XSS跨站点脚本攻击

2022-11-16 15:12:17

XSS攻击:跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS。

以下为Java web项目中的解决方案:

Filter代码:

import java.io.IOException;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang.StringUtils;

import com.fengling.core.web.util.URLHelper;

public class XssFilter implements Filter {

    private String filterChar;

    private String replaceChar;

    private String splitChar;

    private String excludeUrls;

    FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {

        this.filterChar=filterConfig.getInitParameter("FilterChar");

        this.replaceChar=filterConfig.getInitParameter("ReplaceChar");

        this.splitChar=filterConfig.getInitParameter("SplitChar");

        this.excludeUrls=filterConfig.getInitParameter("excludeUrls");

        this.filterConfig = filterConfig;

    }

    public void destroy() {

        this.filterConfig = null;

    }

    public void doFilter(ServletRequest request, ServletResponse response,

    FilterChain chain) throws IOException, ServletException {

        if(isExcludeUrl(request)){

            chain.doFilter(request, response);

        }else{

            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request,filterChar,replaceChar,splitChar), response);

        }

    }

    private boolean isExcludeUrl(ServletRequest request){

        boolean exclude=false;

        if(StringUtils.isNotBlank(excludeUrls)){

             String[]excludeUrl=excludeUrls.split(splitChar);

             if(excludeUrl!=null&&excludeUrl.length>0){

                 for(String url:excludeUrl){

                     if(URLHelper.getURI((HttpServletRequest)request).startsWith(url)){

                         exclude=true;

                     }

                 }

             }

        }

        return exclude;

    }

}

XssHttpServletRequestWrapper代码:

import java.io.UnsupportedEncodingException;

import java.net.URLDecoder;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private String[]filterChars;

    private String[]replaceChars;

    public XssHttpServletRequestWrapper(HttpServletRequest request,String filterChar,String replaceChar,String splitChar) {

        super(request);

        if(filterChar!=null&&filterChar.length()>0){

            filterChars=filterChar.split(splitChar);

        }

        if(replaceChar!=null&&replaceChar.length()>0){

            replaceChars=replaceChar.split(splitChar);

        }

    }

    public String getQueryString() {

        String value = super.getQueryString();

        if (value != null) {

            value = xssEncode(value);

        }

        return value;

    }

    /**

     * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>

     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>

     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖

     */

    public String getParameter(String name) {

        String value = super.getParameter(xssEncode(name));

        if (value != null) {

            value = xssEncode(value);

        }

        return value;

    }

    public String[] getParameterValues(String name) {

        String[]parameters=super.getParameterValues(name);

        if (parameters==null||parameters.length == 0) {

            return null;

        }

        for (int i = 0; i < parameters.length; i++) {

            parameters[i] = xssEncode(parameters[i]);

        }

        return parameters;

    }

    /**

     * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>

     * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/> getHeaderNames 也可能需要覆盖

     */

    public String getHeader(String name) {

        String value = super.getHeader(xssEncode(name));

        if (value != null) {

            value = xssEncode(value);

        }

        return value;

    }

    /**

     * 将容易引起xss漏洞的半角字符直接替换成全角字符

     *

     * @param s

     * @return

     */

    private  String xssEncode(String s) {

        if (s == null || s.equals("")) {

            return s;

        }

        try {

            s = URLDecoder.decode(s, "UTF8");

        } catch (UnsupportedEncodingException e) {

            // TODO Auto-generated catch block

            e.printStackTrace();

        }

        for (int i = 0; i < filterChars.length; i++) {

            if(s.contains(filterChars[i])){

                s=s.replace(filterChars[i], replaceChars[i]);

            }

        }

        return s;

    }

}

web.xml中配置:

<!--@分隔-->

    <filter>

        <filter-name>XssFilter</filter-name>

        <filter-class>com.fengling.common.web.XssFilter</filter-class>

        <init-param>

            <param-name>excludeUrls</param-name>

            <param-value>/member/contribute@/admin/fengling@/flow_statistic</param-value>

        </init-param>

        <init-param>

            <param-name>SplitChar</param-name>

            <param-value>@</param-value>

        </init-param>

        <init-param>

            <param-name>FilterChar</param-name>

            <param-value>'@"@\@#@:@%@;@></param-value>

        </init-param>

        <init-param>

            <param-name>ReplaceChar</param-name>

            <param-value>‘@“@\@#@:@%@;@></param-value>

        </init-param>

    </filter>

    <filter-mapping>

        <filter-name>XssFilter</filter-name>

        <url-pattern>/*</url-pattern>

    </filter-mapping>

上一篇:C++ Lambda表达式用法


下一篇:python 闯关之路三(面向对象与网络编程)