XSS跨站点脚本攻击
XSS攻击:跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS。
以下为Java web项目中的解决方案:
Filter代码:
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringUtils; import com.fengling.core.web.util.URLHelper; public class XssFilter implements Filter { private String filterChar; private String replaceChar; private String splitChar; private String excludeUrls; FilterConfig filterConfig = null; public void init(FilterConfig filterConfig) throws ServletException { this.filterChar=filterConfig.getInitParameter("FilterChar"); this.replaceChar=filterConfig.getInitParameter("ReplaceChar"); this.splitChar=filterConfig.getInitParameter("SplitChar"); this.excludeUrls=filterConfig.getInitParameter("excludeUrls"); this.filterConfig = filterConfig; } public void destroy() { this.filterConfig = null; } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if(isExcludeUrl(request)){ chain.doFilter(request, response); }else{ chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request,filterChar,replaceChar,splitChar), response); } } private boolean isExcludeUrl(ServletRequest request){ boolean exclude=false; if(StringUtils.isNotBlank(excludeUrls)){ String[]excludeUrl=excludeUrls.split(splitChar); if(excludeUrl!=null&&excludeUrl.length>0){ for(String url:excludeUrl){ if(URLHelper.getURI((HttpServletRequest)request).startsWith(url)){ exclude=true; } } } } return exclude; } }
XssHttpServletRequestWrapper代码:
import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { private String[]filterChars; private String[]replaceChars; public XssHttpServletRequestWrapper(HttpServletRequest request,String filterChar,String replaceChar,String splitChar) { super(request); if(filterChar!=null&&filterChar.length()>0){ filterChars=filterChar.split(splitChar); } if(replaceChar!=null&&replaceChar.length()>0){ replaceChars=replaceChar.split(splitChar); } } public String getQueryString() { String value = super.getQueryString(); if (value != null) { value = xssEncode(value); } return value; } /** * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */ public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } public String[] getParameterValues(String name) { String[]parameters=super.getParameterValues(name); if (parameters==null||parameters.length == 0) { return null; } for (int i = 0; i < parameters.length; i++) { parameters[i] = xssEncode(parameters[i]); } return parameters; } /** * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/> getHeaderNames 也可能需要覆盖 */ public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引起xss漏洞的半角字符直接替换成全角字符 * * @param s * @return */ private String xssEncode(String s) { if (s == null || s.equals("")) { return s; } try { s = URLDecoder.decode(s, "UTF8"); } catch (UnsupportedEncodingException e) { // TODO Auto-generated catch block e.printStackTrace(); } for (int i = 0; i < filterChars.length; i++) { if(s.contains(filterChars[i])){ s=s.replace(filterChars[i], replaceChars[i]); } } return s; } }
web.xml中配置:
<!--@分隔--> <filter> <filter-name>XssFilter</filter-name> <filter-class>com.fengling.common.web.XssFilter</filter-class> <init-param> <param-name>excludeUrls</param-name> <param-value>/member/contribute@/admin/fengling@/flow_statistic</param-value> </init-param> <init-param> <param-name>SplitChar</param-name> <param-value>@</param-value> </init-param> <init-param> <param-name>FilterChar</param-name> <param-value>'@"@\@#@:@%@;@></param-value> </init-param> <init-param> <param-name>ReplaceChar</param-name> <param-value>‘@“@\@#@:@%@;@></param-value> </init-param> </filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
