xss攻击防御
HttpServletRequestWrapper的子类中的方法没有被调用
XssHttpServletRequestWrapper中的方法没有被调用
(GET /ranking/category-hb/&cat=bh%22onmouseover=alert(9713)%3E%22)@416977618 org.eclipse.jetty.server.Request@18da92d2
https://b.svncode.cnsuning.com/svn/SES-TOOLS/branches/ses-tools_V2.0.1/
7月7日:独立解决XSS攻击问题:
/*方法一,可用,但是是阻止访问
* HttpServletRequest req=(HttpServletRequest)request;
String servletPath = req.getServletPath();
boolean aa = servletPath.contains("\"");
if(aa)
{
return ;
}
else
{
//String cleanPath = processXSS(servletPath);
chain.doFilter(req, response);
}*/
方法二:仅适用于URL中的参数注入(注意:下面用 setAttribute 写回的是 request 属性,不会改变 getParameter/getParameterValues 的返回值,后续代码若仍通过参数接口读取,拿到的依然是原始值)
/*
* HttpServletRequest servletrequest = (HttpServletRequest) request;
HttpServletResponse servletresponse = (HttpServletResponse) response;
String param = "";
String paramValue = "";
java.util.Enumeration params = request.getParameterNames();
//设置请求编码格式
servletresponse.setContentType("text/html");
servletresponse.setCharacterEncoding("UTF-8");
servletrequest.setCharacterEncoding("UTF-8");
String servletPath = ((HttpServletRequest) request).getServletPath();
while (params.hasMoreElements()){
param = (String) params.nextElement(); //获取请求中的参数
String[] values = servletrequest.getParameterValues(param);//获得每个参数对应的值
for (int i = 0; i < values.length; i++) {
paramValue = values[i];
paramValue = paramValue.replaceAll("\"","“");
//这里还可以增加,如领导人 自动转义成****,可以从数据库中读取非法关键字。
values[i] = paramValue;
}
//把转义后的参数重新放回request中
request.setAttribute(param, paramValue);
}
String servletPath2 = ((HttpServletRequest) request).getServletPath();
chain.doFilter(request, response);*/
方法三:真正做到防止URL注入的方法:
1、web.xml配置:
<filter>
<filter-name>myXssFilter</filter-name>
<filter-class>com.suning.search.compass.service.myXssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myXssFilter</filter-name>
<url-pattern>/ranking/*</url-pattern>
</filter-mapping>
2、写一个自己的过滤器
package com.suning.search.compass.service;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
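/**
 * Servlet filter that hands the rest of the chain a request wrapper whose
 * {@code getServletPath()} has HTML-significant characters neutralised
 * (see {@code myXssHttpServletRequestWrapper}). Mapped in web.xml to {@code /ranking/*}.
 *
 * <p>Only the servlet path is rewritten by the wrapper; request URI, path info, query string
 * and parameters are still returned unchanged, so output written to a response must still be
 * encoded where it is emitted.
 */
public class myXssFilter implements Filter {
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps HTTP requests before delegating to the chain.
     *
     * <p>The published version also computed the path before and after wrapping into two locals
     * that were never read; that dead code is dropped. A request that is not an
     * {@link HttpServletRequest} is passed through untouched instead of failing on the cast.
     *
     * @param request  incoming request
     * @param response outgoing response, passed through unchanged
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest wrapped =
                    new myXssHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(wrapped, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }
}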
3、关键点:重写HttpServletRequestWrapper包装类myXssHttpServletRequestWrapper类,目的是为了改写URL中的特殊符号:
package com.suning.search.compass.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
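/**
 * Request wrapper that replaces HTML-significant characters in the servlet path with
 * HTML character references.
 *
 * <p>Only {@link #getServletPath()} is overridden. Code that reads the same data through
 * {@code getRequestURI()}, {@code getPathInfo()}, {@code getQueryString()} or the parameter
 * accessors still sees the original value, so this wrapper does not replace output encoding
 * at the point where data is written into a response.
 */
public class myXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Wraps {@code request}; the underlying request object is not modified.
     *
     * @param request the request to wrap
     */
    public myXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the wrapped request's servlet path with special characters replaced by
     *         HTML character references; {@code null} if the wrapped path is {@code null}
     */
    @Override
    public String getServletPath() {
        // NOTE(review): the escaped path is what later filters/dispatchers route on —
        // confirm the /ranking/* handlers tolerate the rewritten form.
        return processXSS(super.getServletPath());
    }

    /**
     * Escapes characters that can open or close HTML markup or start a character reference.
     *
     * <p>As published, the cases for {@code > < & # \} appended the very character they matched
     * (and {@code '\'} is not a valid char literal), which made the method a no-op for them;
     * each case now emits a reference that a browser renders as text. Quotes, which the
     * published version replaced with typographic quotes, are encoded the same way for
     * consistency. Each input character is handled once, so the {@code &} of an emitted
     * reference is never re-encoded.
     *
     * @param s raw servlet path; may be {@code null}
     * @return escaped copy, or {@code s} itself when it is {@code null} or empty
     */
    private String processXSS(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                // '<' and '>' delimit tags such as <script>
                case '>':
                    sb.append("&gt;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                // quotes close attribute values, the usual entry point for onXXX= payloads
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                // '&' and '#' start &#number; references, '\' is used in JS/CSS escapes
                case '&':
                    sb.append("&amp;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}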
XssHttpServletRequestWrapper中的方法没有被调用
(GET /ranking/category-hb/&cat=bh%22onmouseover=alert(9713)%3E%22)@416977618 org.eclipse.jetty.server.Request@18da92d2
https://b.svncode.cnsuning.com/svn/SES-TOOLS/branches/ses-tools_V2.0.1/
7月7日:独立解决XSS攻击问题:
/*方法一,可用,但是是阻止访问
* HttpServletRequest req=(HttpServletRequest)request;
String servletPath = req.getServletPath();
boolean aa = servletPath.contains("\"");
if(aa)
{
return ;
}
else
{
//String cleanPath = processXSS(servletPath);
chain.doFilter(req, response);
}*/
方法二:仅适用于URL中的参数注入(注意:下面用 setAttribute 写回的是 request 属性,不会改变 getParameter/getParameterValues 的返回值,后续代码若仍通过参数接口读取,拿到的依然是原始值)
/*
* HttpServletRequest servletrequest = (HttpServletRequest) request;
HttpServletResponse servletresponse = (HttpServletResponse) response;
String param = "";
String paramValue = "";
java.util.Enumeration params = request.getParameterNames();
//设置请求编码格式
servletresponse.setContentType("text/html");
servletresponse.setCharacterEncoding("UTF-8");
servletrequest.setCharacterEncoding("UTF-8");
String servletPath = ((HttpServletRequest) request).getServletPath();
while (params.hasMoreElements()){
param = (String) params.nextElement(); //获取请求中的参数
String[] values = servletrequest.getParameterValues(param);//获得每个参数对应的值
for (int i = 0; i < values.length; i++) {
paramValue = values[i];
paramValue = paramValue.replaceAll("\"","“");
//这里还可以增加,如领导人 自动转义成****,可以从数据库中读取非法关键字。
values[i] = paramValue;
}
//把转义后的参数重新放回request中
request.setAttribute(param, paramValue);
}
String servletPath2 = ((HttpServletRequest) request).getServletPath();
chain.doFilter(request, response);*/
方法三:真正做到防止URL注入的方法:
1、web.xml配置:
<filter>
<filter-name>myXssFilter</filter-name>
<filter-class>com.suning.search.compass.service.myXssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>myXssFilter</filter-name>
<url-pattern>/ranking/*</url-pattern>
</filter-mapping>
2、写一个自己的过滤器
package com.suning.search.compass.service;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
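/**
 * Servlet filter that hands the rest of the chain a request wrapper whose
 * {@code getServletPath()} has HTML-significant characters neutralised
 * (see {@code myXssHttpServletRequestWrapper}). Mapped in web.xml to {@code /ranking/*}.
 *
 * <p>Only the servlet path is rewritten by the wrapper; request URI, path info, query string
 * and parameters are still returned unchanged, so output written to a response must still be
 * encoded where it is emitted.
 */
public class myXssFilter implements Filter {
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps HTTP requests before delegating to the chain.
     *
     * <p>The published version also computed the path before and after wrapping into two locals
     * that were never read; that dead code is dropped. A request that is not an
     * {@link HttpServletRequest} is passed through untouched instead of failing on the cast.
     *
     * @param request  incoming request
     * @param response outgoing response, passed through unchanged
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest wrapped =
                    new myXssHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(wrapped, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }
}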
3、关键点:重写HttpServletRequestWrapper包装类myXssHttpServletRequestWrapper类,目的是为了改写URL中的特殊符号:
package com.suning.search.compass.service;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
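/**
 * Request wrapper that replaces HTML-significant characters in the servlet path with
 * HTML character references.
 *
 * <p>Only {@link #getServletPath()} is overridden. Code that reads the same data through
 * {@code getRequestURI()}, {@code getPathInfo()}, {@code getQueryString()} or the parameter
 * accessors still sees the original value, so this wrapper does not replace output encoding
 * at the point where data is written into a response.
 */
public class myXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Wraps {@code request}; the underlying request object is not modified.
     *
     * @param request the request to wrap
     */
    public myXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the wrapped request's servlet path with special characters replaced by
     *         HTML character references; {@code null} if the wrapped path is {@code null}
     */
    @Override
    public String getServletPath() {
        // NOTE(review): the escaped path is what later filters/dispatchers route on —
        // confirm the /ranking/* handlers tolerate the rewritten form.
        return processXSS(super.getServletPath());
    }

    /**
     * Escapes characters that can open or close HTML markup or start a character reference.
     *
     * <p>As published, the cases for {@code > < & # \} appended the very character they matched
     * (and {@code '\'} is not a valid char literal), which made the method a no-op for them;
     * each case now emits a reference that a browser renders as text. Quotes, which the
     * published version replaced with typographic quotes, are encoded the same way for
     * consistency. Each input character is handled once, so the {@code &} of an emitted
     * reference is never re-encoded.
     *
     * @param s raw servlet path; may be {@code null}
     * @return escaped copy, or {@code s} itself when it is {@code null} or empty
     */
    private String processXSS(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                // '<' and '>' delimit tags such as <script>
                case '>':
                    sb.append("&gt;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                // quotes close attribute values, the usual entry point for onXXX= payloads
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                // '&' and '#' start &#number; references, '\' is used in JS/CSS escapes
                case '&':
                    sb.append("&amp;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}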