xss攻击防御
2017-12-17 14:52
HttpServletRequestWrapper的子类中的方法没有被调用
XssHttpServletRequestWrapper中的方法没有被调用
(GET /ranking/category-hb/&cat=bh%22onmouseover=alert(9713)%3E%22)@416977618 org.eclipse.jetty.server.Request@18da92d2
https://b.svncode.cnsuning.com/svn/SES-TOOLS/branches/ses-tools_V2.0.1/
7月7日:独立解决XSS攻击问题:
/*方法一,可用,但是是阻止访问
*
HttpServletRequest req=(HttpServletRequest)request;
String
servletPath = req.getServletPath();
boolean
aa = servletPath.contains("\"");
if(aa)
{
return
;
}
else
{
//String
cleanPath = processXSS(servletPath);
chain.doFilter(req,
response);
}*/
方法二:仅适用于URL中的参数注入
注入的URL为:http://10.24.11.49:9080/rs/app?q=12321&jsonpCallback=%3Cbody%20onpageshow=parent[%27aler%27+%27t%27]()%3E%3Ca%20href=%22javascript:alert`1`%22%3E%3Cimg%20src=%221%22%3E%3Ca%3EjQuery17208732702348462678_1513828619112&_=1513836398914
会在返回的结果中注入一个弹出按钮
解决方法:
1、web.xml配置:
<filter>
<filter-name>myXssFilter</filter-name>
<filter-class>com.app.MyXssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myXssFilter</filter-name>
<url-pattern>/ranking/*</url-pattern>
</filter-mapping>
2、MyXssFilter.java
package com.app.MyXssFilter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
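/**
 * Servlet filter that wraps every HTTP request in
 * {@link MyXssHttpServletRequestWrapper} so that downstream code reads the
 * escaped servlet path and parameter values instead of the raw ones.
 *
 * <p>NOTE(review): as shown on this page the filter is declared in package
 * {@code com.app.MyXssFilter} while the wrapper is in {@code com.app.service}
 * and is not imported here; web.xml also registers the class as
 * {@code com.app.MyXssFilter}. The packages and the filter-class entry have to
 * agree before this compiles and loads.
 */
public class MyXssFilter implements Filter {

    /** Held only for the servlet lifecycle; nothing in this filter reads it. */
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps the request and continues the chain.
     *
     * <p>A request that is not an {@link HttpServletRequest} is passed through
     * unchanged; the unconditional cast in the original would have failed with a
     * {@link ClassCastException} instead.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletRequest reqClean = new MyXssHttpServletRequestWrapper(req);
        chain.doFilter(reqClean, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Debug helper: prints every parameter value of {@code req} to stdout so the
     * raw and the wrapped request can be compared.
     *
     * <p>The character encoding is set <em>before</em> the first parameter access.
     * The original called {@code setCharacterEncoding} after
     * {@code getParameterNames()}, which is too late: once the container has parsed
     * the parameters the encoding no longer affects them.
     *
     * @param req request whose parameters are printed
     * @throws IOException      if the encoding is unsupported
     *                          ({@link java.io.UnsupportedEncodingException})
     * @throws ServletException retained from the original signature
     */
    public void test(HttpServletRequest req) throws IOException, ServletException {
        req.setCharacterEncoding("UTF-8");
        java.util.Enumeration<String> params = req.getParameterNames();
        while (params.hasMoreElements()) {
            String param = params.nextElement();
            String[] values = req.getParameterValues(param);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                System.out.println(value);
            }
        }
    }
}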
3、MyXssHttpServletRequestWrapper.java:关键getParameter(String name)和getParameterValues(String name)
package com.app.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
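/**
 * Request wrapper that HTML-escapes the servlet path and every parameter value
 * before the application sees them.
 *
 * <p>Covered: {@link #getServletPath()}, {@link #getParameter(String)},
 * {@link #getParameterValues(String)} and {@link #getParameterMap()}. Headers,
 * cookies, the query string, the request URI and the request body are not
 * overridden and come back from the superclass unchanged.
 *
 * <p>Escaping on input is a coarse safety net, not a substitute for output
 * encoding: the replacement text is only correct when the value is rendered into
 * HTML element or attribute content. A value reflected into JavaScript, a URL or
 * JSON (for example a JSONP callback name) still needs context-specific encoding
 * where it is written out.
 */
public class MyXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap
     */
    public MyXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the servlet path with {@code < > ' " & \ #} HTML-escaped. */
    @Override
    public String getServletPath() {
        return processXSS(super.getServletPath());
    }

    /**
     * Returns the escaped first value of the named parameter.
     *
     * <p>The lookup key is escaped too, as in the original; a parameter whose name
     * contains one of the escaped characters is therefore not found and
     * {@code null} is returned.
     *
     * @param name parameter name
     * @return escaped value, or {@code null} if absent
     */
    @Override
    public String getParameter(String name) {
        return processXSS(super.getParameter(processXSS(name)));
    }

    /**
     * Returns the escaped values of the named parameter.
     *
     * <p>A new array is returned rather than writing into the one from the
     * underlying request: the servlet API does not promise that array is a copy,
     * so escaping it in place (as the original did) could alter the container's
     * own parameter storage.
     *
     * @param name parameter name
     * @return escaped values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(processXSS(name));
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = processXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Returns the parameter map with escaped values so that code which binds
     * parameters through the map rather than {@code getParameter} sees the same
     * sanitized data. Keys are left unchanged; they are lookup identities.
     *
     * @return unmodifiable map of parameter name to escaped values
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> raw = super.getParameterMap();
        java.util.Map<String, String[]> cleaned =
            new java.util.LinkedHashMap<String, String[]>();
        for (java.util.Map.Entry<String, String[]> e : raw.entrySet()) {
            String[] in = e.getValue();
            String[] out = null;
            if (in != null) {
                out = new String[in.length];
                for (int i = 0; i < in.length; i++) {
                    out[i] = processXSS(in[i]);
                }
            }
            cleaned.put(e.getKey(), out);
        }
        return java.util.Collections.unmodifiableMap(cleaned);
    }

    /**
     * HTML-escapes the characters that let text break out of element or attribute
     * context: {@code < > ' " & \ #}. Every other character is copied through.
     *
     * <p>As printed on this page each case of the original appended the very
     * character it matched (so nothing was neutralized) and {@code '\'} is an
     * unterminated character literal that does not compile. Named and numeric
     * entities are used here because they are unambiguous once the value lands in
     * HTML.
     *
     * @param s text to escape; {@code null} and {@code ""} are returned as-is
     * @return the escaped text
     */
    private static String processXSS(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}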
方法三:真正做到防止URL注入的方法:
URL为:
(GET /ranking/category-hb/&cat=bh%22onmouseover=alert(9713)%3E%22)@416977618 org.eclipse.jetty.server.Request@18da92d2
1、web.xml配置:
<filter>
<filter-name>myXssFilter</filter-name>
<filter-class>com.su.se.comp.service.myXssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myXssFilter</filter-name>
<url-pattern>/ranking/*</url-pattern>
</filter-mapping>
2、写一个自己的过滤器
package com.su.se.comp.service;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
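/**
 * Servlet filter that wraps each HTTP request in {@link myXssHttpServletRequestWrapper}
 * so the application reads an escaped servlet path.
 *
 * <p>NOTE(review): this class is declared in {@code com.su.se.comp.service} while
 * the wrapper it instantiates is shown in {@code com.su.se.compass.service} and
 * is not imported here; the packages must match (or an import be added) before
 * this compiles.
 */
public class myXssFilter implements Filter {

    /** Held only for the servlet lifecycle; nothing in this filter reads it. */
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps the request and continues the chain.
     *
     * <p>Non-HTTP requests are passed through instead of failing on the cast. The
     * original also read the raw and the escaped servlet path into two locals that
     * were never used (debugging leftovers); they are dropped here.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest reqClean =
            new myXssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(reqClean, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }
}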
3、关键点:重写HttpServletRequestWrapper包装类myXssHttpServletRequestWrapper,目的是改写URL中的特殊符号,关键在于getServletPath()
package com.su.se.compass.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
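/**
 * Request wrapper that HTML-escapes the servlet path.
 *
 * <p>Only {@link #getServletPath()} is overridden. That is sufficient for the
 * example on this page, where the injected text sits inside the path itself
 * ({@code /ranking/category-hb/&cat=...} has no {@code ?}); query parameters,
 * headers, the query string and the request URI come back from the superclass
 * unchanged.
 *
 * <p>Escaping on input is a coarse safety net: the replacement text is only
 * correct when the path is rendered into HTML element or attribute content, and
 * the application's own output encoding still has to be right for any other
 * context.
 */
public class myXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap
     */
    public myXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the servlet path with {@code < > ' " & \ #} HTML-escaped. */
    @Override
    public String getServletPath() {
        return processXSS(super.getServletPath());
    }

    /**
     * HTML-escapes the characters that let text break out of element or attribute
     * context: {@code < > ' " & \ #}. Every other character is copied through.
     *
     * <p>As printed on this page each case of the original appended the very
     * character it matched (so nothing was neutralized) and {@code '\'} is an
     * unterminated character literal that does not compile. Named and numeric
     * entities are used here because they are unambiguous once the value lands in
     * HTML.
     *
     * @param s text to escape; {@code null} and {@code ""} are returned as-is
     * @return the escaped text
     */
    private static String processXSS(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}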
XssHttpServletRequestWrapper中的方法没有被调用
(GET /ranking/category-hb/&cat=bh%22onmouseover=alert(9713)%3E%22)@416977618 org.eclipse.jetty.server.Request@18da92d2
https://b.svncode.cnsuning.com/svn/SES-TOOLS/branches/ses-tools_V2.0.1/
7月7日:独立解决XSS攻击问题:
/*方法一,可用,但是是阻止访问
*
HttpServletRequest req=(HttpServletRequest)request;
String
servletPath = req.getServletPath();
boolean
aa = servletPath.contains("\"");
if(aa)
{
return
;
}
else
{
//String
cleanPath = processXSS(servletPath);
chain.doFilter(req,
response);
}*/
方法二:仅适用于URL中的参数注入
注入的URL为:http://10.24.11.49:9080/rs/app?q=12321&jsonpCallback=%3Cbody%20onpageshow=parent[%27aler%27+%27t%27]()%3E%3Ca%20href=%22javascript:alert`1`%22%3E%3Cimg%20src=%221%22%3E%3Ca%3EjQuery17208732702348462678_1513828619112&_=1513836398914
会在返回的结果中注入一个弹出按钮
解决方法:
1、web.xml配置:
<filter>
<filter-name>myXssFilter</filter-name>
<filter-class>com.app.MyXssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myXssFilter</filter-name>
<url-pattern>/ranking/*</url-pattern>
</filter-mapping>
2、MyXssFilter.java
package com.app.MyXssFilter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
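/**
 * Servlet filter that wraps every HTTP request in
 * {@link MyXssHttpServletRequestWrapper} so that downstream code reads the
 * escaped servlet path and parameter values instead of the raw ones.
 *
 * <p>NOTE(review): as shown on this page the filter is declared in package
 * {@code com.app.MyXssFilter} while the wrapper is in {@code com.app.service}
 * and is not imported here; web.xml also registers the class as
 * {@code com.app.MyXssFilter}. The packages and the filter-class entry have to
 * agree before this compiles and loads.
 */
public class MyXssFilter implements Filter {

    /** Held only for the servlet lifecycle; nothing in this filter reads it. */
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps the request and continues the chain.
     *
     * <p>A request that is not an {@link HttpServletRequest} is passed through
     * unchanged; the unconditional cast in the original would have failed with a
     * {@link ClassCastException} instead.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletRequest reqClean = new MyXssHttpServletRequestWrapper(req);
        chain.doFilter(reqClean, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Debug helper: prints every parameter value of {@code req} to stdout so the
     * raw and the wrapped request can be compared.
     *
     * <p>The character encoding is set <em>before</em> the first parameter access.
     * The original called {@code setCharacterEncoding} after
     * {@code getParameterNames()}, which is too late: once the container has parsed
     * the parameters the encoding no longer affects them.
     *
     * @param req request whose parameters are printed
     * @throws IOException      if the encoding is unsupported
     *                          ({@link java.io.UnsupportedEncodingException})
     * @throws ServletException retained from the original signature
     */
    public void test(HttpServletRequest req) throws IOException, ServletException {
        req.setCharacterEncoding("UTF-8");
        java.util.Enumeration<String> params = req.getParameterNames();
        while (params.hasMoreElements()) {
            String param = params.nextElement();
            String[] values = req.getParameterValues(param);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                System.out.println(value);
            }
        }
    }
}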
3、MyXssHttpServletRequestWrapper.java:关键getParameter(String name)和getParameterValues(String name)
package com.app.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
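/**
 * Request wrapper that HTML-escapes the servlet path and every parameter value
 * before the application sees them.
 *
 * <p>Covered: {@link #getServletPath()}, {@link #getParameter(String)},
 * {@link #getParameterValues(String)} and {@link #getParameterMap()}. Headers,
 * cookies, the query string, the request URI and the request body are not
 * overridden and come back from the superclass unchanged.
 *
 * <p>Escaping on input is a coarse safety net, not a substitute for output
 * encoding: the replacement text is only correct when the value is rendered into
 * HTML element or attribute content. A value reflected into JavaScript, a URL or
 * JSON (for example a JSONP callback name) still needs context-specific encoding
 * where it is written out.
 */
public class MyXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap
     */
    public MyXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the servlet path with {@code < > ' " & \ #} HTML-escaped. */
    @Override
    public String getServletPath() {
        return processXSS(super.getServletPath());
    }

    /**
     * Returns the escaped first value of the named parameter.
     *
     * <p>The lookup key is escaped too, as in the original; a parameter whose name
     * contains one of the escaped characters is therefore not found and
     * {@code null} is returned.
     *
     * @param name parameter name
     * @return escaped value, or {@code null} if absent
     */
    @Override
    public String getParameter(String name) {
        return processXSS(super.getParameter(processXSS(name)));
    }

    /**
     * Returns the escaped values of the named parameter.
     *
     * <p>A new array is returned rather than writing into the one from the
     * underlying request: the servlet API does not promise that array is a copy,
     * so escaping it in place (as the original did) could alter the container's
     * own parameter storage.
     *
     * @param name parameter name
     * @return escaped values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(processXSS(name));
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = processXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Returns the parameter map with escaped values so that code which binds
     * parameters through the map rather than {@code getParameter} sees the same
     * sanitized data. Keys are left unchanged; they are lookup identities.
     *
     * @return unmodifiable map of parameter name to escaped values
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> raw = super.getParameterMap();
        java.util.Map<String, String[]> cleaned =
            new java.util.LinkedHashMap<String, String[]>();
        for (java.util.Map.Entry<String, String[]> e : raw.entrySet()) {
            String[] in = e.getValue();
            String[] out = null;
            if (in != null) {
                out = new String[in.length];
                for (int i = 0; i < in.length; i++) {
                    out[i] = processXSS(in[i]);
                }
            }
            cleaned.put(e.getKey(), out);
        }
        return java.util.Collections.unmodifiableMap(cleaned);
    }

    /**
     * HTML-escapes the characters that let text break out of element or attribute
     * context: {@code < > ' " & \ #}. Every other character is copied through.
     *
     * <p>As printed on this page each case of the original appended the very
     * character it matched (so nothing was neutralized) and {@code '\'} is an
     * unterminated character literal that does not compile. Named and numeric
     * entities are used here because they are unambiguous once the value lands in
     * HTML.
     *
     * @param s text to escape; {@code null} and {@code ""} are returned as-is
     * @return the escaped text
     */
    private static String processXSS(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}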
方法三:真正做到防止URL注入的方法:
URL为:
(GET /ranking/category-hb/&cat=bh%22onmouseover=alert(9713)%3E%22)@416977618 org.eclipse.jetty.server.Request@18da92d2
1、web.xml配置:
<filter>
<filter-name>myXssFilter</filter-name>
<filter-class>com.su.se.comp.service.myXssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myXssFilter</filter-name>
<url-pattern>/ranking/*</url-pattern>
</filter-mapping>
2、写一个自己的过滤器
package com.su.se.comp.service;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
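/**
 * Servlet filter that wraps each HTTP request in {@link myXssHttpServletRequestWrapper}
 * so the application reads an escaped servlet path.
 *
 * <p>NOTE(review): this class is declared in {@code com.su.se.comp.service} while
 * the wrapper it instantiates is shown in {@code com.su.se.compass.service} and
 * is not imported here; the packages must match (or an import be added) before
 * this compiles.
 */
public class myXssFilter implements Filter {

    /** Held only for the servlet lifecycle; nothing in this filter reads it. */
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps the request and continues the chain.
     *
     * <p>Non-HTTP requests are passed through instead of failing on the cast. The
     * original also read the raw and the escaped servlet path into two locals that
     * were never used (debugging leftovers); they are dropped here.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest reqClean =
            new myXssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(reqClean, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }
}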
3、关键点:重写HttpServletRequestWrapper包装类myXssHttpServletRequestWrapper,目的是改写URL中的特殊符号,关键在于getServletPath()
package com.su.se.compass.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
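/**
 * Request wrapper that HTML-escapes the servlet path.
 *
 * <p>Only {@link #getServletPath()} is overridden. That is sufficient for the
 * example on this page, where the injected text sits inside the path itself
 * ({@code /ranking/category-hb/&cat=...} has no {@code ?}); query parameters,
 * headers, the query string and the request URI come back from the superclass
 * unchanged.
 *
 * <p>Escaping on input is a coarse safety net: the replacement text is only
 * correct when the path is rendered into HTML element or attribute content, and
 * the application's own output encoding still has to be right for any other
 * context.
 */
public class myXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap
     */
    public myXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the servlet path with {@code < > ' " & \ #} HTML-escaped. */
    @Override
    public String getServletPath() {
        return processXSS(super.getServletPath());
    }

    /**
     * HTML-escapes the characters that let text break out of element or attribute
     * context: {@code < > ' " & \ #}. Every other character is copied through.
     *
     * <p>As printed on this page each case of the original appended the very
     * character it matched (so nothing was neutralized) and {@code '\'} is an
     * unterminated character literal that does not compile. Named and numeric
     * entities are used here because they are unambiguous once the value lands in
     * HTML.
     *
     * @param s text to escape; {@code null} and {@code ""} are returned as-is
     * @return the escaped text
     */
    private static String processXSS(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}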