解决目标URL存在http host头攻击漏洞

 

    <!-- Host-header check + security response headers (see HttpHostFilter below).
         NOTE(review): the filter-class package here (com.ytd.httpHostHeaderfilter)
         differs from the package declared in the listed source
         (com.httpHostHeaderfilter); they must agree or the container will fail to
         load the filter. -->
    <filter>
      <filter-name>HttpHostFilter</filter-name>
      <filter-class>com.ytd.httpHostHeaderfilter.HttpHostFilter</filter-class>
  </filter>
 
  <!-- Only requests whose path ends in ".ht" pass through this filter; any other
       URL gets neither the Host check nor the added security headers. Widen the
       pattern (e.g. /*) if the whole application should be covered. -->
  <filter-mapping>
      <filter-name>HttpHostFilter</filter-name>
      <url-pattern>*.ht</url-pattern>
  </filter-mapping>
在 web.xml 中添加的过滤器配置（注意：filter-class 必须与过滤器类实际声明的包名一致；url-pattern 为 *.ht 时，只有该后缀的请求会经过过滤器，其余 URL 既不做 Host 校验也不会加安全响应头）

 

package com.httpHostHeaderfilter;


import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.hotent.core.util.StringUtil;

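public class HttpHostFilter implements Filter {
    protected Logger logger = LoggerFactory.getLogger(HttpHostFilter.class);

    /** Key under which {@link #getMsg()} publishes the allowed host. */
    private static final String IP_KEY = "ip";

    /**
     * Fallback allowed host used when app.properties has no usable "officeIp"
     * entry. Kept from the original listing; replace it for your deployment.
     */
    private static final String DEFAULT_ALLOWED_HOST = "10.151.209.77";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to set up: the allowed host is re-read from app.properties on
        // every request (see getMsg()), so config edits take effect without a restart.
    }

    @Override
    public void destroy() {
        // No resources are held across requests.
    }

    /**
     * Adds a fixed set of security response headers, then rejects the request with
     * 403 when its Host header does not name the configured allowed host.
     *
     * A missing Host header is let through (behaviour kept from the original, for
     * HTTP/1.0 clients); any Host that is present must match the whitelist exactly.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        addSecurityHeaders(response);

        // Host header attack check: only the configured host may reach the application.
        String requestHost = request.getHeader("host");
        if (requestHost != null && !checkBlankList(requestHost)) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Sets the hardening headers the scanner reported as missing.
     * setHeader (not addHeader) is used so a request that traverses the filter
     * twice, e.g. via a forward, does not emit duplicate headers.
     */
    private static void addSecurityHeaders(HttpServletResponse response) {
        // Clickjacking: X-Frame-Options not configured
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // Content-Security-Policy response header missing
        response.setHeader("Content-Security-Policy", "object-src 'self'");
        // X-Content-Type-Options response header missing
        response.setHeader("X-Content-Type-Options", "nosniff");
        // X-XSS-Protection response header missing (legacy; current browsers ignore it)
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // Strict-Transport-Security response header missing; browsers only honour it
        // when the response itself arrives over HTTPS.
        response.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubdomains; preload");
        // Fix: the original sent "Referer-Policy", which no browser recognises;
        // the real header name is Referrer-Policy.
        response.setHeader("Referrer-Policy", "origin");
        // X-Permitted-Cross-Domain-Policies response header missing
        response.setHeader("X-Permitted-Cross-Domain-Policies", "master-only");
        // X-Download-Options response header missing
        response.setHeader("X-Download-Options", "noopen");

        // CORS: an empty Access-Control-Allow-Origin matches no origin, so cross-origin
        // reads are effectively denied (kept from the original).
        response.setHeader("Access-Control-Allow-Origin", "");
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
        response.setHeader("Access-Control-Allow-Headers", "Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With");
    }

    /**
     * Whitelist check: true when {@code host} (the raw Host header, port allowed)
     * names exactly the host configured via {@link #getMsg()}.
     */
    private boolean checkBlankList(String host) {
        Map<String, String> msg = this.getMsg();
        return isAllowedHost(host, msg.get(IP_KEY));
    }

    /**
     * Compares a Host header value against one allowed host.
     *
     * Fix: the original stripped dots and colons from both sides and then used
     * contains(), so "10.151.209.77.evil.com" or "evil10.151.209.77.com" passed;
     * an attacker-chosen Host is exactly what this filter exists to stop. It also
     * threw NPE when no allowed host could be loaded. This version strips the port
     * and requires a case-insensitive exact match, failing closed when the
     * whitelist is unknown.
     *
     * @param hostHeader  raw Host header value, e.g. "10.151.209.77:8080" or "[::1]:8080"
     * @param allowedHost configured host, optionally with a port; null means unknown
     * @return true only when both are present and name the same host
     */
    static boolean isAllowedHost(String hostHeader, String allowedHost) {
        if (hostHeader == null || allowedHost == null) {
            return false; // unknown whitelist -> fail closed
        }
        String actual = stripPort(hostHeader.trim());
        String expected = stripPort(allowedHost.trim());
        return !actual.isEmpty() && actual.equalsIgnoreCase(expected);
    }

    /** Drops a trailing ":port"; bracketed IPv6 literals ("[::1]:80") keep their brackets. */
    private static String stripPort(String host) {
        if (host.startsWith("[")) {
            int close = host.indexOf(']');
            return close < 0 ? host : host.substring(0, close + 1);
        }
        int colon = host.indexOf(':');
        return colon < 0 ? host : host.substring(0, colon);
    }

    /**
     * Reads "officeIp" from conf/app.properties under the classpath root.
     *
     * @return Map with key "ip" holding the allowed host (the property, or
     *         {@link #DEFAULT_ALLOWED_HOST} when it is absent/blank); the key is
     *         missing when the file cannot be read, which makes the Host check
     *         reject every request instead of throwing.
     */
    public Map<String, String> getMsg() {
        Map<String, String> map = new HashMap<String, String>();
        java.net.URL root = HttpHostFilter.class.getClassLoader().getResource("/");
        if (root == null) {
            // Some containers return null for "/"; the original would have thrown NPE here.
            logger.warn("初始化失败 获取配置文件ip失败--->=classpath root not found");
            return map;
        }
        // NOTE(review): URL.getPath() is not percent-decoded; paths with spaces may need decoding.
        String confPath = root.getPath() + File.separator + "conf" + File.separator + "app.properties";
        Properties p = new Properties();
        // try-with-resources: the original leaked the FileInputStream on every request.
        try (FileInputStream in = new FileInputStream(confPath)) {
            p.load(in);
            String host = p.getProperty("officeIp");
            if (host == null || host.trim().isEmpty()) {
                host = DEFAULT_ALLOWED_HOST;
            }
            map.put(IP_KEY, host.trim());
        } catch (IOException | IllegalArgumentException e1) {
            // Leave "ip" unset: the caller then fails closed (403) rather than NPE.
            logger.warn("初始化失败 获取配置文件ip失败--->={}", e1.getMessage(), e1);
        }
        return map;
    }
}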
过滤器java类

 

 

在 app.properties 文件最后一行添加：

officeIp=10.150.209.xx（这个 ip 是办公网的，即内网映射出来的 ip。需填写浏览器实际请求时使用的 Host 值，并注意与代码中写死的默认值 10.151.209.77 保持一致，否则配置缺失时会退回到另一个地址）
