SpringBoot Xss漏洞修复

SpringBoot Xss漏洞修复

xss是什么就不赘述了,你看到这里肯定也知道了。SpringBoot修复Xss漏洞有两种方案:

1、过滤SQL、JS脚本

1.1、添加pom依赖

  <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-text</artifactId>
       <version>1.4</version>
   </dependency>

1.2、创建XssAndSqlHttpServletRequestWrapper

package cn.vantee.util;

import org.apache.commons.text.StringEscapeUtils;
import org.springframework.util.StringUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * @author :rayfoo@qq.com
 * @date :Created in 2022/3/31 16:46
 * @description:xss过滤
 * @modified By:
 * @version: 1.0.0
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private HttpServletRequest request;

    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }

    /**
     * 假如有有html 代码是自己传来的  需要设定对应的name 不走StringEscapeUtils.escapeHtml4(value) 过滤
     */
    @Override
    public String getParameter(String name) {
        String value = request.getParameter(name);
        if (!StringUtils.isEmpty(value)) {
            value = StringEscapeUtils.escapeHtml4(value);
        }
        return value;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] parameterValues = super.getParameterValues(name);
        if (parameterValues == null) {
            return null;
        }
        for (int i = 0; i < parameterValues.length; i++) {
            String value = parameterValues[i];
            parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
        }
        return parameterValues;
    }
}

1.3、创建XssStringJsonSerializer

package cn.vantee.util;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.apache.commons.text.StringEscapeUtils;

import java.io.IOException;

/**
 * @author :rayfoo@qq.com
 * @date :Created in 2022/3/31 16:47
 * @description:xss过滤
 * @modified By:
 * @version: 1.0.0
 */
public class XssStringJsonSerializer extends JsonSerializer<String> {

    @Override
    public Class<String> handledType() {
        return String.class;
    }

    /**
     * 假如有有html 代码是自己传来的  需要设定对应的name 不走StringEscapeUtils.escapeHtml4(value) 过滤
     */
    @Override
    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
            throws IOException {
        if (value != null) {
            String encodedValue = StringEscapeUtils.escapeHtml4(value);
            jsonGenerator.writeString(encodedValue);
        }
    }

}


1.4、创建过滤器

package cn.vantee.filter;

import cn.vantee.util.XssAndSqlHttpServletRequestWrapper;
import cn.vantee.util.XssStringJsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * @author :rayfoo@qq.com
 * @date :Created in 2022/3/31 10:53
 * @description:xss过滤
 * @modified By:
 * @version: 1.0.0
 */
@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
@Component
public class XssFilter implements Filter {

    @Override
    public void destroy() {
        // TODO Auto-generated method stub

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // TODO Auto-generated method stub
        HttpServletRequest req = (HttpServletRequest) request;
        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
        chain.doFilter(xssRequestWrapper, response);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub
    }

    @Bean
    @Primary
    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        // 解析器
        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
        // 注册xss解析器
        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
        xssModule.addSerializer(new XssStringJsonSerializer());
        objectMapper.registerModule(xssModule);
        // 返回
        return objectMapper;
    }
}

@Primary 注解优先走这个Bean方法。
asyncSupported = true 配置支持异步,sync-supported是servlet 3.0后推出的新特性

5、验证

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <form action="/test">
        <input type="text" name="params">
        <input type="submit">
    </form>
</body>
</html>
package cn.vantee.controller;

import cn.vantee.service.TestService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author :rayfoo@qq.com
 * @date :Created in 2022/3/29 14:53
 * @description:测试Controller
 * @modified By:
 * @version: 1.0.0
 */
@RestController
public class TestController {

    @Autowired
    public TestService testService;

    @GetMapping("/test")
    public String test(String params){
      System.out.println(params);
			return params;
    }

}

输入:

<script>hello world</scrpit>

输出:

&lt;script&gt;hello world&lt;/scrpit&gt;

2、设置HttpOnly

2.1、什么是HttpOnly

如果cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,窃取cookie内容,这样就增加了cookie的安全性,即便是这样,也不要将重要信息存入cookie。XSS全称Cross SiteScript,跨站脚本攻击,是Web程序中常见的漏洞,XSS属于被动式且用于客户端的攻击方式,所以容易被忽略其危害性。其原理是攻击者向有XSS漏洞的网站中输入(传入)恶意的HTML代码,当其它用户浏览该网站时,这段HTML代码会自动执行,从而达到攻击的目的。如,盗取用户Cookie、破坏页面结构、重定向到其它网站等。

2.2、如何设置

案例:

response.addHeader("Set-Cookie", "username=123456; Path=/; HttpOnly")

参考:SpringBoot 防御Xss基本攻击之Filter拦截

参考:Cookie中的httponly的属性和作用

posted @ 2022-03-31 17:04  张瑞丰  阅读(2878)  评论(0编辑  收藏  举报