接手的这个老项目检测出了框架库漏洞,我把jq升级到3.6.0还是有这个漏洞,项目中也没有引入js-cookie
但有操作cookie的代码,可这也不是库啊,让我很难受,请指点
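/**
 * Vue 2 plugin exposing cookie helpers on every component instance:
 * `this.$setCookie(name, value, expire)`, `this.$getCookie(name)` and
 * `this.$delCookie(name)`. Everything is written with `path=/`, so cookies
 * set here are visible to the whole site.
 *
 * Values are stored with the legacy `escape()` encoding (kept so cookies
 * already written by the previous version of this file still parse the same
 * way) and `$getCookie` returns them still encoded; callers that store
 * non-ASCII text must `unescape()` the result themselves. `escape()` does
 * encode `;` and `=`, so a value cannot smuggle extra cookie attributes, but
 * the cookie NAME is written verbatim — pass only trusted, constant names.
 */
var cookie = {};

/**
 * Build the `expires=` attribute for `$setCookie`.
 *
 * @param {Date|number|undefined} expire - an absolute `Date`, or a number of
 *   days from now. NOTE(review): the previous implementation ignored this
 *   argument entirely, so "days" is an assumption taken from the common
 *   `setCookie(name, value, expiredays)` helper this code resembles — confirm
 *   against callers. Any other value yields a session cookie.
 * @returns {string} `"expires=<UTC date>;"`, or `""` for a session cookie.
 */
function cookieExpiresAttribute(expire) {
  let when = null;
  if (expire instanceof Date) {
    when = expire;
  } else if (typeof expire === 'number' && Number.isFinite(expire)) {
    when = new Date(Date.now() + expire * 24 * 60 * 60 * 1000);
  }
  return when ? `expires=${when.toUTCString()};` : '';
}

/**
 * Find the raw (still `escape()`-encoded) value of one cookie in a
 * `document.cookie` string.
 *
 * Each entry is split only at its FIRST `=`, so values that themselves
 * contain `=` (e.g. base64 padding in server-set cookies) come back whole —
 * the previous `split('=')` silently truncated them at the first `=`.
 *
 * @param {string} cookieString - the `document.cookie` text.
 * @param {string} name - cookie name; surrounding whitespace is ignored.
 * @returns {string|undefined} the value, or `undefined` when the cookie is
 *   absent or empty (an empty value counts as "not set", as before).
 */
function readCookieValue(cookieString, name) {
  if (!cookieString) return undefined;
  const wanted = name.trim();
  for (const entry of cookieString.split(';')) {
    const eq = entry.indexOf('=');
    if (eq === -1) continue; // entry without '=': nothing to read, skip it
    const key = entry.slice(0, eq).trim();
    const value = entry.slice(eq + 1);
    if (key === wanted && value) return value;
  }
  return undefined;
}

/**
 * Vue plugin entry point (`Vue.use(cookie)`).
 *
 * @param {Function} Vue - the Vue constructor whose prototype receives the helpers.
 * @param {object} [options] - unused; accepted for `Vue.use` compatibility.
 */
cookie.install = function (Vue, options) {
  /**
   * Write a site-wide cookie.
   *
   * @param {string} c_name - cookie name (trimmed; must not contain `;` or `=`).
   * @param {string} value - stored `escape()`-encoded.
   * @param {Date|number} [expire] - see `cookieExpiresAttribute`; omitted → session cookie.
   */
  Vue.prototype.$setCookie = function (c_name, value, expire) {
    document.cookie = `${c_name.trim()}=${escape(value)};${cookieExpiresAttribute(expire)}path=/;`;
  };

  /**
   * Read a cookie's raw value.
   *
   * @param {string} c_name - cookie name (trimmed).
   * @returns {string|undefined} the encoded value, or `undefined` if absent/empty.
   */
  Vue.prototype.$getCookie = function (c_name) {
    return readCookieValue(document.cookie, c_name);
  };

  /**
   * Delete a cookie by rewriting it with an expiry date in the past, which
   * removes it immediately (not merely when the browser closes). The name is
   * trimmed so it matches what `$setCookie` wrote.
   *
   * @param {string} c_name - cookie name.
   */
  Vue.prototype.$delCookie = function (c_name) {
    document.cookie = `${c_name.trim()}=;expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/;`;
  };
};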
// CommonJS export of the plugin object; main.js consumes it with
// `import cookie from './sense/cookie.js'` and registers it via `Vue.use(cookie)`
// (presumably the bundler's CJS/ESM interop makes the default import resolve to it).
module.exports = cookie;
package.json目录
"dependencies": {
"ajv": "^6.5.2",
"axios": "^0.24.0",
"babel-polyfill": "^6.26.0",
"echarts": "^4.2.1",
"element-ui": "^2.7.0",
"es6-promise": "^4.2.6",
"fastclick": "^1.0.6",
"js-md5": "^0.7.3",
"less": "^3.0.4",
"less-loader": "^4.1.0",
"peer": "^0.6.1",
"serialize-javascript": "^6.0.0",
"vue": "^2.6.10",
"vue-router": "^3.0.1",
"vuex": "^3.1.1"
},
"devDependencies": {
"autoprefixer": "^7.1.2",
"babel-core": "^6.22.1",
"babel-helper-vue-jsx-merge-props": "^2.0.3",
"babel-loader": "^7.1.1",
"babel-plugin-syntax-jsx": "^6.18.0",
"babel-plugin-transform-runtime": "^6.22.0",
"babel-plugin-transform-vue-jsx": "^3.5.0",
"babel-preset-env": "^1.3.2",
"babel-preset-stage-2": "^6.22.0",
"chalk": "^2.0.1",
"copy-webpack-plugin": "^4.0.1",
"css-loader": "^0.28.0",
"extract-text-webpack-plugin": "^3.0.0",
"file-loader": "^1.1.4",
"friendly-errors-webpack-plugin": "^1.6.1",
"html-webpack-plugin": "^2.30.1",
"jquery": "^3.6.0",
"moment": "^2.24.0",
"node-notifier": "^5.1.2",
"node-sass": "^6.0.1",
"optimize-css-assets-webpack-plugin": "^3.2.0",
"ora": "^1.2.0",
"portfinder": "^1.0.13",
"postcss-import": "^11.0.0",
"postcss-loader": "^2.0.8",
"postcss-url": "^7.2.1",
"rimraf": "^2.6.0",
"sass-loader": "^7.0.3",
"semver": "^5.7.0",
"shelljs": "^0.7.6",
"uglifyjs-webpack-plugin": "^1.1.1",
"url-loader": "^0.5.8",
"vue-loader": "^13.3.0",
"vue-style-loader": "^3.0.1",
"vue-template-compiler": "^2.6.10",
"webpack": "^3.6.0",
"webpack-bundle-analyzer": "^2.9.0",
"webpack-dev-server": "^2.11.5",
"webpack-merge": "^4.1.0"
},
main.js
// The Vue build version to load with the `import` command
// (runtime-only or standalone) has been set in webpack.base.conf with an alias.
//
// Application entry point: installs polyfills, registers global Vue plugins and
// prototype helpers, then mounts the root component on `#app`. Order matters here:
// `import` declarations are hoisted and evaluated in source order before any plain
// statement in this file runs, so the polyfill imports must stay first.
import 'babel-polyfill'
import Es6Promise from 'es6-promise'
// NOTE(review): the next two lines install the es6-promise polyfill from the same
// module twice. Because `import`s are hoisted, the `require(...)` call runs after
// every import above regardless of its position; the second call is redundant
// (presumably a no-op once a usable `Promise` exists) — one of the two can go.
require('es6-promise').polyfill()
Es6Promise.polyfill()
import Vue from 'vue'
import App from './App'
// Static (non-npm) jQuery build and keyboard script, imported from /static; they are
// also passed to `Vue.use` further down — see the note there.
import jqueryMin from '../static/js/jquery.min'
import keyboard from '../static/js/jquery.keyboard'
import store from './store/index'
import cookie from './sense/cookie.js'
// Local wrapper module, not the bare `axios` package; its `defaults` are set below.
import axios from './sense/axios'
import {whandww} from './sense/frame'
import plugin from './sense/plugin'
import requestUrl from './sense/request'
import moment from 'moment'
import FastClick from 'fastclick'
// NOTE(review): `$` and `echarts` are not referenced anywhere in this file. The npm
// jQuery is imported in addition to the static `jquery.min` above, so two jQuery
// copies may end up in the bundle — confirm which one is intended and drop the other.
import $ from 'jquery'
import echarts from 'echarts'
import ElementUI from 'element-ui'
import 'element-ui/lib/theme-chalk/index.css'
import api from './config/api'
import router from './router'
// Silence Vue's "development mode" console tip.
Vue.config.productionTip = false
// Remove the mobile tap delay once the DOM is ready.
if ('addEventListener' in document) {
  document.addEventListener('DOMContentLoaded', function() {
    FastClick.attach(document.body);
  }, false);
}
// NOTE(review): `debug` is not a documented Vue 2 config option, so this line most
// likely has no effect — probably a leftover from an older Vue version.
Vue.config.debug = true;
// Assuming `./sense/axios` exports an axios instance: cross-origin requests will not
// carry cookies (including those written by the cookie plugin). Flip this only
// together with a matching CORS credentials policy on the server.
axios.defaults.withCredentials=false;
// Prototype helpers reachable from any component as `this.whandww`, `this.moment`,
// `this.$ajax`.
Vue.prototype.whandww = whandww;
Vue.prototype.moment = moment;
Vue.prototype.$ajax = axios;
// NOTE(review): Vue 2's `Vue.use` calls `plugin.install(Vue)` or, failing that,
// `plugin(Vue)`. `jqueryMin`/`keyboard` look like plain jQuery builds rather than
// Vue plugins, so these two calls probably do nothing useful beyond the side-effect
// import above — confirm and remove if so.
Vue.use(jqueryMin);
Vue.use(keyboard);
Vue.use(requestUrl);
Vue.use(plugin);
Vue.use(cookie);
Vue.use(api);
Vue.use(ElementUI);
/* eslint-disable no-new */
// Mount the root instance. `template: '<App/>'` is compiled at runtime, which needs
// the compiler-included Vue build selected by the alias mentioned at the top.
new Vue({
  el: '#app',
  router,
  store,
  components: { App },
  template: '<App/>'
});
这也没有说明是什么库有漏洞。这种检测也不一定准确。
你把vue升级到2.6.14
这些检测不一定准,其实这类检测往往只要代码里包含了它设定的关键词,就认为你有漏洞了
一般漏洞是区分等级的,比如:高危、紧急、一般、低危,除了高危、紧急的必须改,其他的就是无所谓了,
正常情况下如果找不到漏洞,你就可以从屏蔽漏洞的角度去解决,这些漏洞都是扫描出来的,
你把网站的js都配置一个token,只有你指定的token可以带参数访问js,否则不给他访问就可以了
屏蔽漏洞
采用隐藏版本号的方式,把图中 jquery 的版本号改成0.0.0和8.8.8分别试一下。如有帮助,请采纳。
我们一般都这样处理漏洞的
看图就知道是绿盟的报告,
改js名字就可以解决的
你的 npm 包 serialize-javascript 使用了 eval 函数,存在漏洞,替换掉它应该就没有问题了
https://cn.bing.com/search?q=serialize-javascript+%E6%BC%8F%E6%B4%9E&PC=U316&FORM=CHROMN
漏洞修复:javascript框架库漏洞
https://blog.csdn.net/iceliooo/article/details/102856590