XSS: defending against script injection
The basic idea of an XSS attack:
A malicious user types executable script (JavaScript, for example) into any place on a web page that accepts input. When the page later renders that input, the browser parses and runs the script, and the attack succeeds. For example, a user writing an article on the site includes a short script that calls alert(1); if the back end does nothing to defend against XSS in that string, every other user who opens the article has their browser execute the script and pop alert(1).
The main way to prevent XSS:
Encode the special markup characters, that is, turn "<", ">", "&" and the like into their HTML entities (&lt;, &gt;, &amp;), so the browser renders them as text instead of parsing them as markup.
For maintainability we do not want XSS-defence code scattered through the business logic, so the encoding is done in a servlet filter that takes every request parameter and encodes it. Two caveats a practitioner should keep in mind: this is input-side encoding, so the value is stored already encoded, which suits pages that render it as HTML but is wrong for consumers that expect the raw text (JSON APIs, e-mail, CSV export); the generally recommended approach is to encode at output time for the context the value lands in, with a filter like this one as defence in depth. And the filter only sees parameters and headers: a JSON or XML request body read through getInputStream() passes through untouched.
Steps:
1. Add the filter to web.xml:
<!-- XSS filter: defend against script injection -->
<filter>
    <filter-name>XSSFilter</filter-name>
    <filter-class>com.pupeiyuan.system.core.filter.XSSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XSSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
XSSFilter.java
package com.pupeiyuan.system.core.filter;

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XSSFilter implements Filter {

    // Ordered table of regex -> replacement. HttpRequestWrapper applies the
    // entries in insertion order, so the order below matters.
    private static Map<String, String> xssMap = new LinkedHashMap<String, String>();

    public void init(FilterConfig filterConfig) throws ServletException {
        // Encode & first; otherwise the entities produced by the later rules
        // would be double-encoded.
        xssMap.put("&", "&amp;");
        // Strip the word "script", case-insensitively
        xssMap.put("(?i)script", "");
        // "javascript:..." inside a quoted attribute value
        xssMap.put("(?i)[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // eval(...)
        xssMap.put("(?i)eval\\((.*)\\)", "");
        // Encode the characters that open a tag, a call, or break out of an
        // attribute value
        xssMap.put("<", "&lt;");
        xssMap.put(">", "&gt;");
        xssMap.put("\\(", "&#40;");
        xssMap.put("\\)", "&#41;");
        xssMap.put("'", "&#39;");
        xssMap.put("\"", "&quot;");
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) request;
        // Wrap the request so every parameter and header read goes through cleanXSS
        HttpRequestWrapper httpReqWarp = new HttpRequestWrapper(httpReq, xssMap);
        // Hand the wrapped request to the rest of the chain; without this call
        // no request ever reaches the servlet
        chain.doFilter(httpReqWarp, response);
    }

    public void destroy() {
    }
}
HttpRequestWrapper.java
package com.pupeiyuan.system.core.filter;

import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class HttpRequestWrapper extends HttpServletRequestWrapper {

    private final Map<String, String> xssMap;

    // With no table nothing is rewritten; an empty map keeps cleanXSS from
    // dereferencing null.
    public HttpRequestWrapper(HttpServletRequest request) {
        this(request, Collections.<String, String>emptyMap());
    }

    public HttpRequestWrapper(HttpServletRequest request, Map<String, String> xssMap) {
        super(request);
        this.xssMap = xssMap;
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        // Clean every value of a multi-valued parameter
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    // Frameworks that bind request data through getParameterMap() would
    // otherwise bypass the cleaning above
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        Enumeration<?> names = super.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            cleaned.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Remove or encode XSS payloads: apply every regex in xssMap to the
     * value, in the map's insertion order.
     */
    private String cleanXSS(String value) {
        for (Map.Entry<String, String> entry : xssMap.entrySet()) {
            value = value.replaceAll(entry.getKey(), entry.getValue());
        }
        return value;
    }
}
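As an added example (not code from the original post), the harness below reproduces the ordered replaceAll chain of HttpRequestWrapper.cleanXSS without a servlet container, next to a plain HTML-entity encoder of the kind used for output encoding, and runs both over constructed inputs: the alert(1) payload from the introduction, a payload that contains no "script" word, legitimate text, and a nested "scrscriptipt" string. It serves both the "encode the special characters" point above and the filter section. The class name XssFilterHarness, the sample strings and the `&` rule placed at the head of the table are assumptions of the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Stand-alone harness (added example, not the blog's code). It runs the same
 * ordered regex table as XSSFilter/HttpRequestWrapper.cleanXSS against
 * constructed inputs, next to a plain HTML-entity encoder, so the two
 * approaches can be compared without deploying a servlet.
 */
public class XssFilterHarness {

    // Same shape and order as the blog's xssMap: blacklist patterns first,
    // then character encoding. LinkedHashMap keeps insertion order, and the
    // result depends on that order ("&" must be encoded before any entity
    // containing "&" is produced).
    static final Map<String, String> XSS_MAP = new LinkedHashMap<String, String>();
    static {
        XSS_MAP.put("&", "&amp;");                                  // assumption: added as first rule
        XSS_MAP.put("(?i)script", "");                              // strip the word "script"
        XSS_MAP.put("(?i)[\"'][\\s]*javascript:(.*)[\"']", "\"\"");  // "javascript:..." in a quoted attribute
        XSS_MAP.put("(?i)eval\\((.*)\\)", "");                     // strip eval(...)
        XSS_MAP.put("<", "&lt;");
        XSS_MAP.put(">", "&gt;");
        XSS_MAP.put("\\(", "&#40;");
        XSS_MAP.put("\\)", "&#41;");
        XSS_MAP.put("'", "&#39;");
        XSS_MAP.put("\"", "&quot;");
    }

    /** The blog's cleanXSS: apply every regex in table order. */
    static String cleanXSS(String value) {
        for (Map.Entry<String, String> e : XSS_MAP.entrySet()) {
            value = value.replaceAll(e.getKey(), e.getValue());
        }
        return value;
    }

    /**
     * Output-side alternative: encode the five characters that matter in an
     * HTML text or quoted-attribute context, and change nothing else. This is
     * what a library such as the OWASP Java Encoder does at render time.
     */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs
        String[] samples = {
            "<script>alert(1)</script>",               // the payload from the introduction
            "<img src=x onerror=alert(1)>",             // contains no "script" word at all
            "product description",                     // legitimate text containing "script"
            "<scrscriptipt>alert(1)</scrscriptipt>",   // nested word: one strip pass yields "script"
            "Tom & Jerry's \"best\" <3",               // ordinary punctuation
        };
        for (String s : samples) {
            System.out.println("input    : " + s);
            System.out.println("cleanXSS : " + cleanXSS(s));
            System.out.println("encoded  : " + encodeForHtml(s));
            System.out.println();
        }
    }
}
```

Running it shows why the blacklist rules are the weak part of the table: "product description" comes back as "product deion", and the strip is not idempotent, since "<scrscriptipt>" becomes "<script>" after a single pass and is only harmless because the "<" is encoded afterwards (it would re-arm if anything decoded entities before rendering). The entity encoder leaves all of the text intact and still neutralises every tag, which is why encoding at output time is the preferred primary defence.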