java代码审计--xss漏洞

漏洞两种情况
1.直接用request.getParameter(“参数”);去获取值 然后直接用println()输出
2.用request.setAttribute输出

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>XSS Vulnerable</title>
</head>
<body>
<form action="index.jsp" method="post">
  Enter your name: <input type="text" name="name"><input type="submit">
</form>

<%
  if(request.getMethod().equalsIgnoreCase("post"))
  {
    String name = request.getParameter("name");
    if(!name.isEmpty())
    {
      out.println("<br>Hi "+name+". How are you?");
    }
  }
%>

</body>
</html>

防御方法
①引入框架的filter(即引用框架的全局过滤去处理)
②自己写定义编码转换

import org.apache.commons.lang.StringUtils;

private String htmlEncode(String content) {
    content = StringUtils.replace(content, "&", "&amp;");
    content = StringUtils.replace(content, "<", "&lt;");
    content = StringUtils.replace(content, ">", "&gt;");
    content = StringUtils.replace(content, "\"", "&quot;");
    content = StringUtils.replace(content, "'", "&#x27;");
    content = StringUtils.replace(content, "/", "&#x2F;");
    return content;
}
上一篇:thymeleaf的insert,replace,include区别


下一篇:python中replace不能把 \n 替换过去