-
XSS攻击和跨站脚本安全漏洞防护
1、存储型XSS
指应用程序通过Web请求获取不可信赖的数据,并且在未检验数据是否存在XSS代码的情况下,将其存入数据库。当程序下一次从数据库中获取该数据时,致使页面再次执行XSS代码。存储型XSS可以持续攻击用户,在用户提交了包含XSS代码的数据存储到数据库后,每当用户在浏览网页查询对应数据库中的数据时,那些包含XSS代码的数据就会在服务器解析并加载,当浏览器读到XSS代码后,会当做正常的HTML和JS解析并执行,于是发生存储型XSS攻击。
**例如**:下面JSP代码片段的功能是根据一个已知用户雇员ID(id)从数据库中查询出该用户的地址,并显示在JSP页面上 。
- ```java
- <%
- ...
- Statement stmt = conn.createStatement();
- ResultSet rs = stmt.executeQuery("select * from users where id =" + id);
- String address = null;
- if (rs != null) {
- rs.next();
- address = rs.getString("address");
- }
- %>
- 家庭地址: <%= address %>
- ```
如果address的值是由用户提供的,且存入数据库时没有进行合理的校验,那么攻击者就可以利用上面的代码进行存储型XSS攻击。
2、反射型XSS
指应用程序通过Web请求获取不可信赖的数据,并在未检验数据是否存在恶意代码的情况下,将其发送给用户。反射型XSS一般可以由攻击者构造带有恶意代码参数的URL来实现,在构造的URL地址被打开后,其中包含的恶意代码参数被浏览器解析和执行。这种攻击的特点是非持久化,必须用户点击包含恶意代码参数的链接时才会触发。
**例如**:下面JSP代码片段的功能是从HTTP请求中读取输入的用户名(username)并显示到页面。
- ```java
- <%
- String name= request.getParameter("username"); %>
- ...
- 姓名: <%= name%>
- ...
- ```
如果name里有包含恶意代码,那么Web浏览器就会像显示HTTP响应那样执行该代码,应用程序将受到反射型XSS攻击。
3、防范建议
为了避免存储型XSS攻击,建议采用以下方式进行防御:
1.对从数据库或其它后端数据存储获取不可信赖的数据进行合理验证(如年龄只能是数字),对特殊字符(如`<、>、'、"`以及`", Pattern.CASE_INSENSITIVE);
- public static Pattern scriptPattern2 = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- public static Pattern scriptPattern3 = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- public static Pattern scriptPattern4 = Pattern.compile("", Pattern.CASE_INSENSITIVE);
- public static Pattern scriptPattern5 = Pattern.compile("
- public static Pattern scriptPattern6 = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- public static Pattern scriptPattern7 = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- public static Pattern scriptPattern8 = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
- public static Pattern scriptPattern9 = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
- public static Pattern scriptPattern10 = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- public static Pattern scriptPattern11 = Pattern.compile(".*<.*", Pattern.CASE_INSENSITIVE );
- public static String striptXSS(String value) {
- if (value != null) {
- value = value.replaceAll("", "");
- value = scriptPattern1.matcher(value).replaceAll("");
- value = scriptPattern2.matcher(value).replaceAll("");
- value = scriptPattern3.matcher(value).replaceAll("");
- value = scriptPattern4.matcher(value).replaceAll("");
- value = scriptPattern5.matcher(value).replaceAll("");
- value = scriptPattern6.matcher(value).replaceAll("");
- value = scriptPattern7.matcher(value).replaceAll("");
- value = scriptPattern8.matcher(value).replaceAll("");
- value = scriptPattern9.matcher(value).replaceAll("");
- value = scriptPattern10.matcher(value).replaceAll("");
- value = scriptPattern11.matcher(value).replaceAll("");
- }
- return value;
- }
- }
2、请求过滤业务实现类
- package com.hlframe.modules.frame.interceptor;
- import java.util.HashMap;
- import java.util.Iterator;
- import java.util.Map;
- import java.util.Set;
-
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletRequestWrapper;
-
- import com.hlframe.modules.frame.utils.XSSUtils;
- import org.springframework.util.StringUtils;
- import org.springframework.web.multipart.MultipartHttpServletRequest;
- import org.springframework.web.multipart.commons.CommonsMultipartResolver;
-
- /**
- * 请求过滤业务实现类
- */
- public class XssRequestWrappers extends HttpServletRequestWrapper{
-
- private CommonsMultipartResolver multiparResolver = new CommonsMultipartResolver();
-
- public XssRequestWrappers(HttpServletRequest request) {
- super(request);
-
- String type = request.getHeader("Content-Type");
- if (!StringUtils.isEmpty(type) && type.contains("multipart/form-data")) {
- MultipartHttpServletRequest multipartHttpServletRequest = multiparResolver.resolveMultipart(request);
- Map
stringMap = multipartHttpServletRequest.getParameterMap(); - if (!stringMap.isEmpty()) {
- for (String key : stringMap.keySet()) {
- String value = multipartHttpServletRequest.getParameter(key);
- XSSUtils.striptXSS(key);
- XSSUtils.striptXSS(value);
- }
- }
- super.setRequest(multipartHttpServletRequest);
- }
- }
-
- @Override
- public String[] getParameterValues(String parameter) {
- String[] values = super.getParameterValues(parameter);
- if (values == null) {
- return null;
- }
- int count = values.length;
- String[] encodedValues = new String[count];
- for (int i = 0; i < count; i++) {
- encodedValues[i] = XSSUtils.striptXSS(values[i]);
- }
- return encodedValues;
- }
-
- @Override
- public String getParameter(String parameter) {
- String value = super.getParameter(parameter);
- return XSSUtils.striptXSS(value);
- }
-
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(name);
- return XSSUtils.striptXSS(value);
- }
-
- @Override
- public Map
getParameterMap() { - Map
map1 = super.getParameterMap(); - Map
escapseMap = new HashMap(); - Set
keys = map1.keySet(); - for (String key : keys) {
- String[] valArr = map1.get(key);
- if (valArr != null && valArr.length > 0) {
- String[] escapseValArr = new String[valArr.length];
- for (int i = 0; i < valArr.length; i++) {
- String escapseVal = XSSUtils.striptXSS(valArr[i]);
- escapseValArr[i] = escapseVal;
- }
- escapseMap.put(key, escapseValArr);
- }
- }
-
- return escapseMap;
- }
-
- }
3、XSSFilter拦截类
- package com.hlframe.modules.frame.interceptor;
- import com.hlframe.modules.frame.utils.XSSUtils;
- import org.springframework.stereotype.Component;
-
- import java.io.IOException;
-
- import javax.servlet.*;
- import javax.servlet.annotation.WebFilter;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
-
- /**
- * 存储型XSS、跨站脚本过滤器
- * @author zyw
- * @since 2022-09-01 20:09:31
- */
- @Component
- @WebFilter(filterName = "XSSFilter",
- /**
- * 通配符(*)表示对所有的web资源进行拦截
- */
- urlPatterns = "/*"
- )
- public class XSSFilter implements Filter {
- @Override
- public void init(FilterConfig arg0) throws ServletException {
- System.out.println("初始化过滤器!");
- }
-
- @Override
- public void destroy() {
- System.out.println("销毁过滤器!");
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
- //过滤请求
- // chain.doFilter(new XssRequestWrappers((HttpServletRequest) request), response);
-
- //过滤返回
- ResponseWrapper wrapperResponse = new ResponseWrapper((HttpServletResponse)response);//转换成代理类
-
- chain.doFilter(new XssRequestWrappers((HttpServletRequest) request), wrapperResponse);
- byte[] content = wrapperResponse.getContent();//获取返回值
- //判断是否有值
- if (content.length > 0)
- {
-
- String str = new String(content, "UTF-8");
- System.out.println("返回值:" + str);
- String ciphertext = null;
-
- try
- {
- System.out.println("str = " + str);
- //......根据需要处理返回值
- ciphertext = XSSUtils.striptXSS(str);
- System.out.println("ciphertext = " + ciphertext);
-
-
- }
- catch (Exception e)
- {
- e.printStackTrace();
- }
- //把返回值输出到客户端
- ServletOutputStream out = response.getOutputStream();
- out.write(ciphertext.getBytes());
- out.flush();
- }
- }
-
- }
4、返回值输出代理类
- /**
- * 返回值输出代理类
- *
- * @Title: ResponseWrapper
- * @Description:
- * @author zyw
- * @date 9:52:11
- */
- public class ResponseWrapper extends HttpServletResponseWrapper {
- private ByteArrayOutputStream buffer;
-
- private ServletOutputStream out;
-
- public ResponseWrapper(HttpServletResponse httpServletResponse)
- {
- super(httpServletResponse);
- buffer = new ByteArrayOutputStream();
- out = new WrapperOutputStream(buffer);
- }
-
- @Override
- public ServletOutputStream getOutputStream()
- throws IOException
- {
- return out;
- }
-
- @Override
- public void flushBuffer()
- throws IOException
- {
- if (out != null)
- {
- out.flush();
- }
- }
-
- public byte[] getContent()
- throws IOException
- {
- flushBuffer();
- return buffer.toByteArray();
- }
-
- class WrapperOutputStream extends ServletOutputStream
- {
- private ByteArrayOutputStream bos;
-
- public WrapperOutputStream(ByteArrayOutputStream bos)
- {
- this.bos = bos;
- }
-
- @Override
- public void write(int b)
- throws IOException
- {
- bos.write(b);
- }
-
- @Override
- public boolean isReady()
- {
-
- // TODO Auto-generated method stub
- return false;
-
- }
-
- @Override
- public void setWriteListener(WriteListener arg0)
- {
-
- // TODO Auto-generated method stub
-
- }
- }
注意:SpingBoot3.0.0之前旧版本不支持通过正则表达式对响应进行过滤
此时可以通过String类中的各种方法直接对响应或请求中的内容进行修改
- package com.hlframe.modules.frame.utils;
-
- import java.util.regex.Pattern;
-
- /**
- * 跨站脚本和存储型XSS攻击防御工具类
- * @author zyw
- * @date 16:52:11
- */
- public class XSSUtils {
-
- public static String striptXSS(String value) {
- if (value != null) {
-
- value = value.replaceAll("", "");
- value = value.replace('<',' ');
- value = value.replace('>',' ');
-
- }
-
- return value;
- }
-
-
- }
python提效小工具-统计xmind用例数量
glibc: strlcpy
29.STM32红外遥控器
应用层协议——DNS、DHCP、HTTP、FTP
如何制作网页 ico
ESP8266-Arduino编程实例-ADXL345三轴加速计驱动
基于开源流批一体数据同步引擎ChunJun数据还原—DDL解析模块的实战分享
Day 66 二叉树 排序
这几个小妙招让你学会如何压缩图片大小