我要评论xss
跨站脚本工具(cross 斯特scripting),为不和层叠样式表(cascading style sheets,css)的缩写混淆,故将跨站脚本攻击缩写为xss。恶意攻击者往web页面里插入恶意scriptscript代码,当用户浏览该页之时,嵌入其中web里面的script代码会被执行,从而达到恶意攻击用户的目的。防止xss攻击简单的预防就是对request请求中的一些参数去掉一些比较敏感的脚本命令。原本是打算通过springmvc的handlerinterceptor机制来实现的,通过获取request然后对request中的参数进行修改,结果虽然值修改了,但在controller中获取的数值还是没有修改的。没办法就是要filter来完成。简单来说就是创建一个新的httprequest类xsshttpservletrequestwrapper,然后重写一些get方法(获取参数时对参数进行xss判断预防)
流程梳理
包装request->创建过滤器->添加过滤器
1.创建包装request的类 xsshttpservletrequestwrapper
import java.io.bufferedreader;
import java.io.bytearrayinputstream;
import java.io.ioexception;
import java.io.inputstreamreader;
import java.nio.charset.charset;
import java.util.regex.matcher;
import java.util.regex.pattern;
import javax.servlet.readlistener;
import javax.servlet.servletinputstream;
import javax.servlet.servletoutputstream;
import javax.servlet.http.httpservletrequest;
import javax.servlet.http.httpservletrequestwrapper;
import javax.servlet.http.httpservletresponse;
import org.slf4j.logger;
import org.slf4j.loggerfactory;
import com.sysware.framework.exceptions.syswareruntimeexception;
import com.sysware.framework.file.service.impl.filegridserviceimpl;
public class xsshttpservletrequestwraper extends httpservletrequestwrapper {
private logger log = loggerfactory.getlogger(filegridserviceimpl.class);
public xsshttpservletrequestwraper() {
super(null);
}
public xsshttpservletrequestwraper(httpservletrequest httpservletrequest) {
super(httpservletrequest);
}
//过滤springmvc中的 @requestparam 注解中的参数
public string[] getparametervalues(string s) {
string str[] = super.getparametervalues(s);
if (str == null) {
return null;
}
int i = str.length;
string as1[] = new string[i];
for (int j = 0; j < i; j++) {
//system.out.println("getparametervalues:"+str[j]);
as1[j] = cleanxss(cleansqlinject(str[j]));
}
log.info("xsshttpservletrequestwraper净化后的请求为:==========" + as1);
return as1;
}
//过滤request.getparameter的参数
public string getparameter(string s) {
string s1 = super.getparameter(s);
if (s1 == null) {
return null;
} else {
string s2 = cleanxss(cleansqlinject(s1));
log.info("xsshttpservletrequestwraper净化后的请求为:==========" + s2);
return s2;
}
}
//过滤请求体 json 格式的
@override
public servletinputstream getinputstream() throws ioexception {
final bytearrayinputstream bais = new bytearrayinputstream(inputhandlers(super.getinputstream ()).getbytes ());
return new servletinputstream() {
@override
public int read() throws ioexception {
return bais.read();
}
@override
public boolean isfinished() {
return false;
}
@override
public boolean isready() {
return false;
}
@override
public void setreadlistener(readlistener readlistener) { }
};
}
public string inputhandlers(servletinputstream servletinputstream){
stringbuilder sb = new stringbuilder();
bufferedreader reader = null;
try {
reader = new bufferedreader(new inputstreamreader(servletinputstream, charset.forname("utf-8")));
string line = "";
while ((line = reader.readline()) != null) {
sb.append(line);
}
} catch (ioexception e) {
e.printstacktrace();
} finally {
if (servletinputstream != null) {
try {
servletinputstream.close();
} catch (ioexception e) {
e.printstacktrace();
}
}
if (reader != null) {
try {
reader.close();
} catch (ioexception e) {
e.printstacktrace();
}
}
}
return cleanxss(sb.tostring ());
}
public string cleanxss(string src) {
string temp = src;
src = src.replaceall("<", "<").replaceall(">", ">");
src = src.replaceall("\\(", "(").replaceall("\\)", ")");
src = src.replaceall("'", "");
src = src.replaceall(";", "");
/**-----------------------start--------------------------*/
src = src.replaceall("<", "& lt;").replaceall(">", "& gt;");
src = src.replaceall("\\(", "& #40;").replaceall("\\)", "& #41");
src = src.replaceall("eval\\((.*)\\)", "");
src = src.replaceall("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
// src = src.replaceall("script", "");
// src = src.replaceall("link", "");
// src = src.replaceall("frame", "");
/**-----------------------end--------------------------*/
pattern pattern = pattern.compile("(eval\\((.*)\\)|script)",
pattern.case_insensitive);
matcher matcher = pattern.matcher(src);
src = matcher.replaceall("");
pattern = pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",
pattern.case_insensitive);
matcher = pattern.matcher(src);
src = matcher.replaceall("\"\"");
// 增加脚本
src = src.replaceall("script", "").replaceall(";", "")
/*.replaceall("\"", "").replaceall("@", "")*/
.replaceall("0x0d", "").replaceall("0x0a", "");
// if (!temp.equals(src)) {
// // system.out.println("输入信息存在xss攻击!");
// // system.out.println("原始输入信息-->" + temp);
// // system.out.println("处理后信息-->" + src);
//
// log.error("xss攻击检查:参数含有非法攻击字符,已禁止继续访问!!");
// log.error("原始输入信息-->" + temp);
//
// throw new syswareruntimeexception("xss攻击检查:参数含有非法攻击字符,已禁止继续访问!!");
// }
return src;
}
//输出
public void outputmsgbyoutputstream(httpservletresponse response, string msg) throws ioexception {
servletoutputstream outputstream = response.getoutputstream(); //获取输出流
response.setheader("content-type", "text/html;charset=utf-8"); //通过设置响应头控制浏览器以utf-8的编码显示数据,如果不加这句话,那么浏览器显示的将是乱码
byte[] databytearr = msg.getbytes("utf-8");// 将字符转换成字节数组,指定以utf-8编码进行转换
outputstream.write(databytearr);// 使用outputstream流向客户端输出字节数组
}
// 需要增加通配,过滤大小写组合
public string cleansqlinject(string src) {
string lowsrc = src.tolowercase();
string temp = src;
string lowsrcafter = lowsrc.replaceall(" insert ", "forbidi")
.replaceall(" select ", "forbids")
.replaceall(" update ", "forbidu")
.replaceall(" delete ", "forbidd").replaceall(" and ", "forbida")
.replaceall(" or ", "forbido").replace("'", "");
if (!lowsrcafter.equals(lowsrc)) {
log.error("sql注入检查:输入信息存在sql攻击!");
log.error("原始输入信息-->" + temp);
log.error("处理后信息-->" + lowsrc);
throw new syswareruntimeexception("sql注入检查:参数含有非法攻击字符,已禁止继续访问!!");
}
return src;
}
}注意:
getinputstream()方法的流处理,注解方式获取数据貌似是根据这个流取得的数据。
因为super.getinputstream()流只允许读取一次,所以在getinputstream()方法中处理完流数据后返回了一个新的servletinputstream。另外替换方法里的替换规则,也可以根据实际业务需要进行调整。
2.创建过滤器 xssfilter
@component
public class xssfilter implements filter {
// 忽略权限检查的url地址
private final string[] excludeurls = new string[]{
"/api/item","api/document"
};
public void dofilter(servletrequest arg0, servletresponse arg1, filterchain arg2)
throws ioexception, servletexception {
httpservletrequest req = (httpservletrequest) arg0;
httpservletresponse response = (httpservletresponse) arg1;
string pathinfo = req.getpathinfo() == null ? "" : req.getpathinfo();
//获取请求url的后两层
string url = req.getservletpath() + pathinfo;
//获取请求你ip后的全部路径
string uri = req.getrequesturi();
//注入xss过滤器实例
xsshttpservletrequestwraper reqw = new xsshttpservletrequestwraper(req);
//过滤掉不需要的xss校验的地址
for (string str : excludeurls) {
if (uri.indexof(str) >= 0) {
//过滤
arg2.dofilter(reqw, response);
return;
}
}
arg2.dofilter(arg0, response);
}
public void destroy() {
}
public void init(filterconfig filterconfig1) throws servletexception {
}
}到此这篇关于springboot实现防止xss攻击的示例详解的文章就介绍到这了,更多相关springboot防止xss攻击内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论