美文网首页
06_JavaWeb项目防止xss漏洞攻击解决办法

06_JavaWeb项目防止xss漏洞攻击解决办法

作者: 明天你好向前奔跑 | 来源:发表于2018-02-25 13:40 被阅读0次

@Author Jacky Wang,转载请注明出处https://www.jianshu.com/p/8c11901a9778

步骤:

  1. pom添加maven依赖
  2. 自定义过滤器Filter拦截请求,并对请求参数进行xss过滤处理

具体实现如下:

1. pom添加依赖
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-servlet-api</artifactId>
    <version>8.0.36</version>
    <scope>provided</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.servlet/servlet-api -->
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>servlet-api</artifactId>
    <version>2.5</version>
    <scope>provided</scope>
</dependency> 

2. 自定义过滤器Filter,并对请求Request进行xss过滤处理

@SpringBootConfiguration
@WebFilter(filterName = "XssFilter",urlPatterns = {"/*"})
public class XssFilter implements Filter {

    /**无需进行xss过滤的uri地址*/
    private static final Set<String> ALLOWED_PATHS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("/pay/wxNotify","/pay/alNotify","/pay/gateway")));
    
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // TODO Auto-generated method stub
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest)req;
        HttpServletResponse response = (HttpServletResponse)resp;
        String path = request.getRequestURI().substring(request.getContextPath().length()).replaceAll("[/]+$", "");
        
        boolean allowedPath = ALLOWED_PATHS.contains(path);
        
        if(allowedPath) {
            chain.doFilter(request, response);
        }else {
            chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
        }
    }

    @Override
    public void destroy() {
        // TODO Auto-generated method stub
    }
}

-------------------------------------------------------------------------------------------------

XSSRequestWrapper是Request的包装类,用于修改Request请求,这是拦截器Interceptor所不能做到的:

    public class XSSRequestWrapper extends HttpServletRequestWrapper {
    
        public XSSRequestWrapper(HttpServletRequest request) {
            super(request);
        }
    
        /**
         * 对数组参数进行特殊字符过滤
         */
        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                return null;
            }
            int count = values.length;
            String[] encodedValues = new String[count];
            for (int i = 0; i < count; i++) {
                encodedValues[i] = clearXss(values[i]);
            }
            return encodedValues;
        }
    
        /**
         * 对参数中特殊字符进行过滤
         */
        @Override
        public String getParameter(String name) {
            String value = super.getParameter(name);
            if (value == null) {
                return null;
            }
            return clearXss(value);
        }
    
        /**
         * 获取attribute,特殊字符过滤
         */
        @Override
        public Object getAttribute(String name) {
            Object value = super.getAttribute(name);
            if (value != null && value instanceof String) {
                clearXss((String) value);
            }
            return value;
        }
    
        /**
         * 对请求头部进行特殊字符过滤
         */
        @Override
        public String getHeader(String name) {
            String value = super.getHeader(name);
            if (value == null) {
                return null;
            }
            return clearXss(value);
        }
    
        /**   
         * @Title: clearXss   
         * @Description: TODO(xss攻击处理)   
         * @param: @param value
         * @param: @return      
         * @return: String      
         * @throws   
         */ 
        private String clearXss(String value) {
            if (StringUtils.isEmpty(value)) {
                return value;
            }
            try {
                value = new String(value.getBytes("ISO8859-1"), "UTF-8");
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
    
            return XssFilterUtil.stripXss(value);
        }
    }

---------------------------------------------------------------------------------------------

public class XssFilterUtil {
    private static List<Pattern> patterns = null;

    /*private static List<Object[]> getXssPatternList() {
        List<Object[]> ret = new ArrayList<Object[]>();

        ret.add(new Object[]{"<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE});
        ret.add(new Object[]{"eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE});
        ret.add(new Object[]{"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        return ret;
    }*/
    
    private static List<Object[]> getXssPatternList() {
        List<Object[]> ret = new ArrayList<Object[]>();
        
        ret.add(new Object[]{"<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE});
        ret.add(new Object[]{"</script>", Pattern.CASE_INSENSITIVE});
        ret.add(new Object[]{"<script(.*?)>",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE});
        ret.add(new Object[]{"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        ret.add(new Object[]{"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});
        return ret;
    }

    private static List<Pattern> getPatterns() {

        if (patterns == null) {

            List<Pattern> list = new ArrayList<Pattern>();

            String regex = null;
            Integer flag = null;
            int arrLength = 0;

            for(Object[] arr : getXssPatternList()) {
                arrLength = arr.length;
                for(int i = 0; i < arrLength; i++) {
                    regex = (String)arr[0];
                    flag = (Integer)arr[1];
                    list.add(Pattern.compile(regex, flag));
                }
            }

            patterns = list;
        }

        return patterns;
    }

    public static String stripXss(String value) {
        if(StringUtils.isNotBlank(value)) {

            Matcher matcher = null;

            for(Pattern pattern : getPatterns()) {
                matcher = pattern.matcher(value);
                // 匹配
                if(matcher.find()) {
                    // 删除相关字符串
                    value = matcher.replaceAll("");
                }
            }

            //value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
            //删除特殊符号
            String specialStr = "%20|=|!=|-|--|;|'|\"|%|#|+|//|/| |\\|<|>|(|)|{|}";
            for (String str : specialStr.split("\\|")) {
                if(value.indexOf(str) > -1) {
                    value = value.replaceAll(str, "");
                }
            }
        }
//      if (LOG.isDebugEnabled())
//          LOG.debug("strip value: " + value);
        System.err.println(value);
        return value;
    }
}

相关文章

  • 06_JavaWeb项目防止xss漏洞攻击解决办法

    @Author Jacky Wang,转载请注明出处https://www.jianshu.com/p/8c119...

  • 常见的WEB攻击

    XSS攻击,CSRF攻击,SQL注入攻击,文件上传漏洞,DDoS攻击,其他攻击手段 1.XSS攻击 XSS(Cro...

  • XSS

    XSS: 被攻击网站存在XSS漏洞,攻击者通过构造URL(DOM Based XSS)或者将攻击脚本存储在被攻击网...

  • 9.2 XSS攻击

    XSS攻击 XSS(Cross Site Script)攻击又叫做跨站脚本攻击。他的原理是用户在使用具有XSS漏洞...

  • 最浅显易懂的Django系列教程(42)-XSS攻击

    XSS攻击 XSS(Cross Site Script)攻击又叫做跨站脚本攻击。他的原理是用户在使用具有XSS漏洞...

  • web安全

    XSS攻击 XSS攻击,跨站脚本攻击,这是在网站中最容易产生的攻击。原理是攻击者向存在XSS漏洞的网站输入一段攻击...

  • 安全问题

    XSS(跨站点脚本攻击)漏洞 攻击原理  攻击者向有xss漏洞的网站中传入恶意的html代码,其他用户浏览该网站时...

  • PHP预防XSS攻击

    预防XSS攻击 从根本上说,解决办法是消除网站的XSS漏洞,这就需要网站开发者运用转义安全字符等手段,始终把安全放...

  • 每一个工程师都要学的安全测试,老板再也不用担心服务器被黑

    本文由云+社区发表 本篇包含了XSS漏洞攻击及防御详细介绍,包括漏洞基础、XSS基础、编码基础、XSS Paylo...

  • 前端面试题目整理

    XSS xss(cross siteScript)全称跨站脚本攻击,其原理是攻击者向有XSS漏洞的网站输入恶意ht...

网友评论

      本文标题:06_JavaWeb项目防止xss漏洞攻击解决办法

      本文链接:https://www.haomeiwen.com/subject/lqrrxftx.html

      延伸阅读

      深度阅读

      • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

      栏目导航

      热点阅读

      关于我们|服务条款|联系我们|06_JavaWeb项目防止xss漏洞攻击解决办法|投稿指南|网站地图|RSS订阅|排版工具|手机版

      提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

      Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

      备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

      本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

      所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!