Java实现XSS防御

XSS概述

跨站脚本攻击(Cross Site Scripting)，缩写为XSS。恶意攻击者往Web页面里插入恶意Script代码，当用户浏览该页之时，嵌入其中Web里面的Script代码会被执行，从而达到恶意攻击用户的目的。

Servlet的方式

1、继承HttpServletRequestWrapper，实现对请求参数的过滤

/** * xss请求适配器 */public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {    public XssHttpServletRequestWrapper(HttpServletRequest request) {        super(request);    }    /**     * 对数组参数进行特殊字符过滤     */    @Override    public String[] getParameterValues(String name) {        String[] values = super.getParameterValues(name);        if (values == null) {            return null;        }        int count = values.length;        String[] encodedValues = new String[count];        for (int i = 0; i < count; i++) {            encodedValues[i] = cleanXSS(values[i]);        }        return encodedValues;    }    /**     * 对参数中特殊字符进行过滤     */    @Override    public String getParameter(String name) {        String value = super.getParameter(name);        if (value == null) {            return null;        }        return cleanXSS(value);    }    /**     * 获取attribute,特殊字符过滤     */    @Override    public Object getAttribute(String name) {        Object value = super.getAttribute(name);        if (value != null && value instanceof String) {            cleanXSS((String) value);        }        return value;    }    /**     * 对请求头部进行特殊字符过滤     */    @Override    public String getHeader(String name) {        String value = super.getHeader(name);        if (value == null) {            return null;        }        return cleanXSS(value);    }    /**     * 转义字符,使用该方法存在一定的弊端     *      * @param value     * @return     */    private String cleanXSS2(String value) {        // 移除特殊标签        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");        value = value.replaceAll("'", "&#39;");        value = value.replaceAll("eval\\((.*)\\)", "");        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");        value = value.replaceAll("script", "");        return value;    }    private String cleanXSS(String value) {        if (value != null) {            //推荐使用ESAPI库来避免脚本攻击,value = ESAPI.encoder().canonicalize(value);            // 避免空字符串            value = value.replaceAll(" ", "");            // 避免script 标签            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // 避免src形式的表达式            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // 删除单个的 </script> 标签            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // 删除单个的<script ...> 标签            scriptPattern = Pattern.compile("<script(.*?)>",                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // 避免 eval(...) 形式表达式            scriptPattern = Pattern.compile("eval\\((.*?)\\)",                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // 避免 e­xpression(...) 表达式            scriptPattern = Pattern.compile("e­xpression\\((.*?)\\)",                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // 避免 javascript: 表达式            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // 避免 vbscript:表达式            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // 避免 onload= 表达式            scriptPattern = Pattern.compile("onload(.*?)=",                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");        }        return value;    }}

2、实现Filter，实现XSS过滤器

/** * xss过滤器 */public class XssFilter implements Filter {    FilterConfig filterConfig = null;    @Override    public void init(FilterConfig filterConfig) throws ServletException {        this.filterConfig = filterConfig;    }    @Override    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)            throws IOException, ServletException {        //对请求进行拦截,防xss处理        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);    }    @Override    public void destroy() {        this.filterConfig = null;    }}

3、注入XSS过滤器，两种方式
第一种方式：配置web.xml

<!-- xss过滤器 --><filter>    <filter-name>XssSqlFilter</filter-name>    <filter-class>cn.aric.xss.XssFilter</filter-class></filter><filter-mapping>    <filter-name>XssSqlFilter</filter-name>    <url-pattern>/*</url-pattern>    <dispatcher>REQUEST</dispatcher>    <dispatcher>FORWARD</dispatcher></filter-mapping>

第二种方式：注解

/** * 注入Xss过滤器(注解方式) */public class WebInitializer implements WebApplicationInitializer{    @Override    public void onStartup(ServletContext servletContext) throws ServletException {        //添加监听器        servletContext.addListener(RequestContextListener.class);        //添加过滤器        Dynamic xssFilterRegistration = servletContext.addFilter("XssFilter", XssFilter.class);        //添加映射规则        xssFilterRegistration.addMappingForUrlPatterns(                EnumSet.of(DispatcherType.REQUEST,DispatcherType.FORWARD,DispatcherType.INCLUDE),                 false,                 "/*");    }}

Spring整合的方式

1、使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法

/** * 解决XSS跨站脚本攻击和sql注入攻击,使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法 */public class XssSpringHttpServletRequestWrapper extends HttpServletRequestWrapper{    public XssSpringHttpServletRequestWrapper(HttpServletRequest request) {        super(request);    }    /**     * 对数组参数进行特殊字符过滤     */    @Override    public String[] getParameterValues(String name) {        String[] values = super.getParameterValues(name);        String[] newValues = new String[values.length];        for (int i = 0; i < values.length; i++) {            //spring的HtmlUtils进行转义            newValues[i] = HtmlUtils.htmlEscape(values[i]);        }        return newValues;    }    /**     * 拦截参数,并对其进行字符转义     */    @Override    public String getParameter(String name) {        return HtmlUtils.htmlEscape(name);    }    /**     * 拦截参数,并对其进行字符转义     */    @Override    public Object getAttribute(String name) {        return HtmlUtils.htmlEscape(name);    }}

2、实现XSS过滤器

/** * spring方式xss过滤器 */public class XssSpringFilter implements Filter{    @Override    public void init(FilterConfig filterConfig) throws ServletException {    }    @Override    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)            throws IOException, ServletException {        HttpServletRequest req = (HttpServletRequest) request;        chain.doFilter(new XssSpringHttpServletRequestWrapper(req), response);    }    @Override    public void destroy() {    }}

3、配置XSS过滤器

<!-- spring方式的xss过滤器 --><filter>    <filter-name>xssSpringFilter</filter-name>    <filter-class>cn.aric.xss.XssSpringHttpServletRequestWrapper</filter-class></filter><filter-mapping>    <filter-name>xssSpringFilter</filter-name>    <url-pattern>/*</url-pattern></filter-mapping>