1.XSS注入
web.xml 加入下面过滤器, 加入sql filter
<filter>
<filter-name>SqlFilter</filter-name>
<filter-class>com.liveneo.msplatform.common.filter.SqlFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SqlFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

2. HTML表单未进行CSRF防护
3.表单CSRF防护缺失
https://blog.csdn.net/u010981786/article/details/51012782

4.点击劫持:无X-Frame-Options头信息
https://blog.csdn.net/ylf20131001/article/details/88550243
tomcat web.xml 添加下面过滤器
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value> SAMEORIGIN</param-value>
</init-param>

<async-supported>true</async-supported>
</filter>

<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

5.登录页面密码猜解
推荐当某账户尝试数次错误密码后，则将账户锁定。

6.脆弱的Javascript库
升级JavaScript库到最新版本。

7.发现应用程序错误信息
删除或升级插件版本