背景:等保测评公司针对我系统进行了一次渗透测试,并发现存在XSS漏洞,现记录修复过程。
框架:SSM。
漏洞风险等级:中危
涉及页面:全站存在内容输入处
漏洞描述:所有模块可以修改内容处存在XSS,填入恶意代码后触发。
修复建议(测评方给出):过滤所有输入内容(防止恶意弹窗/跨站脚本/过滤敏感字符/违法信息等)。需要注意:对 XSS 而言根本的防线是在输出端按所在上下文(HTML 文本、属性、JavaScript、URL)进行编码,输入过滤只能作为辅助手段;下文记录的两种方案都属于输入侧处理。
- import javax.servlet.http.HttpServletRequest;
-
- import org.springframework.stereotype.Controller;
- import org.springframework.web.method.HandlerMethod;
- import org.springframework.web.servlet.DispatcherServlet;
- import org.springframework.web.servlet.HandlerExecutionChain;
-
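@SuppressWarnings("serial")
public class DispatcherServletWrapper extends DispatcherServlet {

    /**
     * Looks up the handler chain exactly as DispatcherServlet does, then swaps in a
     * HandlerExecutionChainWrapper for handlers that are methods on a bean class
     * annotated with @Controller, so that the controller is invoked through a proxy
     * which HTML-escapes its String arguments.
     *
     * @param request the current request
     * @return the original chain, the wrapped chain, or {@code null} when no handler
     *         is mapped. DispatcherServlet.getHandler may return null; the original
     *         code dereferenced the result unconditionally.
     * @throws Exception propagated from the superclass lookup
     */
    @Override
    protected HandlerExecutionChain getHandler(HttpServletRequest request) throws Exception {
        HandlerExecutionChain chain = super.getHandler(request);
        if (chain == null) {
            return null;
        }
        Object handler = chain.getHandler();
        if (!(handler instanceof HandlerMethod)) {
            return chain;
        }

        HandlerMethod handlerMethod = (HandlerMethod) handler;
        // isAnnotationPresent only sees annotations declared directly on the class.
        // NOTE(review): a bean annotated with @RestController (meta-annotated with
        // @Controller) is therefore NOT wrapped by this check; confirm whether the
        // project uses @RestController - AnnotatedElementUtils.hasAnnotation would
        // cover that case.
        if (!handlerMethod.getBeanType().isAnnotationPresent(Controller.class)) {
            return chain;
        }

        // Only beans carrying @Controller are wrapped. A new wrapper is created for
        // every request; the proxy instance is built on its first getHandler() call.
        return new HandlerExecutionChainWrapper(chain, request, getWebApplicationContext());
    }

}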
在getHandler中返回HandlerExecutionChainWrapper
- import java.lang.reflect.Field;
- import java.lang.reflect.Method;
- import java.util.ArrayList;
- import java.util.List;
-
- import javax.servlet.http.HttpServletRequest;
-
- import org.springframework.beans.factory.BeanFactory;
- import org.springframework.cglib.proxy.Enhancer;
- import org.springframework.cglib.proxy.MethodInterceptor;
- import org.springframework.cglib.proxy.MethodProxy;
- import org.springframework.util.ReflectionUtils;
- import org.springframework.util.ReflectionUtils.FieldCallback;
- import org.springframework.util.ReflectionUtils.FieldFilter;
- import org.springframework.web.method.HandlerMethod;
- import org.springframework.web.servlet.HandlerExecutionChain;
- import org.springframework.web.util.HtmlUtils;
-
- public class HandlerExecutionChainWrapper extends HandlerExecutionChain {
-
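/** Resolves the controller bean when the HandlerMethod only carries its bean name. */
private final BeanFactory beanFactory;
/** Current request; its HTTP method and parameter names steer the field escaping. */
private final HttpServletRequest request;
/**
 * Lazily built HandlerMethod whose bean is the escaping proxy. Declared volatile so
 * that a value published under {@code lock} is also visible to a reader that does
 * not take the lock (the original field was plain, which breaks double-checked
 * locking under the Java memory model).
 */
private volatile HandlerMethod handlerWrapper;
/** Guards the lazy creation of {@link #handlerWrapper}. */
private final Object lock = new Object();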
-
/**
 * Copies the handler and interceptors of {@code chain} into this wrapper and keeps
 * the request and bean factory needed to build the controller proxy later.
 *
 * @param chain       the chain resolved by DispatcherServlet
 * @param request     the current request (consulted when escaping fields on GET)
 * @param beanFactory used to resolve the controller bean when the handler holds a bean name
 */
public HandlerExecutionChainWrapper(HandlerExecutionChain chain,
        HttpServletRequest request,
        BeanFactory beanFactory) {
    super(chain.getHandler(), chain.getInterceptors());
    this.beanFactory = beanFactory;
    this.request = request;
}
-
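/**
 * Returns a HandlerMethod whose bean is a CGLIB proxy of the controller, so the
 * handler method is invoked through ControllerXssInterceptor. The proxy is built on
 * first use and reused for later calls on this chain.
 * <p>
 * The original used double-checked locking with an unsynchronized fast path on a
 * non-volatile field, which is not a safe publication under the Java memory model.
 * Taking the lock on every call is cheap for a per-request object and always correct.
 *
 * @return the proxied HandlerMethod
 */
@Override
public Object getHandler() {
    synchronized (lock) {
        if (handlerWrapper == null) {
            HandlerMethod original = (HandlerMethod) super.getHandler();
            Object proxyBean = createProxyBean(original);
            handlerWrapper = new HandlerMethod(proxyBean, original.getMethod());
        }
        return handlerWrapper;
    }
}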
-
/**
 * Builds a CGLIB subclass proxy of the controller's class whose method calls go
 * through {@link ControllerXssInterceptor} before reaching the real bean.
 * <p>
 * {@code HandlerMethod.getBean()} may hold either the bean instance or its name;
 * a name is resolved through the bean factory first.
 * NOTE(review): Enhancer.create() instantiates the subclass through the controller's
 * no-arg constructor, so controllers without one (or final classes) cannot be
 * proxied this way - confirm against the project's controllers.
 *
 * @param handler the handler method resolved for the current request
 * @return a proxy instance assignable to the controller's class
 * @throws IllegalStateException wrapping any failure during proxy creation
 */
private Object createProxyBean(HandlerMethod handler) {
    try {
        Object targetBean = handler.getBean();
        if (targetBean instanceof String) {
            targetBean = beanFactory.getBean((String) targetBean);
        }
        ControllerXssInterceptor callback = new ControllerXssInterceptor(targetBean);
        callback.setRequest(this.request);

        Enhancer enhancer = new Enhancer();
        enhancer.setSuperclass(handler.getBeanType());
        enhancer.setCallback(callback);
        return enhancer.create();
    } catch (Exception e) {
        throw new IllegalStateException("为Controller创建代理失败:" + e.getMessage(), e);
    }
}
-
-
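/**
 * CGLIB callback placed in front of the real controller bean. Before the target
 * method runs it HTML-escapes every String argument and every String field of an
 * argument object whose class name starts with one of the configured package
 * prefixes, then delegates the call to the original method on the real bean.
 * <p>
 * Limitations visible in this code, which a reviewer should weigh before relying
 * on it as the XSS defense:
 * <ul>
 *   <li>Escaping happens at input time, so the controller receives, stores and
 *       forwards already-escaped text; HTML escaping also does not protect values
 *       later rendered in attribute, JavaScript or URL contexts.</li>
 *   <li>Only direct String arguments and top-level String fields are touched.
 *       String[] / Collection / Map arguments, nested objects and objects outside
 *       the configured packages pass through unchanged.</li>
 * </ul>
 */
public static class ControllerXssInterceptor implements MethodInterceptor {

    /** Package prefix used when no explicit list is supplied. */
    private static final String DEFAULT_PACKAGE = "com.jwell";

    private final Object target;
    private HttpServletRequest request;
    private final List<String> objectMatchPackages;

    /** Wraps {@code target}, escaping fields of objects under the default package {@code com.jwell}. */
    public ControllerXssInterceptor(Object target) {
        this(target, null);
    }

    /**
     * @param target   the real controller bean that receives the calls
     * @param packages class-name prefixes whose instances get their String fields
     *                 escaped; {@code null} or empty means the default {@code com.jwell}
     */
    public ControllerXssInterceptor(Object target, List<String> packages) {
        this.target = target;
        this.objectMatchPackages = new ArrayList<String>();
        if (packages == null || packages.isEmpty()) {
            this.objectMatchPackages.add(DEFAULT_PACKAGE);
        } else {
            this.objectMatchPackages.addAll(packages);
        }
    }

    /** Supplies the current request; when set and the method is GET, only fields named like a request parameter are escaped. */
    public void setRequest(HttpServletRequest request) {
        this.request = request;
    }

    /**
     * Escapes the arguments in place and invokes the real method on the target.
     *
     * @return whatever the controller method returns
     * @throws Throwable the controller's own exception, unwrapped. The original used
     *         {@code Method.invoke}, which wraps anything the controller throws in
     *         InvocationTargetException, so callers up the stack saw that wrapper
     *         instead of the controller's exception type.
     */
    @Override
    public Object intercept(Object obj, Method method, Object[] args, MethodProxy proxy) throws Throwable {
        if (args != null) {
            for (int i = 0; i < args.length; i++) {
                Object arg = args[i];
                if (arg == null) {
                    continue;
                }
                if (arg instanceof String) {
                    args[i] = stringXssReplace((String) arg);
                } else if (isFilteredType(arg.getClass())) {
                    objectXssReplace(arg);
                }
            }
        }
        // MethodProxy.invoke calls the original method on the target without the
        // InvocationTargetException wrapping that Method.invoke adds.
        return proxy.invoke(target, args);
    }

    /** True when the class name starts with one of the configured package prefixes. */
    private boolean isFilteredType(Class<?> type) {
        String className = type.getName();
        for (String prefix : objectMatchPackages) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** HTML-escapes a single String argument via Spring's HtmlUtils. */
    private String stringXssReplace(String argument) {
        return HtmlUtils.htmlEscape(argument);
    }

    /**
     * HTML-escapes, in place, the non-null String fields of {@code argument}.
     * Static and final fields are skipped: a static field is class-wide state that
     * would leak escaped text across requests, and a static final field cannot be
     * set even after makeAccessible (IllegalAccessException), so with the original
     * filter a DTO holding a {@code static final String} constant failed the request.
     * An instance final field is skipped as well because it was declared immutable.
     */
    private void objectXssReplace(final Object argument) {
        if (argument == null) {
            return;
        }

        ReflectionUtils.doWithFields(argument.getClass(), new FieldCallback() {

            @Override
            public void doWith(Field field) throws IllegalArgumentException, IllegalAccessException {
                ReflectionUtils.makeAccessible(field);
                String current = (String) field.get(argument);
                if (current != null) {
                    field.set(argument, HtmlUtils.htmlEscape(current));
                }
            }

        }, new FieldFilter() {

            @Override
            public boolean matches(Field field) {
                if (!String.class.equals(field.getType())) {
                    return false;
                }
                int mods = field.getModifiers();
                if (java.lang.reflect.Modifier.isStatic(mods) || java.lang.reflect.Modifier.isFinal(mods)) {
                    return false;
                }
                // On GET only fields whose name also appears as a request parameter
                // are escaped; for every other HTTP method all String fields are.
                if (request != null && "GET".equals(request.getMethod())) {
                    return request.getParameterMap().containsKey(field.getName());
                }
                return true;
            }

        });
    }
}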
web.xml 替换DispatcherServlet
<!-- Swap org.springframework.web.servlet.DispatcherServlet for the project's
     DispatcherServletWrapper to enable the controller-proxy XSS escaping.
     As listed here the wrapper line is commented out and the stock DispatcherServlet
     is the active servlet-class, i.e. this is the reverted configuration. -->
<servlet>
<servlet-name>SpringMVC</servlet-name>
<!-- security test: to enable, uncomment the next line and remove the stock servlet-class below -->
<!-- <servlet-class>com.xx.xx.bmms.web.filter.DispatcherServletWrapper</servlet-class> -->
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-mvc-bpbj.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
</servlet>
再次测试,已解决。不过本人不推荐此方案:它在调用 Controller 之前就对 String 参数和对象的 String 字段做了 HTML 转义,业务层拿到并保存的是转义后的内容,不需要转义的正常业务数据也会被改写,因此会影响业务。
- import java.io.IOException;
-
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
-
- public class XssFilter implements Filter{
-
/** Configuration handed over in {@link #init(FilterConfig)} and cleared again in destroy(); not read otherwise. */
FilterConfig filterConfig;
-
/** Drops the stored FilterConfig when the container retires this filter. */
@Override
public void destroy() {
    filterConfig = null;
}
-
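/**
 * Wraps the incoming request in {@link XssShellInterceptor} so that downstream code
 * reads cleaned parameter and header values, then continues the chain. The response
 * is passed through untouched.
 *
 * @throws ServletException when the request is not an HTTP request. The original
 *         cast unconditionally and would have failed with a ClassCastException;
 *         the filter now fails closed with a clear message rather than letting an
 *         unwrapped request through.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    if (!(request instanceof HttpServletRequest)) {
        throw new ServletException("XssFilter only supports HTTP requests");
    }
    chain.doFilter(new XssShellInterceptor((HttpServletRequest) request), response);
}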
-
/** Remembers the container-supplied configuration; no init-params are read here. */
@Override
public void init(FilterConfig filterConfig) throws ServletException {
    this.filterConfig = filterConfig;
}
XssShellInterceptor类(HttpServletRequestWrapper)
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
-
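/**
 * Request wrapper that runs a token blocklist over parameter and header values
 * before the application sees them.
 * <p>
 * NOTE(review): this is a blocklist, not an encoder. The only rules are removing the
 * word "script" and blanking quoted "javascript:" URLs, so event-handler attributes
 * (onerror=, onload=) and other payloads are untouched, and legitimate text that
 * contains "script" (e.g. "description") is mangled. The request body (JSON etc.) is
 * not covered at all. Context-aware output encoding at render time is the reliable
 * XSS defense; treat this wrapper as a stop-gap.
 */
public class XssShellInterceptor extends HttpServletRequestWrapper {

    /**
     * Quoted javascript: URL, original pattern text. Matched case-insensitively so
     * "JavaScript:" is caught as well (the original replaceAll was case-sensitive).
     */
    private static final Pattern JS_URL_PATTERN =
            Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", Pattern.CASE_INSENSITIVE);

    /** The blocked token; case-insensitive because "<SCRIPT>" bypassed the original rule. */
    private static final Pattern SCRIPT_TOKEN = Pattern.compile("script", Pattern.CASE_INSENSITIVE);

    public XssShellInterceptor(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        return cleanAll(super.getParameterValues(parameter));
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Applies the same cleaning to the whole parameter map. The original class did
     * not override this method, so any caller reading parameters through
     * getParameterMap() received the raw values.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /** Multi-valued headers were previously readable unfiltered via getHeaders(name). */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> cleaned = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            String value = raw.nextElement();
            cleaned.add(value == null ? null : cleanXSS(value));
        }
        return Collections.enumeration(cleaned);
    }

    /** Cleans every element of a value array; null in, null out. */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Blanks quoted javascript: URLs, then strips the token "script" until no
     * occurrence is left. The original did a single pass, which turned
     * "scrscriptipt" into "script" and let it through.
     *
     * @param value non-null raw value
     * @return the cleaned value
     */
    private static String cleanXSS(String value) {
        value = JS_URL_PATTERN.matcher(value).replaceAll("\"\"");
        String previous;
        do {
            previous = value;
            value = SCRIPT_TOKEN.matcher(value).replaceAll("");
        } while (!value.equals(previous));
        return value;
    }

}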
web.xml 添加filter
<!-- Registers XssFilter, which wraps every request in XssShellInterceptor, on all
     paths. Filters run in the order their filter-mapping elements appear in web.xml,
     so place this mapping before any filter that reads request parameters.
     NOTE(review): no dispatcher element is given, so this mapping applies to the
     REQUEST dispatch only; confirm whether FORWARD/INCLUDE/ERROR dispatches need it. -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.xx.xx.bmms.web.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
再次测试,已解决。注意:如果 web.xml 中有多个 filter,它们按 &lt;filter-mapping&gt; 在 web.xml 中出现的顺序依次执行,需确认 XssFilter 排在读取请求参数的 filter 之前;另外该方案只处理了请求参数和请求头,请求体(如 JSON)不在过滤范围内。