SpringBoot Xss漏洞修复
原文链接:https://www.cnblogs.com/zhangruifeng/p/16082741.html
1、过滤SQL、JS脚本
1.1、添加pom依赖
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.4</version>
</dependency>
1.2、创建XssAndSqlHttpServletRequestWrapper
package cn.vantee.util;
import org.apache.commons.text.StringEscapeUtils;
import org.springframework.util.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/31 16:46
* @description:xss过滤
* @modified By:
* @version: 1.0.0
*/
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest request;
public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
this.request = request;
}
/**
* 假如有有html 代码是自己传来的 需要设定对应的name 不走StringEscapeUtils.escapeHtml4(value) 过滤
*/
@Override
public String getParameter(String name) {
String value = request.getParameter(name);
if (!StringUtils.isEmpty(value)) {
value = StringEscapeUtils.escapeHtml4(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] parameterValues = super.getParameterValues(name);
if (parameterValues == null) {
return null;
}
for (int i = 0; i < parameterValues.length; i++) {
String value = parameterValues[i];
parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
}
return parameterValues;
}
}
1.3、创建XssStringJsonSerializer
package cn.vantee.util;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.apache.commons.text.StringEscapeUtils;
import java.io.IOException;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/31 16:47
* @description:xss过滤
* @modified By:
* @version: 1.0.0
*/
public class XssStringJsonSerializer extends JsonSerializer<String> {
@Override
public Class<String> handledType() {
return String.class;
}
/**
* 假如有有html 代码是自己传来的 需要设定对应的name 不走StringEscapeUtils.escapeHtml4(value) 过滤
*/
@Override
public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
throws IOException {
if (value != null) {
String encodedValue = StringEscapeUtils.escapeHtml4(value);
jsonGenerator.writeString(encodedValue);
}
}
}
1.4、创建过滤器
package cn.vantee.filter;
import cn.vantee.util.XssAndSqlHttpServletRequestWrapper;
import cn.vantee.util.XssStringJsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/31 10:53
* @description:xss过滤
* @modified By:
* @version: 1.0.0
*/
@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
@Component
public class XssFilter implements Filter {
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest req = (HttpServletRequest) request;
XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
chain.doFilter(xssRequestWrapper, response);
}
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
@Bean
@Primary
public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
// 解析器
ObjectMapper objectMapper = builder.createXmlMapper(false).build();
// 注册xss解析器
SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
xssModule.addSerializer(new XssStringJsonSerializer());
objectMapper.registerModule(xssModule);
// 返回
return objectMapper;
}
}
@Primary 注解优先走这个Bean方法。
asyncSupported = true 配置支持异步,sync-supported是servlet 3.0后推出的新特性
5、验证
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="/test">
<input type="text" name="params">
<input type="submit">
</form>
</body>
</html>
package cn.vantee.controller;
import cn.vantee.service.TestService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/29 14:53
* @description:测试Controller
* @modified By:
* @version: 1.0.0
*/
@RestController
public class TestController {
@Autowired
public TestService testService;
@GetMapping("/test")
public String test(String params){
System.out.println(params);
return params;
}
}
输入:
<script>hello world</scrpit>
输出:
<script>hello world</scrpit>
2、设置HttpOnly
2.1、什么是HttpOnly
如果cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,窃取cookie内容,这样就增加了cookie的安全性,即便是这样,也不要将重要信息存入cookie。XSS全称Cross SiteScript,跨站脚本攻击,是Web程序中常见的漏洞,XSS属于被动式且用于客户端的攻击方式,所以容易被忽略其危害性。其原理是攻击者向有XSS漏洞的网站中输入(传入)恶意的HTML代码,当其它用户浏览该网站时,这段HTML代码会自动执行,从而达到攻击的目的。如,盗取用户Cookie、破坏页面结构、重定向到其它网站等。
2.2、如何设置
案例:
response.addHeader("Set-Cookie", "username=123456; Path=/; HttpOnly")