系统安全 Spring MVC通过拦截器处理sql注入、跨站XSS攻击风险
1.问题描述:攻击者通过向请求的url插入框架(<iframe>)、sql、链接等内容,从而达到获取用户信息等目的
2.问题解决:通过拦截器过滤特殊字符如:!@#$%^&*()_+<>,./ 等
3.java实现
直接写一个spring的拦截器来处理一下,sql注入的就直接拦截不给访问了,因为一些乱七八糟的参数也是无法正常继续访问的,其他注入清理一下就行了:
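package org.jeecgframework.core.interceptors;

import java.util.Enumeration;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/**
 * Coarse request-parameter screen: rejects a request when any parameter value
 * contains a token from a SQL blacklist, and offers an HTML-escaping helper for
 * values that are later echoed into a page.
 *
 * <p>This is defence in depth only. A substring blacklist cannot replace
 * parameterised queries (PreparedStatement / named parameters) at the data
 * layer, nor context-aware output encoding in the view layer. The default
 * token list also rejects ordinary input (any value containing a space, a
 * comma, "or" or "and"), so it should be tuned per deployment via
 * {@link #setSqlInjectTokens(String)}.
 *
 * <p>The original listing called {@code clearXss} on every parameter and
 * discarded the result; a HandlerInterceptor cannot rewrite request parameters
 * (they are read-only on HttpServletRequest), so that call had no effect and
 * was removed. Callers must apply {@link #clearXss(String)} explicitly where a
 * value is rendered, or rely on the template engine's own escaping.
 */
public class SqlInjectInterceptor implements HandlerInterceptor {

    /** Default blacklist, '|'-separated; byte-identical to the original listing. */
    public static final String DEFAULT_SQL_INJECT_TOKENS =
            "and|or|select|update|delete|drop|truncate|%20|=|-|--|;|'|%|#|+|,|//|/| |\\|!=|(|)";

    /** User-facing rejection text (unchanged from the original). */
    private static final String REJECT_MESSAGE = "参数含有非法攻击字符,已禁止继续访问!";

    /** Tokens are split once at construction, not on every request. */
    private String[] sqlInjectTokens = DEFAULT_SQL_INJECT_TOKENS.split("\\|");

    /**
     * Replaces the SQL token blacklist; intended for Spring bean property
     * injection from the interceptor's XML/Java configuration.
     *
     * @param tokens '|'-separated, lower-case token list; {@code null} or blank
     *               disables the SQL check entirely. Empty tokens are ignored
     *               (an empty token would otherwise match every value).
     */
    public void setSqlInjectTokens(String tokens) {
        if (tokens == null || tokens.trim().isEmpty()) {
            this.sqlInjectTokens = new String[0];
            return;
        }
        this.sqlInjectTokens = tokens.split("\\|");
    }

    /** No post-completion work is needed; kept to satisfy the interface. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
            Object handler, Exception ex) throws Exception {
        // intentionally empty
    }

    /** No model/view post-processing is needed; kept to satisfy the interface. */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler, ModelAndView modelAndView) throws Exception {
        // intentionally empty
    }

    /**
     * Screens every request parameter value against the SQL blacklist.
     *
     * <p>On a hit the response is completed with HTTP 400 and the rejection
     * message, and {@code false} stops the handler chain. The original returned
     * 200 with the message body, which made blocked requests indistinguishable
     * from successful ones in access logs; a 4xx status makes them visible to
     * monitoring. Parameter names (not values, which may carry secrets) are the
     * right thing to log here if a logger is available.
     *
     * @param request  incoming request whose parameters are inspected
     * @param response response used to report a rejection
     * @param handler  the chosen handler (unused)
     * @return {@code true} to continue the chain, {@code false} if rejected
     * @throws Exception if the response writer cannot be obtained
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler) throws Exception {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                // Locale.ROOT: default-locale lower-casing (e.g. Turkish dotless i)
                // would let upper-case keywords slip past the lower-case blacklist.
                if (value != null && judgeSQLInject(value.toLowerCase(Locale.ROOT))) {
                    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                    response.setContentType("text/html;charset=UTF-8");
                    response.getWriter().print(REJECT_MESSAGE);
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Reports whether {@code value} contains any blacklisted token.
     *
     * <p>Matching is a plain, case-sensitive substring search; the default
     * tokens are lower-case, so callers should lower-case the value first
     * (as {@link #preHandle} does).
     *
     * @param value parameter value, may be {@code null}
     * @return {@code true} if a token occurs in the value; {@code false} for
     *         {@code null} or empty input
     */
    public boolean judgeSQLInject(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (String token : sqlInjectTokens) {
            if (!token.isEmpty() && value.contains(token)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips a few script-like fragments and HTML-escapes the characters most
     * often used in reflected XSS.
     *
     * <p>The published listing shows identity replacements ({@code "<"} to
     * {@code "<"}) that do nothing — the entities were presumably lost when the
     * page was rendered — and {@code replace("\\)", ")")} looked for the literal
     * two-character sequence {@code \)}. Both are corrected here. Fragment
     * removal now runs <em>before</em> escaping; otherwise the escaped
     * parentheses would prevent {@code eval(...)} from ever matching.
     *
     * <p>This is not a complete HTML encoder: {@code &} and {@code "} are left
     * as-is, and the {@code script} substring removal is crude (it alters words
     * such as "description"). Prefer the view layer's own escaping where it
     * exists.
     *
     * @param value raw string, may be {@code null}
     * @return the escaped string, or the input unchanged when {@code null} or empty
     */
    public String clearXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String cleaned = value.replaceAll("eval\\((.*)\\)", "");
        cleaned = cleaned.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        cleaned = cleaned.replace("script", "");
        // Literal replace(): no regex needed for single characters.
        cleaned = cleaned.replace("<", "&lt;").replace(">", "&gt;");
        cleaned = cleaned.replace("(", "&#40;").replace(")", "&#41;");
        cleaned = cleaned.replace("'", "&#39;");
        return cleaned;
    }
}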
然后spring-mvc.xml配置中加入拦截器:
<mvc:interceptor> <mvc:mapping path="/**" /> <bean class="org.jeecgframework.core.interceptors.SqlInjectInterceptor" /> </mvc:interceptor>
最后说明:这个过滤器是过滤参数的,因此对用户传入内容和开发者规定内容的要求很高,像逗号、括号这些特殊字符在程序中或用户传入内容里都很常用,因此比较难以控制,可能会导致很多正常请求被拦截。