漏洞描述
黑客在input或者url上输入非法字符,如 <ScRiPt>confirm(4890)</ScRiPt>(大小写混写正是为了绕过区分大小写的过滤),则在网页上弹出确认窗口,相关的脚本被非法执行了。
修复方法
给程序做一个拦截器,拦截请求,把一些特殊符号(如 < > ( ' )转换成 HTML 实体。应用中一般不会有这些特殊符号;如果业务确实需要,则在使用处按规则还原。注意:这种输入侧过滤只是纵深防御,不能替代真正的 XSS 修复——在输出时按上下文(HTML 正文、属性、JS、URL)做编码;而且下面的包装类只覆盖 getParameter / getParameterValues / getHeader,通过 getQueryString、请求体(如 JSON)等途径读取的数据不会经过它。
具体操作
- 编写一个过滤器处理转义字符
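public class XssFilter implements Filter {

    /*
     * Servlet filter that wraps every HTTP request in XssHttpServletRequestWraper
     * so that parameter and header reads go through its encoding. It is mapped
     * to /* in web.xml.
     *
     * NOTE(review): input-side filtering is defence-in-depth only; the reliable
     * XSS fix is context-aware output encoding where values are written into
     * HTML/JS/URLs.
     */

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read.
    }

    /**
     * Hands the request down the chain wrapped in the encoding wrapper.
     * A non-HTTP request is passed through unchanged instead of failing on
     * the cast.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Must match the wrapper class actually defined in this listing
            // (XssHttpServletRequestWraper); the earlier name
            // XssHttpServletRequestWrapperNew does not exist.
            chain.doFilter(new XssHttpServletRequestWraper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}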
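public class XssHttpServletRequestWraper extends HttpServletRequestWrapper {

    /*
     * Request wrapper that entity-encodes HTML/JS meta-characters in parameter
     * and header values before the application reads them.
     *
     * NOTE(review): this is an input-side, blacklist-style measure and only a
     * defence-in-depth layer; the authoritative XSS fix is context-aware output
     * encoding at the sink. Values reached through accessors not overridden
     * here (getQueryString, getHeaders(name), the request body via
     * getInputStream/getReader) are not touched.
     */

    // Quoted "javascript:" URL, e.g. href='javascript:...'. Case-insensitive so
    // that JavaScript:/JAVASCRIPT: variants are caught too.
    private static final java.util.regex.Pattern JS_URL = java.util.regex.Pattern.compile(
            "[\"'][\\s]*javascript:(.*)[\"']", java.util.regex.Pattern.CASE_INSENSITIVE);

    // eval(...) call. Non-greedy so one call does not swallow the rest of the
    // value up to the last ')'.
    private static final java.util.regex.Pattern EVAL_CALL = java.util.regex.Pattern.compile(
            "eval\\((.*?)\\)", java.util.regex.Pattern.CASE_INSENSITIVE);

    public XssHttpServletRequestWraper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the named parameter with meta-characters encoded; null if absent. */
    @Override
    public String getParameter(String name) {
        return clearXss(super.getParameter(name));
    }

    /**
     * Returns the named header with meta-characters encoded; null if absent.
     * NOTE(review): this also rewrites benign headers that legitimately contain
     * '(' or '\'' (User-Agent is a typical one), so code that parses headers
     * will see the encoded form.
     */
    @Override
    public String getHeader(String name) {
        return clearXss(super.getHeader(name));
    }

    /**
     * Returns every value of the named parameter, each encoded; null when the
     * parameter is absent (the earlier version dereferenced the null array and
     * threw NullPointerException for any missing parameter).
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) {
            return null;
        }
        String[] cleaned = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            cleaned[i] = clearXss(raw[i]);
        }
        return cleaned;
    }

    /**
     * Same encoding applied to the whole parameter map. Without this override
     * the wrapped request's raw map stays reachable, so anything that binds
     * parameters via getParameterMap() would bypass the filter.
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        java.util.Map<String, String[]> cleaned = new java.util.LinkedHashMap<>(raw.size());
        for (java.util.Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            String[] out = null;
            if (values != null) {
                out = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    out[i] = clearXss(values[i]);
                }
            }
            cleaned.put(entry.getKey(), out);
        }
        return java.util.Collections.unmodifiableMap(cleaned);
    }

    /**
     * Neutralises common XSS vectors in a single value.
     *
     * @param value raw value; null or empty is returned unchanged
     * @return the value with quoted javascript: URLs and eval(...) calls removed
     *         and the characters < > ( ) ' replaced by HTML entities
     */
    public String clearXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Keyword rules run first, while '(' and the quotes are still literal;
        // after the entity step below they could never match.
        String out = JS_URL.matcher(value).replaceAll("\"\"");
        out = EVAL_CALL.matcher(out).replaceAll("");
        // Entity-encode the characters that open a tag, a JS call or an
        // attribute value. The listing as rendered on this page replaced each
        // character with itself (presumably the entities were lost), which made
        // the whole filter a no-op.
        out = out.replace("<", "&lt;").replace(">", "&gt;");
        out = out.replace("(", "&#40;").replace(")", "&#41;");
        out = out.replace("'", "&#39;");
        // The former blanket replace("script", "") is intentionally gone: it was
        // case-sensitive (the <ScRiPt> payload in this very write-up bypasses
        // it) and corrupted legitimate values such as "description" -> "deion".
        // Encoding '<' and '>' already stops the tag from forming.
        return out;
    }
}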
- 在web.xml中注册该过滤器
<!-- Registers the XSS request wrapper filter on every URL. NOTE(review): no
     <dispatcher> element is given, so only directly dispatched requests are
     covered; whether FORWARD/INCLUDE dispatches also need it is a deployment
     decision - confirm against the container's behaviour. -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.fangle.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>