赞
踩
目录
2.1、SPRINGBOOT XSS过滤插件(MICA-XSS)
XSS攻击又称跨站脚本攻击,通常指利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序。这些恶意网页程序通常是JavaScript,但实际上也可以包括Java、 VBScript、ActiveX、 Flash 或者甚至是普通的HTML。攻击成功后,攻击者可能得到包括但不限于更高的权限(如执行一些操作)、私密网页内容、会话和cookie等各种内容。
例如在设计某个表单时,没做相关防XSS攻击的处理。用户通过该表单提交相关恶意代码,浏览器会执行相关的代码,从而发起XSS攻击。如下图:
- <span style="background-color:#fafafa"><span style="color:#000000"><code>XSS攻击具有三类:反射型、存储型和DOM XSS
- </code></span></span>
说明:
https://www.域名.com/index.php?xss=<script>alter(xss攻击)</script>
https://www.域名.com/index.html#alert(xss攻击)
XSS攻击方式很多,这里只介绍一些常用的XSS攻击手段以及其目的,为提出Springboot项目防止XSS攻击解决方案做说明。例如:
盗用cookie,获取敏感信息。
利用植入Flash,通过crossdomain权限设置进一步获取更高权限;或者利用Java等得到类似的操作。
利用iframe、frame、XMLHttpRequest或上述Flash等方式,以(被攻击)用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作。
利用可被攻击的域受到其他域信任的特点,以受信任来源的身份请求一些平时不允许的操作,如进行不当的投票活动。
在访问量极大的一些页面上的XSS可以攻击一些小型网站,实现DDoS攻击的效果。
许多初级Springboot开发人员经常中此招,最近在测试个人项目时,也出现了这个问题。那么在Springboot项目中,我们该如何防止XSS攻击呢?
通过对XSS攻击的介绍,我们知道了XSS常从表单输入、URL请求、以及Cookie等方面进行攻击。因此,我们可以从如下几个方面进行防止XSS攻击。
其实这些解决方案都不用我们自己去实现,SpringBoot 对应的Maven插件为我们提供了对于的XSS 安全过滤插件:mica-core 和 mica-xss
- <span style="background-color:#fafafa"><span style="color:#000000"><code> 添加Maven依赖后,便已经完成了XSS过滤配置。
- </code></span></span>
mica-xss组件说明:
- <span style="background-color:#fafafa"><span style="color:#000000"><code class="language-java"><span style="color:#dd4a68"><span style="color:#999999"><</span>dependency<span style="color:#999999">></span></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>groupId<span style="color:#999999">></span></span>net<span style="color:#999999">.</span>dreamlu<span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>groupId<span style="color:#a67f59">></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>artifactId<span style="color:#999999">></span></span>mica<span style="color:#a67f59">-</span>xss<span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>artifactId<span style="color:#a67f59">></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>version<span style="color:#999999">></span></span><span style="color:#986801">2.0</span><span style="color:#986801">.9</span><span style="color:#a67f59">-</span>GA<span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>version<span style="color:#a67f59">></span>
- <span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>dependency<span style="color:#a67f59">></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>dependency<span style="color:#999999">></span></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>groupId<span style="color:#999999">></span></span>net<span style="color:#999999">.</span>dreamlu<span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>groupId<span style="color:#a67f59">></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>artifactId<span style="color:#999999">></span></span>mica<span style="color:#a67f59">-</span>core<span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>artifactId<span style="color:#a67f59">></span>
- <span style="color:#dd4a68"><span style="color:#999999"><</span>version<span style="color:#999999">></span></span><span style="color:#986801">2.1</span><span style="color:#986801">.0</span><span style="color:#a67f59">-</span>GA<span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>version<span style="color:#a67f59">></span>
- <span style="color:#a67f59"><</span><span style="color:#a67f59">/</span>dependency<span style="color:#a67f59">></span>
- </code></span></span>
- mica:
- xss:
- enabled: true
- path-exclude-patterns:
- path-patterns: /**
开发工具:IDEA-2020.02 Springboot 2.4.1
测试工具:Google浏览器 Postman
未设置XSS防护:
添加注解@XssCleanIgnore跳过XSS过滤
<span style="background-color:#fafafa"><span style="color:#000000"><code class="language-java"><span style="color:#0077aa">import</span> net<span style="color:#999999">.</span>dreamlu<span style="color:#999999">.</span>mica<span style="color:#999999">.</span>xss<span style="color:#999999">.</span>core<span style="color:#999999">.</span>XssCleanIgnore<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>GetMapping<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RequestMapping<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RestController<span style="color:#999999">;</span> <span style="color:#708090">/** * @author dell */</span> <span style="color:#999999">@RestController</span> <span style="color:#999999">@XssCleanIgnore</span> <span style="color:#708090">//设置该注解 用于跳过配置的Xss 防护</span> <span style="color:#999999">@RequestMapping</span><span style="color:#999999">(</span><span style="color:#50a14f">"/"</span><span style="color:#999999">)</span> <span style="color:#0077aa">public</span> <span style="color:#0077aa">class</span> IndexController <span style="color:#999999">{</span> <span style="color:#999999">@GetMapping</span><span style="color:#999999">(</span><span style="color:#50a14f">"/xss"</span><span style="color:#999999">)</span> <span style="color:#0077aa">public</span> String <span style="color:#dd4a68">xssGet</span><span style="color:#999999">(</span>String data<span style="color:#999999">)</span><span style="color:#999999">{</span> System<span style="color:#999999">.</span>out<span style="color:#999999">.</span><span style="color:#dd4a68">println</span><span style="color:#999999">(</span>data<span style="color:#999999">)</span><span style="color:#999999">;</span> <span style="color:#0077aa">return</span> data<span style="color:#999999">;</span> <span style="color:#999999">}</span> <span style="color:#999999">}</span> </code></span></span>
效果如下:
设置XSS防护:
去掉注解 @XssCleanIgnore,返回为空。效果如下
未设置XSS防护:
添加注解@XssCleanIgnore
跳过XSS过滤,返回data数据。
<span style="background-color:#fafafa"><span style="color:#000000"><code class="language-java"><span style="color:#0077aa">import</span> net<span style="color:#999999">.</span>dreamlu<span style="color:#999999">.</span>mica<span style="color:#999999">.</span>xss<span style="color:#999999">.</span>core<span style="color:#999999">.</span>XssCleanIgnore<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>PostMapping<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RequestMapping<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RestController<span style="color:#999999">;</span> <span style="color:#708090">/** * @author dell */</span> <span style="color:#999999">@RestController</span> <span style="color:#999999">@XssCleanIgnore</span> <span style="color:#708090">//设置该注解 用于跳过配置的Xss 防护</span> <span style="color:#999999">@RequestMapping</span><span style="color:#999999">(</span><span style="color:#50a14f">"/"</span><span style="color:#999999">)</span> <span style="color:#0077aa">public</span> <span style="color:#0077aa">class</span> IndexController <span style="color:#999999">{</span> <span style="color:#999999">@PostMapping</span><span style="color:#999999">(</span><span style="color:#50a14f">"/xss"</span><span style="color:#999999">)</span> <span style="color:#0077aa">public</span> String <span style="color:#dd4a68">xssPost</span><span style="color:#999999">(</span>String data<span style="color:#999999">)</span><span style="color:#999999">{</span> System<span style="color:#999999">.</span>out<span style="color:#999999">.</span><span style="color:#dd4a68">println</span><span style="color:#999999">(</span>data<span style="color:#999999">)</span><span style="color:#999999">;</span> <span style="color:#0077aa">return</span> data<span style="color:#999999">;</span> <span style="color:#999999">}</span> <span style="color:#999999">}</span> </code></span></span>
效果如下:
设置XSS防护:
去掉注解@XssCleanIgnore
,设置XSS防护,过滤data数据,返回为空。
3.2.2.2、测试POST请求(XSS代码放在 BODY 中)
未设置XSS防护:
<span style="background-color:#fafafa"><span style="color:#000000"><code class="language-java"><span style="color:#0077aa">import</span> net<span style="color:#999999">.</span>dreamlu<span style="color:#999999">.</span>mica<span style="color:#999999">.</span>xss<span style="color:#999999">.</span>core<span style="color:#999999">.</span>XssCleanIgnore<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>PostMapping<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RequestBody<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RequestMapping<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> org<span style="color:#999999">.</span>springframework<span style="color:#999999">.</span>web<span style="color:#999999">.</span>bind<span style="color:#999999">.</span>annotation<span style="color:#999999">.</span>RestController<span style="color:#999999">;</span> <span style="color:#0077aa">import</span> java<span style="color:#999999">.</span>util<span style="color:#999999">.</span>Map<span style="color:#999999">;</span> <span style="color:#708090">/** * @author dell */</span> <span style="color:#999999">@RestController</span> <span style="color:#999999">@XssCleanIgnore</span> <span style="color:#999999">@RequestMapping</span><span style="color:#999999">(</span><span style="color:#50a14f">"/"</span><span style="color:#999999">)</span> <span style="color:#0077aa">public</span> <span style="color:#0077aa">class</span> IndexController <span style="color:#999999">{</span> <span style="color:#999999">@PostMapping</span><span style="color:#999999">(</span><span style="color:#50a14f">"/xss"</span><span style="color:#999999">)</span> <span style="color:#0077aa">public</span> String <span style="color:#dd4a68">xssPostBody</span><span style="color:#999999">(</span><span style="color:#999999">@RequestBody</span> Map<span style="color:#dd4a68"><span style="color:#999999"><</span>String<span style="color:#999999">,</span>String<span style="color:#999999">></span></span> body<span style="color:#999999">)</span><span style="color:#999999">{</span> System<span style="color:#999999">.</span>out<span style="color:#999999">.</span><span style="color:#dd4a68">println</span><span style="color:#999999">(</span>body<span style="color:#999999">)</span><span style="color:#999999">;</span> <span style="color:#0077aa">return</span> body<span style="color:#999999">.</span><span style="color:#dd4a68">get</span><span style="color:#999999">(</span><span style="color:#50a14f">"data"</span><span style="color:#999999">)</span><span style="color:#999999">;</span> <span style="color:#999999">}</span> <span style="color:#999999">}</span> </code></span></span>
效果如下:
设置XSS防护:
如果使用request.getParameter("xss")); 等等ServletRequest原生方法,则是MICA拦截不到的,需要补充下面文章的过滤器,亲测有用,原理就是重写了原生的一些方法.添加过滤.
SpringBoot集成Hutool防止XSS攻击实现_wcybaonier的博客-CSDN博客
说明:
链接:https://gitee.com/596392912/mica/tree/master/mica-xss
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。