }
        });
    });
});
http://10.1.20.137:8085/js/footer.js
/**
 * Created by soujing on 12/27/15.
 */
$(document).ready(function() {
    $.get(
        rootUrl + "/Index/checkLogin",
        {},
        function(data){
            if(data){
                loginNav();
            }
            else{
                $(".logout").parent().remove();
            }
        }
    );
});
function loginNav(){
    $.get(
        rootUrl + "/User/getLoginInit",
        {},
        function(data){
            var mesNum = data['mes_num'];
            var userName = data['name'];
            var userIcon = data['icon'];
            var isRead = data['read'];
            if(mesNum != 0){
                var mesSpan = ' <span class="badge"> '+ mesNum + '</span>';
                $("#nav-messages").append(mesSpan);
            }
            if(!isRead){
                var redPoint = '<div class="red-point"></div>';
                $("#nav-notice").children("a").append(redPoint);
                $("#xs-nav-notice").children("a").append(redPoint);
            }
        }
    );
}
http://10.1.20.137:8085/js/header.js
/*!
* Bootstrap v3.3.5 (http://getbootstrap.com)
* Copyright 2011-2015 Twitter, Inc.
* Licensed under the MIT license
*/
http://10.1.20.137:8085/js/bootstrap.min.js
/***********************************************************************************
 * Add Array.indexOf                                                                *
 ***********************************************************************************/
(function ()
{
    if (typeof Array.prototype.indexOf !== 'function')
    {
        Array.prototype.indexOf = function(searchElement, fromIndex)
        {
            for (var i = (fromIndex || 0), j = this.length; i < j; i += 1)
            {
                if ((searchElement === undefined) || (searchElement === null))
                {
                    if (this[i] === searchElement)
                    {
                        return i;
                    }
                }
                else if (this[i] === searchElement)
                {
                    return i;
                }
            }
            return -1;
        };
    }
})();
/**********************************************************************************/
(function ($,undefined)
{
    var toasting =
    {
        gettoaster : function ()
        {
            var toaster = $('#' + settings.toaster.id);
            if(toaster.length < 1)
            {
                toaster = $(settings.toaster.template).attr('id', settings.toaster.id).css(settings.toaster.css).addClass(settings.toaster['class']);
                if ((settings.stylesheet) && (!$("link[href=" + settings.stylesheet + "]").length))
                {
                    /* append the stylesheet link to <head>; the captured file used appendTo, which reverses subject and target */
                    $('head').append('<link rel="stylesheet" href="' + settings.stylesheet + '">');
                }
                $(settings.toaster.container).append(toaster);
            }
            return toaster;
        },
        notify : function (title, message, priority)
        {
            var $toaster = this.gettoaster();
            var $toast  = $(settings.toast.template.replace('%priority%', priority)).hide().css(settings.toast.css).addClass(settings.toast['class']);
            $('.title', $toast).css(settings.toast.csst).html(title);
            $('.message', $toast).css(settings.toast.cssm).html(message);
            if ((settings.debug) && (window.console))
            {
                console.log($toast); /* the captured file logged the undefined name "toast" */
            }
            $toaster.append(settings.toast.display($toast));
            if (settings.donotdismiss.indexOf(priority) === -1)
            {
                var timeout = (typeof settings.timeout === 'number') ? settings.timeout : ((typeof settings.timeout === 'object') && (priority in settings.timeout)) ? settings.timeout[priority] : 1500;
                setTimeout(function()
                {
                    settings.toast.remove($toast, function()
                    {
                        $toast.remove();
                    });
                }, timeout);
            }
        }
    };
    var defaults =
    {
        'toaster'         :
        {
            'id'        : 'toaster',
            'container' : 'body',
            'template'  : '<div></div>',
            'class'     : 'toaster',
            'css'       :
            {
                'position' : 'fixed',
                'top'      : '10px',
                'right'    : '10px',
                'width'    : '300px',
                'zIndex'   : 50000
            }
        },
        'toast'       :
        {
            'template' :
                '<div class="alert alert-%priority% alert-dismissible" role="alert">' +
                    '<button type="button" class="close" data-dismiss="alert">' +
                        '<span aria-hidden="true">&times;</span>' +
                        '<span class="sr-only">Close</span>' +
                    '</button>' +
                    '<span class="title"></span>: <span class="message"></span>' +
                '</div>',
            'css'      : {},
            'cssm'     : {},
            'csst'     : { 'fontWeight' : 'bold' },
            'fade'     : 'slow',
            'display'    : function ($toast)
            {
                return $toast.fadeIn(settings.toast.fade);
            },
            'remove'     : function ($toast, callback)
            {
                return $toast.animate(
                    {
                        opacity : '0',
                        padding : '0px',
                        margin  : '0px',
                        height  : '0px'
                    },
                    {
                        duration : settings.toast.fade,
                        complete : callback
                    }
                );
            }
        },
        'debug'        : false,
        'timeout'      : 1500,
        'stylesheet'   : null,
        'donotdismiss' : []
    };
    var settings = {};
    $.extend(settings, defaults);
    $.toaster = function (options)
    {
        if (typeof options === 'object')
        {
            if ('settings' in options)
            {
                settings = $.extend(settings, options.settings);
            }
            var title    = ('title' in option...
http://10.1.20.137:8085/js/jquery.toaster.js
$(document).ready(function(){
    ////var score = $(".score span").text();
    ////alert(score);
    //
    var numOfScore = $(".score").length;
    var sixEm = '<img src="' + rootUrl + '/Public/img/starEm.png"/> \n';
    for(var i=0; i<numOfScore; i++){
        var score = $(".score").eq(i).children("span").text();
        var s = parseInt(Number(score) + 0.5);
        var deleteS = 5 - s;
        for(var j=deleteS-1; j>=0; j--){
            $(".score").eq(i).children("img").eq(j).remove();
            $(".score").eq(i).children("span").before(sixEm);
        }
    }
    /*$('.login').click(function() {
        var email = $('#login-email').val();
        var password = $('#login-password').val();
        var remember = $('#login-remember').is(':checked') ? true : false;
        var checkEmail= /^([a-zA-Z0-9_-])+@([a-zA-Z0-9_-])+(.[a-zA-Z0-9_-])+/;
        if (!checkEmail.test(email)) {
            var text = "邮箱格式错误,请重新输入";
            $('#login-info').show();
            $('#login-info').html(text);
            $('#login-email').focus();
            return;
        }
        $.ajax({
            type: 'post',
            url: 'login',
            dataType: 'json',
            data: 'email=' + email + '&password=' + password + '&remember=' + remember,
            success: function(json) {
                switch (json.status) {
                    case 0: // login succeeded
                        var text = "登录成功";
                        $.toaster({ title : text, priority : 'success', message : '' });
                        $('.log-or-sign').hide();
                        setTimeout(function() {
                            window.location.reload();
                        },1200);
                        break;
                    case 1: // wrong password
                        var text = "密码错误,请重新输入";
                        $('#login-info').show();
                        $('#login-info').html(text);
                        $('#login-password').focus();
                        break;
                    case 2: // user does not exist
                        var text = "用户不存在,请重新输入或注册新用户";
                        $('#login-info').show();
                        $('#login-info').html(text);
                        $('#login-email').focus();
                        break;
                    case 3: // e-mail not verified
                        var text = "邮箱未验证,请验证邮箱后登录";
                        $('#login-info').show();
                        $('#login-info').html(text);
                        $('#login-email').focus();
                        break;
                }
            }
        });
    });
    function sendEmail() {
        $.ajax({
            type: 'post',
            url: 'register/sendEmail',
            dataType: 'json',
            data: '',
            success: function(json) {
                //$.toaster({ title : 'Hey, there. ', priority : 'success', message : ')' });
            }
        });
    }
    $('.register').click(function() {
        var email = $('#register-email').val();
        var password = $('#register-password').val();
        var checkEmail= /^([a-zA-Z0-9_-])+@([a-zA-Z0-9_-])+(.[a-zA-Z0-9_-])+/;
        if (!checkEmail.test(email)) {
            var text = "邮箱格式错误,请重新输入";
            $('#register-info').show();
            $('#register-info').html(text);
            $('#register-email').focus();
            return;
        }
        if (password.length < 6) {
            var text = "密码需要至少为6位";
            $('#register-info').show();
            $('#register-info').html(text);
            $('#register-password').focus();
            return;
        }
        $.ajax({
            type: 'post',
            url: 'register',
            dataType: 'json',
            data: 'email=' + email + '&password=' + password,
            success: function(json) {
                switch (json.status) {
                    case 0: // registration succeeded
                        sendEmail();
                        var text = "注册成功,请验证邮箱后登录";
                        $('#login-info').show();
                        $('#login-info').html(text);
                        //$('.log-or-sign').hide();
                        $('#tab-sl a[href="#login"]').tab('show');
                        $('#login-email').val(email);
                        $('#register-email').val();
                        $('#register-password').val();
                        $('#login-password').focus();
                        break;
                    case 1: // user already exists
                        var text = "用户已存在,请重新输入或登录已有用户";
                        $('#register-info').show();
                        $('#register-info').html(text);
                        $('#register-email').focus();
                        break;
                    case 2: // internal error
                        var text = "发生内部错误,请稍后尝试";
                        $.toaster({ title : text, priority : 'danger', message : '' });
                        break;
                }
            }
        });
    })...
http://10.1.20.137:8085/js/index.js
$(function(){
    $("#but1").click(function(){ // click
        confirm("暂未登录,是否登录?");
    });
    $("#but2").click(function(){ // click
        confirm("暂未开户,是否进行开户?");
    });
});
http://10.1.20.137:8085/tomain
/*!
* jQuery JavaScript Library v2.1.4
* http://jquery.com/
*
* Includes Sizzle.js
* http://sizzlejs.com/
*
* Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors
* Released under the MIT license
* http://jquery.org/license
*
* Date: 2015-04-28T16:01Z
*/
(function( global, factory ) {
if ( typeof module === "object" && typeof module.exports === "object" ) {
// For CommonJS and CommonJS-like environments where a proper `window`
// is present, execute the factory and get jQuery.
// For environments that do not have a `window` with a `document`
// (such as Node.js), expose a factory as module.exports.
// This accentuates the need for the creation of a real `window`.
// e.g. var jQuery = require("jquery")(window);
// See ticket #14549 for more info.
module.exports = global.document ?
factory( global, true ) :
function( w ) {
if ( !w.document ) {
throw new Error( "jQuery requires a window with a document" );
}
return factory( w );
};
} else {
factory( global );
}
// Pass this if window is not defined yet
}(typeof window !== "undefined" ? window : this, function( window, noGlobal ) {
// Support: Firefox 18+
// Can't be in strict mode, several libs including ASP.NET trace
// the stack via arguments.caller.callee and Firefox dies if
// you try to trace through "use strict" call chains. (#13335)
//
var arr = [];
var slice = arr.slice;
var concat = arr.concat;
var push = arr.push;
var indexOf = arr.indexOf;
var class2type = {};
var toString = class2type.toString;
var hasOwn = class2type.hasOwnProperty;
var support = {};
var
// Use the correct document accordingly with window argument (sandbox)
document = window.document,
version = "2.1.4",
// Define a local copy of jQuery
jQuery = function( selector, context ) {
// The jQuery object is actually just the init constructor 'enhanced'
// Need init if jQuery is called (just allow error to be thrown if not included)
return new jQuery.fn.init( selector, context );
},
// Support: Android<4.1
// Make sure we trim BOM and NBSP
rtrim = /^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,
// Matches dashed string for camelizing
rmsPrefix = /^-ms-/,
rdashAlpha = /-([\da-z])/gi,
// Used by jQuery.camelCase as callback to replace()
fcamelCase = function( all, letter ) {
return letter.toUpperCase();
};
jQuery.fn = jQuery.prototype = {
// The current version of jQuery being used
jquery: version,
constructor: jQuery,
// Start with an empty selector
selector: "",
// The default length of a jQuery object is 0
length: 0,
toArray: function() {
return slice.call( this );
},
// Get the Nth element in the matched element set OR
// Get the whole matched element set as a clean array
get: function( num ) {
return num != null ?
// Return just the one element from the set
( num < 0 ? this[ num + this.length ] : this[ num ] ) :
// Return all the elements in a clean array
slice.call( this );
},
// Take an array of elements and push it onto the stack
// (returning the new matched element set)
pushStack: function( elems ) {
// Build a new jQuery matched element set
var ret = jQuery.merge( this.constructor(), elems );
// Add the old object onto the stack (as a reference)
ret.prevObject = this;
ret.context = this.context;
// Return the newly-formed element set
return ret;
},
// Execute a callback for every element in the matched set.
// (You can seed the arguments with an array of args, but this is
// only used internally.)
each: function( callback, args ) {
return jQuery.each( this, callback, args );
},
map: function( callback ) {
return this.pushStack( jQuery.map(this, function( elem, i ) {
return callback.call( elem, i, elem );
}));
},
slice: function() {
return this.pushStack( slice.apply( this, arguments ) );
},
first: function() {
return this.eq( 0 );
},
last: function() {
return this.eq( -1 );
},
eq: function( i ) {
var len = this.length,
j = +i + ( i < 0 ? len : 0 );
return this.pushStack( j >= 0 && j < len ? [ this[j] ] : [] );
},
end: function() {
return this.prevObject || this.constructor(null);
},
// For internal use only.
// Behaves like an Array's method, not like a jQuery method.
push: push,
sort: arr.sort,
splice: arr.splice
};
jQuery.extend = jQuery.fn.extend = function() {
var options, name, src, copy, copyIsArray, clone,
target = arguments[0] || {},
i = 1,
length = arguments.length,
deep = false;
// Handle a deep copy situation
if ( typeof target === "boolean" ) {
deep = target;
// Skip the boolean and the target
target = arguments[ i ] || {};
i++;
}
// Handle case when target is a string or something (possible in deep copy)
if ( typeof target !== "object" ...
http://10.1.20.137:8085/js/jquery-2.1.4/jquery.js
http://10.1.20.137:8085/Index/checkLogin
http://10.1.20.137:8085/feedback
Comments
Comment
URL
Tab panes
http://10.1.20.137:8085/tologin
Tab Log in
http://10.1.20.137:8085/tologin
Tab Register
http://10.1.20.137:8085/tologin
Modal Feedback
http://10.1.20.137:8085/tologin
Modal Feedback End
http://10.1.20.137:8085/tologin
Page redirected via the backend
http://10.1.20.137:8085/tomain
BEGIN NEW COURSES
http://10.1.20.137:8085/tomain
Indicators
http://10.1.20.137:8085/tomain
<li data-target="#carousel-example-generic" data-slide-to="2"></li>
http://10.1.20.137:8085/tomain
Wrapper for slides
http://10.1.20.137:8085/tomain
<a href="#">###</a>
<a href="#">###</a>
http://10.1.20.137:8085/tomain
Cookie
Name
URL
Application URLs
§  http://10.1.20.137:8085/tologin
§  http://10.1.20.137:8085/js/html5shiv.min.js
§  http://10.1.20.137:8085/js/respond.min.js
§  http://10.1.20.137:8085/js/jquery.min.js
§  http://10.1.20.137:8085/js/footer.js
§  http://10.1.20.137:8085/js/header.js
§  http://10.1.20.137:8085/js/bootstrap.min.js
§  http://10.1.20.137:8085/js/jquery.toaster.js
§  http://10.1.20.137:8085/js/index.js
§  http://10.1.20.137:8085/tomain
§  http://10.1.20.137:8085/js/jquery-2.1.4/jquery.js