ESAPI: a short guide to using the XSS prevention toolkit
2017-11-07 14:01
XSS (cross-site scripting): an attacker submits malicious HTML or JavaScript to a site that has an XSS flaw; when other users later view the affected page, the injected code runs in their browsers under the site's own origin. That lets the attacker steal cookies and session tokens, deface the page, redirect users to another site, and so on.
The most common, classic XSS test string is <script>alert(/XSS/)</script>. Typed into an input field of a site with an XSS flaw, it produces an alert dialog when the page is later viewed.

This article covers a small XSS defence we recently used, OWASP ESAPI, in a Maven project. Add the dependencies to pom.xml:
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.1.0</version>
</dependency>
<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.7.3</version>
</dependency>

These are the versions the article was written against; both libraries have had many releases since, so pick the current versions for a new project. Then put the ESAPI configuration files validation.properties and ESAPI.properties on the classpath. ESAPI fails at startup if ESAPI.properties cannot be found, so copy the reference files shipped with the ESAPI distribution rather than writing them from scratch. Two settings in ESAPI.properties matter for the filter below: Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding decide whether canonicalize() throws an IntrusionException on double- or mixed-encoded input, and nothing in the filter catches that exception.
Next, write a filter class ManageSecurityFilter that implements Filter and is applied to every back-end request. It wraps the request so that risky content is stripped from parameter and header values before the application reads them. Treat this as defence in depth, not as a replacement for encoding untrusted data for the context in which it is output: an input filter cannot know whether a value will later land in an HTML body, an attribute, a URL or a script block.
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * XSS security filter: wraps every HTTP request in a SecurityRequestWrapper
 * so that parameter and header values are sanitized when they are read.
 *
 * @author wjl
 * @date 2014-4-10 2:12:02 PM
 */
public class ManageSecurityFilter implements Filter {

    /** Request attribute marking a request this filter has already wrapped (guards against re-entry on forward/include). */
    private static final String FILTER_APPLIED = ManageSecurityFilter.class.getName() + ".FILTERED";

    /**
     * Regular expressions for request URIs that bypass the filter, injected from the Spring bean definition.
     * Every entry is a path whose input is NOT sanitized, so keep the list short and review it.
     * getRequestURI() includes the context path, so a pattern such as "/console/audit/.*" only
     * matches when the application is deployed at the root context.
     */
    private Set<String> excludePathRegex = new HashSet<String>();

    public void setExcludePathRegex(Set<String> excludePathRegex) {
        this.excludePathRegex = excludePathRegex;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException("XSSFilter just supports HTTP requests");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // Excluded paths pass through untouched. String.matches() anchors the whole URI.
        String uri = httpRequest.getRequestURI();
        for (String regex : excludePathRegex) {
            if (uri.matches(regex)) {
                chain.doFilter(request, response);
                return;
            }
        }

        // Apply the filter once per request, even if the chain re-enters it.
        if (null != httpRequest.getAttribute(FILTER_APPLIED)) {
            chain.doFilter(request, response);
            return;
        }
        try {
            request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
            SecurityRequestWrapper requestWrapper = new SecurityRequestWrapper(httpRequest);
            chain.doFilter(requestWrapper, response);
        } finally {
            httpRequest.removeAttribute(FILTER_APPLIED);
        }
    }

    @Override
    public void destroy() {}
}

Next, the SecurityRequestWrapper class, which does the actual sanitizing with ESAPI and Jsoup:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document.OutputSettings;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;

public class SecurityRequestWrapper extends HttpServletRequestWrapper {

    // Jsoup whitelist: start from relaxed() and add the tags and attributes the back end needs.
    // embed/object/param together with allowScriptAccess and flashvars admit Flash content;
    // keep them only if the application really has to accept such markup.
    private final static Whitelist WHITELIST = Whitelist.relaxed();
    private final static OutputSettings OUTPUTSETTINGS = new OutputSettings().prettyPrint(false);

    static {
        WHITELIST.addTags("embed", "object", "param", "span", "div", "img");
        WHITELIST.addAttributes(":all", "style", "class", "id", "name");
        WHITELIST.addAttributes("object", "width", "height", "classid", "codebase");
        WHITELIST.addAttributes("param", "name", "value");
        WHITELIST.addAttributes("embed", "src", "quality", "width", "height", "allowFullScreen",
                "allowScriptAccess", "flashvars", "name", "type", "pluginspage");
    }

    public SecurityRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    // Only getParameter, getParameterValues and getHeader are wrapped. Code that reads input
    // through getParameterMap(), getInputStream()/getReader() (JSON or XML bodies) or
    // getCookies() still receives the raw values.
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (null == values) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = filterValue(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return filterValue(value);
    }

    // Applied to every header, so a User-Agent or Referer containing parentheses or quotes
    // is rewritten too; make sure nothing downstream depends on the exact header value.
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return filterValue(value);
    }

    private String filterValue(String value) {
        if (null != value) {
            // Undo URL/HTML/JavaScript encoding so that encoded payloads are seen in clear text.
            // Depending on Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding in
            // ESAPI.properties, this throws IntrusionException on double- or mixed-encoded input.
            value = ESAPI.encoder().canonicalize(value);
            // Remove null characters.
            value = value.replaceAll("\0", "");
            // Escape the characters that open tag, attribute and function-call contexts.
            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
            value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
            value = value.replaceAll("'", "&#39;");
            // Blacklist patterns. Each replaceAll runs exactly once. The eval pattern can no
            // longer match here because every "(" was already replaced above, and removing
            // "script" also mangles legitimate words ("description" becomes "deion").
            value = value.replaceAll("eval\\((.*)\\)", "");
            value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
            value = value.replaceAll("script", "");
            // Clean out HTML. Jsoup re-parses the string, which decodes the entities written
            // above, and re-escapes on output only what its OutputSettings require, so verify
            // what actually survives this step rather than assuming the replacements do.
            value = Jsoup.clean(value, "", WHITELIST, OUTPUTSETTINGS);
        }
        return value;
    }
}
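The wrapper above only sanitizes input; ESAPI's main XSS defence is its Encoder, applied at the point where untrusted data is written into the page and chosen per output context. The servlet below is an added example and not code from the article: it echoes one request parameter the unsafe way and then the way ESAPI intends, using only the esapi dependency from the pom above. The servlet path, the "name" and "unsafe" parameters and the class name are assumptions for the illustration, and the Servlet 3.0 @WebServlet annotation is assumed to be available.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

/**
 * Added example: the same echo page written unsafely and with ESAPI's contextual encoders.
 * The /echo path and the parameter names are made up for this illustration.
 */
@WebServlet("/echo")
public class EchoServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The article's test payload <script>alert(/XSS/)</script> arrives in this parameter.
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();

        if ("1".equals(req.getParameter("unsafe"))) {
            // UNSAFE: the raw value is concatenated into four different HTML contexts.
            out.println("<p>Hello, " + name + "</p>");
            out.println("<input value='" + name + "'>");
            out.println("<a href='/search?q=" + name + "'>search</a>");
            out.println("<script>var who = '" + name + "';</script>");
            return;
        }

        // SAFE: one encoder per context. Turning "<" into &lt; is only the right rule inside
        // an element body; attributes, URLs and script blocks each need their own encoding.
        Encoder enc = ESAPI.encoder();
        out.println("<p>Hello, " + enc.encodeForHTML(name) + "</p>");
        out.println("<input value='" + enc.encodeForHTMLAttribute(name) + "'>");
        try {
            // The value goes into a query string, and that URL sits inside an attribute,
            // so URL-encode first and apply attribute encoding on top of the result.
            String q = enc.encodeForURL(name);
            out.println("<a href='/search?q=" + enc.encodeForHTMLAttribute(q) + "'>search</a>");
        } catch (EncodingException e) {
            // encodeForURL could not encode the value; omit the link rather than emit raw input.
            out.println("<!-- search link omitted -->");
        }
        out.println("<script>var who = '" + enc.encodeForJavaScript(name) + "';</script>");
    }
}
```

Request /echo?unsafe=1&name=%3Cscript%3Ealert(/XSS/)%3C/script%3E to see the dialog; without unsafe=1 each encoder renders the payload as inert text in its own context. Note that with the ManageSecurityFilter from this article installed, even the unsafe branch would receive a pre-escaped value, which is exactly why an input filter hides rather than fixes this kind of bug.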
Configure web.xml by declaring the filter and mapping it to every URL:

<filter>
    <filter-name>manageSecurityFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>manageSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Then define the bean in the Spring configuration. DelegatingFilterProxy looks up a bean with the same name as the filter (manageSecurityFilter) in the root WebApplicationContext, the one loaded by ContextLoaderListener. If the bean is declared only in the DispatcherServlet's own context file, the proxy cannot see it and fails at startup; either declare it in the root context or point the filter at the servlet's context with the contextAttribute init-param. The article adds it to the servlet's configuration file:
<!-- Security beans -->
<bean id="manageSecurityFilter" class="com.baidu.disconf.web.security.ManageSecurityFilter">
    <property name="excludePathRegex">
        <set>
            <value>/console/compass/manage.*</value>
            <value>/console/coupon/.*</value>
            <value>/console/customize/block/.*</value>
            <value>/console/review/.*</value>
            <value>/console/ripple/.*</value>
            <value>/console/wdjcraw/.*</value>
            <value>/console/audit/reason/.*</value>
            <value>/console/audit/.*</value>
        </set>
    </property>
</bean>

Every path listed in excludePathRegex receives unsanitized input, so each entry needs a reason (for example, an endpoint that must accept rich HTML and validates it itself) and the list should be reviewed whenever routes change.