XSS攻击基础防御

迈不过友情╰ 2022-05-29 13:07 237阅读 0赞

XSS攻击听说过，没见过，后来通过查资料了解一点，这篇文章中，主要是针对XSS攻击做一个基本的防御，我也不知道能不能防的住，防不住在加规则，中国式解决问题：哪疼医那。哈哈

由于公司用的是 SpringMVC，因此，这次就主要基于 SpringMVC 来解决这些漏洞。当然，其实这些解决方案都是大同小异，对于什么环境来说根本无所谓。了解了原理，什么环境、什么语言都可以运用自如了。废话就不多说了，直接上解决方案。

1、在web.xml加一个filter

<filter>  
    	     <filter-name>XssSqlFilter</filter-name>  
    	     <filter-class>com.foriseland.fsoa.pay.filter.XssFilter</filter-class>  
    	</filter>  
    	<filter-mapping>  
    	     <filter-name>XssSqlFilter</filter-name>  
    	     <url-pattern>/*</url-pattern>  
    	     <dispatcher>REQUEST</dispatcher>  
    	</filter-mapping>

2、过滤器 XssFilter，现servlet的Filter接口

package com.foriseland.fsoa.pay.filter;
    
    import java.io.IOException;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    
    /**
     * @describe xss过滤器
     * @createTime 2018年3月24日 下午3:19:11
     */
    public class XssFilter implements Filter{
    	
    	FilterConfig filterConfig = null;  
    
    	@Override
    	public void init(FilterConfig filterConfig) throws ServletException {  
            this.filterConfig = filterConfig;  
        }  
    
    	@Override
    	 public void doFilter(ServletRequest request, ServletResponse response,  
    	            FilterChain chain) throws IOException, ServletException {  
    	        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);  
    	    } 
    
    	@Override
    	public void destroy() {  
            this.filterConfig = null;  
        }  
    
    }

3、关键是XssHttpServletRequestWrapper的实现方式，继承servlet的HttpServletRequestWrapper，并重写相应的几个有可能带xss攻击的方法

package com.foriseland.fsoa.pay.filter;
    
    import java.util.regex.Pattern;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    
    /**
     * @describe 使用 Filter 来过滤浏览器发出的请求，对每个 post 请求的参数过滤一些关键字
     * @createTime 2018年3月24日 下午3:19:26
     */
    public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper{
    	
        public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {  
            super(servletRequest);  
        }  
        
        public String[] getParameterValues(String parameter) {  
          String[] values = super.getParameterValues(parameter);  
          if (values==null)  {  
                      return null;  
              }  
          int count = values.length;  
          String[] encodedValues = new String[count];  
          for (int i = 0; i < count; i++) {  
                     encodedValues[i] = stripXSS(values[i]);  
           }  
          return encodedValues;  
        }  
        
        public String getParameter(String parameter) {  
              String value = super.getParameter(parameter);  
              if (value == null) {  
                     return null;  
                      }  
              return stripXSS(value);  
        }  
        
        public String getHeader(String name) {  
            String value = super.getHeader(name);  
            if (value == null)  
                return null;  
            return stripXSS(value);  
        }  
        
        /**
         * @describe 使用替换策略，换成安全的，例如：< > ' " \ / # & 。
         * @author lc
         * @returnType String
         * @createTime 2018年3月24日 下午3:28:35
         */
        private String cleanXSS(String value) {  
            value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");  
            value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");  
            value = value.replaceAll("'", "& #39;");  
            value = value.replaceAll("eval\\((.*)\\)", "");  
            value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");  
            value = value.replaceAll("script", "");  
            return value;  
        } 
        
        /**
         * @describe 采用 ESAPI library 来防止XSS攻击
         * @author lc
         * @returnType String
         * @createTime 2018年3月24日 下午3:29:01
         */
        private String stripXSS(String value) {
            if (value != null) {
                // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
                // avoid encoded attacks.
                // value = ESAPI.encoder().canonicalize(value);
                // Avoid null characters
                value = value.replaceAll("", "");
                // Avoid anything between script tags
                Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid anything in a src="http://www.yihaomen.com/article/java/..." type of expression
                scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Remove any lonesome </script> tag
                scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Remove any lonesome <script ...> tag
                scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid eval(...) expressions
                scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid expression(...) expressions
                scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid javascript:... expressions
                scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid vbscript:... expressions
                scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid οnlοad= expressions
                scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
            }
            return value;
        }
        
    }

有不对，测试了不好使的地方不要骂我，你直接用更好更好使的方法来砸死我。哈哈