Struts网站基于Filter的XSS漏洞修复
下面的代码只支持struts2框架中的xss漏洞
第一步,创建过滤器XssFilter :
package com.ulic.ulcif.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import com.ulic.ulcif.requestwrapper.XssHttpServletRequestWrapper; /** * XSS防跨站脚本攻击过滤器 * */ public class XssFilter implements Filter { FilterConfig filterConfig = null; /** * Default constructor. */ public XssFilter() { } public void destroy() { this.filterConfig = null; } public void init(FilterConfig fConfig) throws ServletException { this.filterConfig = fConfig; } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response); } }
第二步,创建业务操作XssHttpServletRequestWrapper:
package com.ulic.ulcif.requestwrapper; import java.util.Enumeration; import java.util.Map; import javax.servlet.http.HttpServletRequest; import org.apache.struts2.dispatcher.StrutsRequestWrapper; import org.springframework.util.CollectionUtils; /** * 写一个 Filter,使用 Filter 来过滤浏览器发出的请求。对每个 post 请求的参数过滤一些关键字,替换成安全的,例如:< > ' " \ / # & 。 * * 方法:实现一个自定义的 HttpServletRequestWrapper,然后在 Filter 里面调用它,替换掉 getParameter 函数即可 */ public class XssHttpServletRequestWrapper extends StrutsRequestWrapper { HttpServletRequest orgRequest = null; public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) { super(servletRequest); orgRequest = servletRequest; } /** * 重写getParameterValues方法 * 通过循环取出每一个请求结果 * 再对请求结果进行过滤 * */ public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = cleanXSS(values[i]); } return encodedValues; } /** * 重写getParameter方法 * 对请求结果进行过滤 * */ public String getParameter(String parameter) { String value = super.getParameter(parameter); if (value == null) { return null; } return cleanXSS(value); } public String getHeader(String name) { String value = super.getHeader(name); if (value == null) return null; return cleanXSS(value); } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } @Override public Enumeration<String> getParameterNames() { Enumeration<String> names = super.getParameterNames(); while(names.hasMoreElements()){ String name = names.nextElement(); name = cleanXSS(name); } return names; } @Override public Map getParameterMap() { Map paramMap = super.getParameterMap(); if (CollectionUtils.isEmpty(paramMap)) { return paramMap; } for (Object value : paramMap.values()) { String[] str = (String[])value; if (str != null) { for (int i = 0; i < str.length; i++) { str[i] = cleanXSS(str[i]); } } } return paramMap; } private String cleanXSS(String value) { value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;"); //先暂时去除 英文括号的拦截 // value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;"); value = value.replaceAll("'", "& #39;"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']","\"\""); value = value.replaceAll("script", ""); value = value.replaceAll("alert", ""); return value; } }
第三步在web.xml中配置:
<filter> <filter-name>struts-xssFilter</filter-name> <filter-class> com.ulic.ulcif.filter.XssFilter </filter-class> </filter> <filter-mapping> <filter-name>struts-xssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
到此为止xss在struts2中得到了解决,那么非struts2中xss漏洞怎么解决呢,简单,将第二步换成:如下代码
package com.ulic.ulcif.requestwrapper; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; /** * 写一个 Filter,使用 Filter 来过滤浏览器发出的请求。对每个 post 请求的参数过滤一些关键字,替换成安全的,例如:< > ' " \ / # & 。 * * 方法:实现一个自定义的 HttpServletRequestWrapper,然后在 Filter 里面调用它,替换掉 getParameter 函数即可 */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) { super(servletRequest); orgRequest = servletRequest; } /** * 重写getParameterValues方法 * 通过循环取出每一个请求结果 * 再对请求结果进行过滤 * */ public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = cleanXSS(values[i]); } return encodedValues; } /** * 重写getParameter方法 * 对请求结果进行过滤 * */ public String getParameter(String parameter) { String value = super.getParameter(parameter); if (value == null) { return null; } return cleanXSS(value); } public String getHeader(String name) { String value = super.getHeader(name); if (value == null) return null; return cleanXSS(value); } private String cleanXSS(String value) { value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;"); //先暂时去除 英文括号的拦截 // value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;"); value = value.replaceAll("'", "& #39;"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']","\"\""); value = value.replaceAll("script", ""); value = value.replaceAll("alert", ""); return value; } }
if you want to go fast,go alone,if you want to go far,go together
