热门标签
热门文章
- 1dubbo的@Reference注解作用分析_@dubboreference
- 2Android13源码下载及全编译流程_android源码下载
- 3银河麒麟鲲鹏aarch64架构安装docker和K8s_aarch64 doket
- 4渗透测试常用反弹shell方法(如何渗透测试反弹shell?)-Windows篇(゚益゚メ) 渗透测试_powershell反弹shell
- 5ThinkPHP下访问www.xxx.com访问成功www.xxx.com/后加上index、admin等报错
- 6实现单例模式时synchronized的必要性_单例模式静态工厂访问为什么要加synchronized
- 7基于Java+SpringBoot+Vue+uniapp微信小程序实现仓储管理系统_java+ 微信小程序物资管理系统
- 8SQLMAP脚本-sql-labs-Less-26-27a_a71脚本
- 9springboot + dubbo + nacos + seata 快速集成_spring boot 整合seata saga模式
- 10JNI DETECTED ERROR IN APPLICATION: can‘t call void com.example.myjnidemo.LameUtils.setConvertProgres_qt jni detected error in application: jni getmetho
当前位置: article > 正文
Java防止XSS攻击_xss java
作者:Cpp五条 | 2024-02-27 06:07:57
赞
踩
xss java
方法一:转义存储:添加XssFilter 1.在web.xml添加过滤器:
- <!-- 解决xss漏洞 -->
- <filter>
- <filter-name>xssFilter</filter-name>
- <filter-class>XXXXXX.XssFilter</filter-class>
- </filter>
- <!-- 解决xss漏洞 -->
- <filter-mapping>
- <filter-name>xssFilter</filter-name>
- <url-pattern>*</url-pattern>
- </filter-mapping>
2.添加XssFilter
- public class XssFilter implements Filter{
-
- @Override
- public void init(FilterConfig filterConfig) {
-
- }
-
- @Override
- public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
- //使用包装器
- XssFilterWrapper xssFilterWrapper=new XssFilterWrapper((HttpServletRequest) servletRequest);
- filterChain.doFilter(xssFilterWrapper,servletResponse);
- }
-
- @Override
- public void destroy() {
-
- }
- }
3、添加 XssFilterWrapper.java类
- public class XssFilterWrapper extends HttpServletRequestWrapper {
-
-
- public XssFilterWrapper(HttpServletRequest request) {
- super(request);
- }
-
- @Override
- public String getHeader(String name) {
- return StringEscapeUtils.escapeHtml4(super.getHeader(name));
- }
-
- @Override
- public String getQueryString() {
- return StringEscapeUtils.escapeHtml4(super.getQueryString());
- }
-
- @Override
- public String getParameter(String name) {
- return StringEscapeUtils.escapeHtml4(super.getParameter(name));
- }
-
- @Override
- public String[] getParameterValues(String name) {
- String[] values = super.getParameterValues(name);
- if(values != null) {
- int length = values.length;
- String[] escapseValues = new String[length];
- for(int i = 0; i < length; i++){
- escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
- }
- return escapseValues;
- }
- return super.getParameterValues(name);
- }
-
- }
自此,即能实现,
假如在网站的文本框输入<script>alert("OK");</script>,
提交到数据库后保存的数据为:<script>alert("OK");</script>
方法二、
1.添加XssFilter ,(同上)
2..添加XssHttpServletRequestWrapper.java类
- import java.io.BufferedReader;
- import java.io.ByteArrayInputStream;
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.InputStreamReader;
- import java.nio.charset.Charset;
- import java.util.HashMap;
- import java.util.Map;
- import java.util.regex.Pattern;
-
- import javax.servlet.ReadListener;
- import javax.servlet.ServletInputStream;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletRequestWrapper;
-
- import org.apache.commons.lang.StringUtils;
-
- import com.alibaba.fastjson.JSON;
-
- public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
- /**
- * Constructs a request object wrapping the given request.
- *
- * @param request The request to wrap
- * @throws IllegalArgumentException if the request is null
- */
- public XssHttpServletRequestWrapper(HttpServletRequest request) {
- super(request);
- }
-
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(name);
- if(StringUtils.isEmpty(value)){
- return value;
- }
- else{
- return cleanXSS(value);
- }
-
- }
-
- @Override
- public String getParameter(String name) {
- String value = super.getParameter(name);
- if(StringUtils.isEmpty(value)){
- return value;
- }
- else{
- return cleanXSS(value);
- }
- }
-
- @Override
- public String[] getParameterValues(String name) {
- String[] values = super.getParameterValues(name);
- if (values != null) {
- int length = values.length;
- String[] escapseValues = new String[length];
- for (int i = 0; i < length; i++) {
- escapseValues[i] = cleanXSS(values[i]);
- }
- return escapseValues;
- }
- return super.getParameterValues(name);
- }
-
- @Override
- public ServletInputStream getInputStream() throws IOException {
- String str=getRequestBody(super.getInputStream());
- Map<String,Object> map= JSON.parseObject(str,Map.class);
- Map<String,Object> resultMap=new HashMap<>();
- for(String key:map.keySet()){
- Object val=map.get(key);
- if(map.get(key) instanceof String){
- resultMap.put(key,cleanXSS(val.toString()));
- }
- else{
- resultMap.put(key,val);
- }
-
- }
- str=JSON.toJSONString(resultMap);
- final ByteArrayInputStream bais = new ByteArrayInputStream(str.getBytes());
-
- return new ServletInputStream() {
-
- @Override
- public int read() throws IOException {
- return bais.read();
- }
-
- @Override
- public boolean isFinished() {
- return false;
- }
-
- @Override
- public boolean isReady() {
- return false;
- }
-
- @Override
- public void setReadListener(ReadListener listener) {
-
- }
- };
- }
-
- private String getRequestBody(InputStream stream) {
- String line = "";
- StringBuilder body = new StringBuilder();
- int counter = 0;
-
- // 读取POST提交的数据内容
- BufferedReader reader = new BufferedReader(new InputStreamReader(stream, Charset.forName("UTF-8")));
- try {
- while ((line = reader.readLine()) != null) {
-
- body.append(line);
- counter++;
- }
- } catch (IOException e) {
- e.printStackTrace();
- }
-
- return body.toString();
- }
- private String cleanXSS(String value) {
- if(StringUtils.isEmpty(value)){
- return value;
- }
- else{
- if (value != null) {
- if (value != null) {
- // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
- // avoid encoded attacks.
- // value = ESAPI.encoder().canonicalize(value);
- // Avoid null characters
- value = value.replaceAll("", "");
- // Avoid anything between script tags
- Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid anything in a src="http://www.yihaomen.com/article/java/..." type of expression
- // 会误伤百度富文本编辑器
- // scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- // value = scriptPattern.matcher(value).replaceAll("");
- // scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- // value = scriptPattern.matcher(value).replaceAll("");
- // Remove any lonesome </script> tag
- scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
- value = scriptPattern.matcher(value).replaceAll("");
- // Remove any lonesome <script ...> tag
- scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid eval(...) expressions
- scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid expression(...) expressions
- scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid javascript:... expressions
- scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid vbscript:... expressions
- scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid onload= expressions
- scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- value = scriptPattern.matcher(value).replaceAll("");
- }
- }
- return value;
- }
- }
- }
两种方法,原理一致只是写法不一样,
第二种写法保存到数据库为:scriptalert("OK");/script
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/Cpp五条/article/detail/150601
推荐阅读
相关标签
