解决跨站脚本注入问题
来源:互联网 发布:关键词优化报价 编辑:程序博客网 时间:2024/06/06 03:32
===========================问题描述========================
跨站脚本注入的几种形式
*****="/><script>alert(document.cookie)</script>&passwd=&ok.x=28&ok.y=6
******="/><script>window.open("http://www.baidu.com")</script>
/document/ifr_list_managerHalfway.jsp?subFrame=managerHalfway&Page=2&Pages=2&Count=15&docsfrom="/><script>window.open("http://www.baidu.com")</script>
document/ifr_list_managerHalfway.jsp?docucode=&organiger=&manageEntityId=&Page=1&queryOwn=0&procstatus=&docsfrom=5&subFrame=managerHalfway&docsfrom=5&beginDate=&cbt=&procid=&cfwdw=&wenhao=%5C0%5C%22%5C%27%3E%3CScRiPt%3Ealert%28/shtec%2Bxss%2Btest/%29%3B%3C/ScRiPt%3E
document/ifr_list_managerHalfway.jsp?docucode=&organiger=&manageEntityId=&Page=1&queryOwn=0&procstatus=&docsfrom=5&subFrame=managerHalfway&docsfrom=5&beginDate=&cbt=&procid=&cfwdw="/><script>window.open("http://www.baidu.com")</script>&wenhao="/><script>window.open("http://www.baidu.com")</script>
以上的几种跨站点脚本注入会使页面非正常显示
解决方案
1。增加一个request的转码过滤器=======================
package com.apusic.portal.sso;import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.*;import java.util.*;
/** * Servlet Filter implementation class SqlEscapeFilter */public class SqlEscapeFilter implements Filter {
/** * Default constructor. */ public SqlEscapeFilter() { // TODO Auto-generated constructor stub }
/** * @see Filter#destroy() */ public void destroy() { // TODO Auto-generated method stub }
/** * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // TODO Auto-generated method stub // place your code here HttpServletRequest hreq = (HttpServletRequest)request; Map map = hreq.getParameterMap(); Iterator itr = map.keySet().iterator(); while( itr.hasNext() ) { String key = itr.next().toString(); String [] values = hreq.getParameterValues(key); if( values != null ) { for( int i = 0; i < values.length; i++ ) { values[i] = cleanXSS(values[i]); } } hreq.setAttribute(key, values); } // pass the request along the filter chain chain.doFilter(request, response); }
/** * @see Filter#init(FilterConfig) */ public void init(FilterConfig fConfig) throws ServletException { // TODO Auto-generated method stub } private String cleanXSS(String value) { value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", ")");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value; }
}
2================================
web.xml
<filter>
<display-name>SqlEscapeFilter</display-name>
<filter-name>SqlEscapeFilter</filter-name>
<filter-class>com.apusic.portal.sso.SqlEscapeFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SqlEscapeFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
- 解决跨站脚本注入问题
- 解决跨站脚本注入,跨站伪造用户请求,sql注入等http安全漏洞
- SQL注入脚本问题
- 防脚本注入问题
- 防止sql注入,跨站脚本
- 网络安全-CSRF跨站伪装脚本注入
- 触发器解决SQL注入问题
- ibatis解决sql注入问题
- ibatis解决sql注入问题 .
- ibatis解决sql注入问题
- ibatis解决sql注入问题
- ibatis解决sql注入问题
- ibatis解决sql注入问题
- ibatis解决sql注入问题 .
- mybatis解决sql注入问题
- SQL注入问题及解决
- 解决跨站脚本攻击
- 通过脚本注入(JSONP)解决跨域访问原理分析
- Flex RSL框架 (论及 常见的error # 2032)
- 16进制转byte[]
- 鼠标放上去清空 鼠标放上去清空input
- putty使用技巧-不同颜色显示不同类型的文件
- android mask setXfermode
- 解决跨站脚本注入问题
- android智能手机项目开发小结
- PHP学习笔记——表单数据获取,Session,Cookie
- hadoop学习笔记-hive安装及操作
- ios 之contentmode
- java_synchronized
- 百度搜索结果页面的参数_输入耗时(inputT)
- DOM操作中的API
- 设置不显示ListView的滚动条