devbox
知新_RL
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

字符过滤器和防止XSS攻击,SQL注入的过滤器_以下哪些字符都需要在防sql注入与xss攻击时过滤

作者:知新_RL | 2024-03-20 01:43:23

以下哪些字符都需要在防sql注入与xss攻击时过滤

1.字符过滤器

public class CharacterEncodingFilter implements Filter
{
  private String encoding;
  private boolean forceEncoding = false;

  public void setEncoding(String encoding) {
    this.encoding = encoding;
  }

  public void setForceEncoding(boolean forceEncoding) {
    this.forceEncoding = forceEncoding;
  }

  public void destroy()
  {
  }

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
    throws IOException, ServletException
  {
    if ((this.encoding != null) && ((this.forceEncoding) || (request.getCharacterEncoding() == null)))
    {
      request.setCharacterEncoding(this.encoding);
      if (this.forceEncoding) {
        response.setCharacterEncoding(this.encoding);
      }
    }
    filterChain.doFilter(request, response);
  }

  public void init(FilterConfig filterConfig) throws ServletException
  {
    this.encoding = filterConfig.getInitParameter("encoding");
    String value = filterConfig.getInitParameter("forceEncoding");
    if ("true".equalsIgnoreCase(value))
      this.forceEncoding = true;
  }
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38

web.xml的配置

<filter>
      <filter-name>CharacterEncoding</filter-name>
      <filter-class>CharacterEncodingFilter</filter-class>
      <init-param>
         <param-name>encoding</param-name>
         <param-value>GBK</param-value>
      </init-param>
      <init-param>
         <param-name>forceEncoding</param-name>
         <param-value>true</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>CharacterEncoding</filter-name>
      <url-pattern>/*</url-pattern>
    </filter>

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17

2.XSS攻击和SQL注入的过滤器

public class XSSFilter implements Filter
{
  private String error_url;
  private Logger logger = YGLogger.getLogger("xss.trc");

  private String[] invalidCharacters = { ">", "<", "'", "\"", "&", "\\", "#" };

  private String[] invalidUrlCharacters = { ">", "<", "'", "\"", "&", "\\", "#" };

  private String[] excludeUrl = null;

  public void init(FilterConfig filterConfig) throws ServletException
  {
    String fileName = filterConfig.getInitParameter("config");
    if (fileName == null)
    {
      return;
    }
    InputStream is = filterConfig.getServletContext().getResourceAsStream(fileName);
    Properties props = new Properties();
    try {
      props.load(is);
    } catch (IOException e) {
      throw new ServletException("load file:" + fileName + " failure", e);
    } finally {
      IOUtils.closeQuietly(is);
    }
    String tmp = props.getProperty("invalid_character");
    if (tmp != null) {
      this.invalidCharacters = StringUtils.split(tmp, ", ");
    }
    tmp = props.getProperty("invalid_url_character");
    if (tmp != null) {
      this.invalidUrlCharacters = StringUtils.split(tmp, ", ");
    }

    tmp = props.getProperty("exclude_url");
    if (tmp != null) {
      this.excludeUrl = StringUtils.split(tmp, ",");
    }

    this.error_url = props.getProperty("error_url");
    if (this.error_url == null)
      throw new ServletException("xss error_url not config");
  }

  public void destroy()
  {
  }

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException
  {
    HttpServletRequest httpRequest = (HttpServletRequest)request;
    String url = httpRequest.getRequestURL().toString();
    boolean flag = false;
    if (this.excludeUrl != null) {
      for (String s : this.excludeUrl) {
        if (url.indexOf(s) != -1) {
          flag = true;
          break;
        }
      }
    }
    if (flag) {
      chain.doFilter(request, response);
      return;
    }

    if (isContainsXssChar(url)) {
      this.logger.info("request url:[" + url + "] contains xss character");
      httpRequest.getRequestDispatcher(this.error_url).forward(request, response);
      return;
    }

    Enumeration en = httpRequest.getParameterNames();
    while (en.hasMoreElements()) {
      String name = (String)en.nextElement();
      String[] values = httpRequest.getParameterValues(name);
      for (String value : values) {
        if (isContainsXss2Char(value)) {
          this.logger.info("request url:[" + url + "],parameter:[" + name + "=" + value + "] contains xss character");

          httpRequest.getRequestDispatcher(this.error_url).forward(request, response);

          return;
        }
      }
    }

    chain.doFilter(request, response);
  }

  private boolean isContainsXssChar(String s) {
    if ((s == null) || (s.equals("")) || (isBase64Str(s))) {
      return false;
    }

    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      for (String c1 : this.invalidUrlCharacters) {
        if (c1.charAt(0) == c) {
          return true;
        }
      }
    }
    return false;
  }

  public static boolean isBase64Str(String value) {
    if (value == null) {
      return true;
    }
    if (value.length() % 4 != 0) {
      return false;
    }

    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      if ((c < 'A') && (c > 'Z') && (c < 'a') && (c > 'z') && (c < '0') && (c > '9') && (c != '+') && (c != '/') && (c != '='))
      {
        return false;
      }
    }
    return true;
  }
  private boolean isContainsXss2Char(String s) {
    if ((s == null) || (s.equals(""))) {
      return false;
    }
    for (String c1 : this.invalidCharacters) {
      if (s.indexOf(c1) != -1) {
        return true;
      }
    }
    return false;
  }
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138

web.xml配置

<filter>
        <filter-name>XSSFilter</filter-name>
        <filter-class>com.yuangou.ecp.bp.web.controller.filter.XSSFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>/WEB-INF/conf/xss_config.properties</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>XSSFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

xss_config.properties

#拦截参数
invalid_character=>,<,',",&,#,:,%,--,/*,*/,',;,net localgroup administrators,net user,exec master,select,update,insert,delete,or,and,from,truncate,drop,xp_cmdshell
#拦截url
invalid_url_character=>,<,',",\,#
#排除的url
exclude_url=/login.do
#错误url
error_url=/xss.jsp
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
本文内容由网友自发贡献,转载请注明出处:【wpsshop博客】
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号