ESAPI——预防XSS攻击工具使用简介_esapi xss

XSS：跨站脚本攻击。原理是攻击者向有XSS漏洞的网站中输入恶意的HTML代码，当其它用户浏览该网站时，这段HTML代码会自动执行，从而达到攻击的目的。如，盗取用户Cookie、破坏页面结构、重定向到其它网站等。

最常见的最经典的XSS bug语句：<script>alert(/XSS/)</script> 比如在存在XSS bug的网站的输入框输入前面的语句,当访问网页时会弹出对话框。

...............

本篇文章主要针对最近使用过的防御XSS的小工具——ESAPI，使用的是maven项目；在pom.xml 中加入依赖：

<dependency>
            <groupId>org.owasp.esapi</groupId>
            <artifactId>esapi</artifactId>
            <version>2.1.0</version>
        </dependency>
	  <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>1.7.3</version>
        </dependency>

在classpath下加入配置文件:validation.properties和ESAPI.properties

编写filter过滤器ManageSecurityFilter类实现 Filter接口，对所有后台请求使用filter过滤，在filter中将request中有隐患的关键字过滤掉。

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
 
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
 
/**
 * XSS安全过滤器
 *
 * @author wjl
 * @date 2014-4-10 下午2:12:02
 */
public class ManageSecurityFilter implements Filter {
 
	private static final String FILTER_APPLIED = ManageSecurityFilter.class.getName() + ".FILTERED";
 
	private Set<String> excludePathRegex = new HashSet<String>();
 
	public void setExcludePathRegex( Set<String> excludePathRegex ) {
		this.excludePathRegex = excludePathRegex;
	}
 
	@Override
	public void init( FilterConfig filterConfig ) throws ServletException {}
 
	@Override
	public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException {
		if( !( request instanceof HttpServletRequest ) || !( response instanceof HttpServletResponse ) ) {
			throw new ServletException( "XSSFilter just supports HTTP requests" );
		}
		HttpServletRequest httpRequest = ( HttpServletRequest )request;
		String uri = httpRequest.getRequestURI();
		for( String regex : excludePathRegex ) {
			if( uri.matches( regex ) ) {
				chain.doFilter( request, response );
				return;
			}
		}
		// Apply Filter
		if( null != httpRequest.getAttribute( FILTER_APPLIED ) ) {
			chain.doFilter( request, response );
			return;
		}
		try {
			request.setAttribute( FILTER_APPLIED, Boolean.TRUE );
			SecurityRequestWrapper requestWrapper = new SecurityRequestWrapper( httpRequest );
			chain.doFilter( requestWrapper, response );
		} finally {
			httpRequest.removeAttribute( FILTER_APPLIED );
		}
	}
 
	@Override
	public void destroy() {}
}

在编写 使用了ESAPI的类SecurityRequestWrapper

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
 
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document.OutputSettings;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;
 
public class SecurityRequestWrapper extends HttpServletRequestWrapper {
 
	private final static Whitelist WHITELIST = Whitelist.relaxed();
 
	private final static OutputSettings OUTPUTSETTINGS = new OutputSettings().prettyPrint( false );
 
	static {
		WHITELIST.addTags( "embed", "object", "param", "span", "div", "img" );
		WHITELIST.addAttributes( ":all", "style", "class", "id", "name" );
		WHITELIST.addAttributes( "object", "width", "height", "classid", "codebase" );
		WHITELIST.addAttributes( "param", "name", "value" );
		WHITELIST.addAttributes( "embed", "src", "quality", "width", "height", "allowFullScreen",
				"allowScriptAccess", "flashvars", "name", "type", "pluginspage" );
	}
 
	public SecurityRequestWrapper( HttpServletRequest servletRequest ) {
		super( servletRequest );
	}
 
	@Override
	public String[] getParameterValues( String parameter ) {
		String[] values = super.getParameterValues( parameter );
		if( null == values ) {
			return null;
		}
		int count = values.length;
		String[] encodedValues = new String[ count ];
		for( int i = 0; i < count; i++ ) {
			encodedValues[ i ] = filterValue( values[ i ] );
		}
		return encodedValues;
	}
 
	@Override
	public String getParameter( String parameter ) {
		String value = super.getParameter( parameter );
		return filterValue( value );
	}
 
	@Override
	public String getHeader( String name ) {
		String value = super.getHeader( name );
		return filterValue( value );
	}
 
	private String filterValue( String value ) {
		if( null != value ) {
			// avoid encoded attacks.
			value = ESAPI.encoder().canonicalize( value );
 
			// Avoid null characters
			value = value.replaceAll( "\0", "" );
			value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
		    value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
		    value = value.replaceAll("'", "& #39;");
		    value = value.replaceAll("eval\\((.*)\\)", "");
		    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
		    value = value.replaceAll("script", "");
			// Clean out HTML
			value = Jsoup.clean( value, "", WHITELIST, OUTPUTSETTINGS );
		}
		return value;
	}
 
}

配置web.xml文件，在web.xml文件中加入：

<filter>
		<filter-name>manageSecurityFilter</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>manageSecurityFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

配置spring配置文件，在servelt的配置文件中加入：

<!-- Security的beans -->
	<bean id="manageSecurityFilter" class="com.baidu.disconf.web.security.ManageSecurityFilter">
		<property name="excludePathRegex">
			<set>
				<value>/console/compass/manage.*</value>
				<value>/console/coupon/.*</value>
				<value>/console/customize/block/.*</value>
				<value>/console/review/.*</value>
				<value>/console/ripple/.*</value>
				<value>/console/wdjcraw/.*</value>
				<value>/console/audit/reason/.*</value>
				<value>/console/audit/.*</value>
			</set>
		</property>
	</bean>