A simple web security framework
Source: Internet   Editor: 程序博客网   Time: 2024/04/29 15:39
This web security framework works as a servlet filter that wraps HttpServletRequest and HttpServletResponse and adds input and output filtering on top of them. GitHub: https://github.com/zhwj184/webSecurity
The main protections implemented:
XSS filtering: request parameter names and values, header values and cookie values are filtered (the < and > characters that form a <script> tag are encoded), and the error message sm passed to the response's setStatus(int sc, String sm) is filtered as well. Encoding only < and > stops tag injection in HTML text content; a value that ends up inside an attribute, a script block or a URL still needs context-specific output encoding at the point of output.
CRLF filtering of response header names and values (prevents header injection / response splitting);
Cookie size limit and cookie name whitelist;
File upload extension whitelist;
URLs that may only be submitted via POST;
CSRF defence with a token ID;
Session stored encrypted in a cookie;
Removal of ../ parent-directory segments from static resource paths.
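The wrapping technique the framework is built on, written out as an added illustrative example: a filter that hands the servlet a wrapped request (parameters and headers tag-encoded) and a wrapped response (header CR/LF stripped, cookie name whitelist enforced, redirect target matched against a regex whitelist, setStatus message encoded). This is not the project's code; the class names ExampleSecurityFilter, SafeRequest and SafeResponse, the exception types and the exact encoding choices are assumptions, while the init-param names cookieWhiteList and redirectWhiteList follow the web.xml shown later on this page.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Illustrative filter (not the project's code): wraps request and response to filter input and output. */
public class ExampleSecurityFilter implements Filter {
    private final Set<String> cookieWhiteList = new HashSet<>();
    private final List<Pattern> redirectWhiteList = new ArrayList<>();

    @Override
    public void init(FilterConfig cfg) {
        // Comma-separated init-params, same names as the framework's web.xml uses.
        cookieWhiteList.addAll(Arrays.asList(cfg.getInitParameter("cookieWhiteList").trim().split("\\s*,\\s*")));
        for (String re : cfg.getInitParameter("redirectWhiteList").trim().split("\\s*,\\s*")) {
            redirectWhiteList.add(Pattern.compile(re));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream sees the wrapped objects, so servlets need no changes.
        chain.doFilter(new SafeRequest((HttpServletRequest) req),
                       new SafeResponse((HttpServletResponse) resp));
    }

    @Override
    public void destroy() {}

    /** Encode the two characters that open and close an HTML tag. */
    static String escapeTag(String s) {
        return s == null ? null : s.replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Drop CR and LF so a value cannot end the header line and inject another one. */
    static String stripCrlf(String s) {
        return s == null ? null : s.replace("\r", "").replace("\n", "");
    }

    static class SafeRequest extends HttpServletRequestWrapper {
        SafeRequest(HttpServletRequest r) { super(r); }

        @Override public String getParameter(String name) { return escapeTag(super.getParameter(name)); }

        @Override public String[] getParameterValues(String name) {
            String[] v = super.getParameterValues(name);
            if (v == null) return null;
            String[] out = new String[v.length];
            for (int i = 0; i < v.length; i++) out[i] = escapeTag(v[i]);
            return out;
        }

        @Override public String getHeader(String name) { return escapeTag(super.getHeader(name)); }
    }

    class SafeResponse extends HttpServletResponseWrapper {
        SafeResponse(HttpServletResponse r) { super(r); }

        @Override public void setHeader(String name, String value) { super.setHeader(stripCrlf(name), stripCrlf(value)); }

        @Override public void addHeader(String name, String value) { super.addHeader(stripCrlf(name), stripCrlf(value)); }

        @Override public void addCookie(Cookie c) {
            if (!cookieWhiteList.contains(c.getName())) {
                // Fail closed: a cookie name outside the whitelist is a programming error, not data.
                throw new RuntimeException("cookie:" + c.getName() + " is not in whitelist,not valid.");
            }
            String v = c.getValue();
            // Cookie values: remove line breaks and tag characters instead of entity-encoding them,
            // because the ';' in "&lt;" is itself a cookie delimiter.
            if (v != null) c.setValue(stripCrlf(v).replace("<", "").replace(">", ""));
            super.addCookie(c);
        }

        @Override public void sendRedirect(String location) throws IOException {
            for (Pattern p : redirectWhiteList) {
                if (p.matcher(location).matches()) { super.sendRedirect(location); return; }
            }
            throw new IllegalStateException("redirect target not in whitelist: " + location);
        }

        @SuppressWarnings("deprecation")
        @Override public void setStatus(int sc, String sm) { super.setStatus(sc, escapeTag(sm)); }
    }
}
```

Two things to check when adopting this pattern: every accessor that can return user input needs the same treatment (getParameterMap, getHeaders, getCookies and the others are not overridden above), and because the whitelist patterns are matched with matches() against the full target, relative redirects such as /home only pass if a pattern covers them.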
Usage: configure the corresponding filters in web.xml.
HttpSessionCookitStoreFilter stores the session in a cookie; encryKey is the encryption key. The value in the sample below is a placeholder: generate a random secret for a real deployment and keep it out of version control.
DefaultBaseSecurityFilter is the default security filter; its securityFilterList parameter lists the sub-filters to enable:
CookieWhiteListFilter: cookie name whitelist; when enabled it requires the cookieWhiteList parameter;
CsrfTokenCkeckFilter: validates the CSRF token on POST form submissions. Generate a token ID with CsrfTokenIdCreator and put it both into the form and into the session; the key name must start with csrf_, so that several forms can each carry their own token;
FileUploadSecurityFilter: file upload extension whitelist; requires the whitefilePostFixList parameter;
FormPostPermitCheckFilter: list of URLs that may only be submitted via POST; requires the onlyPostUrlList parameter (regular expressions are supported);
redirectWhiteList: whitelist of allowed redirect target URLs, as regular expressions (escape literal dots in host names, otherwise an unescaped . matches any character);
StaticFilePathSecurityFilter: filters ../ parent-path segments out of the URL. When relying on it, confirm that the check runs on the decoded path and that the resolved file stays under the static root.
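The csrf_ convention described above (a token stored in the session under a key starting with csrf_, the same key and token carried by a hidden field in the form, one pair per form), written out as an added example in the same spirit. This is not the project's CsrfTokenCkeckFilter or CsrfTokenIdCreator; the names ExampleCsrfFilter, createToken, hiddenField and tokenValid, the single-use behaviour and the 403 response are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Illustrative CSRF token filter (not the project's code) using the csrf_ key prefix. */
public class ExampleCsrfFilter implements Filter {
    static final String PREFIX = "csrf_";
    private static final SecureRandom RNG = new SecureRandom();

    /** Create a token for one form, store it in the session under csrf_<formName>, return it for the hidden field. */
    public static String createToken(HttpSession session, String formName) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG: unguessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(PREFIX + formName, token);
        return token;
    }

    /** Hidden field for the form; the parameter name carries the same csrf_ prefix as the session key. */
    public static String hiddenField(String formName, String token) {
        return "<input type=\"hidden\" name=\"" + PREFIX + formName + "\" value=\"" + token + "\">";
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if ("POST".equalsIgnoreCase(r.getMethod()) && !tokenValid(r)) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN, "csrf token check failed");
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Accept the POST only if its csrf_* parameter equals the token stored under the same session key. */
    static boolean tokenValid(HttpServletRequest r) {
        HttpSession session = r.getSession(false);
        if (session == null) return false;               // no session, so no token was ever issued
        Enumeration<String> names = r.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (!name.startsWith(PREFIX)) continue;
            Object expected = session.getAttribute(name);
            String given = r.getParameter(name);
            if (expected == null || given == null) return false;
            // Constant-time comparison so response timing does not leak the token byte by byte.
            boolean ok = MessageDigest.isEqual(
                    expected.toString().getBytes(StandardCharsets.UTF_8),
                    given.getBytes(StandardCharsets.UTF_8));
            if (ok) session.removeAttribute(name);       // single-use (assumption): a replayed form is rejected
            return ok;
        }
        return false;                                    // POST without any csrf_ parameter
    }
}
```

In a JSP or template, call createToken(session, "login") while rendering and emit hiddenField("login", token) inside the form; the filter then finds the csrf_login parameter on submit and compares it with the session entry of the same name, which is what lets several forms on one site coexist without sharing a token.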
Example web.xml:
<filter>
    <filter-name>HttpSessionCookitStoreFilter</filter-name>
    <filter-class>org.websecurity.filter.HttpSessionCookitStoreFilter</filter-class>
    <init-param>
        <param-name>encryKey</param-name>
        <param-value>1234567887654321</param-value> <!-- sample value only; use a random secret in production -->
    </init-param>
</filter>
<filter>
    <filter-name>DefaultBaseSecurityFilter</filter-name>
    <filter-class>org.websecurity.DefaultBaseSecurityFilter</filter-class>
    <init-param>
        <param-name>securityFilterList</param-name>
        <!-- append ,org.websecurity.filter.CsrfTokenCkeckFilter to enable CSRF token checking -->
        <param-value>org.websecurity.filter.CookieWhiteListFilter,org.websecurity.filter.FormPostPermitCheckFilter</param-value>
    </init-param>
    <init-param>
        <param-name>cookieWhiteList</param-name>
        <param-value>id,JSESSIONID,name,clrf</param-value> <!-- the original sample read JESSIONID; Tomcat's session cookie is JSESSIONID -->
    </init-param>
    <init-param>
        <param-name>onlyPostUrlList</param-name>
        <param-value>/d/sssecurity, /user/aaa/name*</param-value> <!-- regular expressions supported -->
    </init-param>
    <init-param>
        <param-name>whitefilePostFixList</param-name>
        <param-value>jpg,png,doc,xls</param-value>
    </init-param>
    <init-param>
        <param-name>encryKey</param-name>
        <param-value>1234567887654321</param-value>
    </init-param>
    <init-param>
        <param-name>redirectWhiteList</param-name>
        <param-value>http://localhost:8080/[0-9A-Za-z]*,http://www.taobao.com/[0-9A-Za-z]*</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>HttpSessionCookitStoreFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>DefaultBaseSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Test code:
package org.websecurity.test;

import java.io.IOException;
import java.nio.ByteBuffer;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = {"/security"},
            initParams = {@WebInitParam(name = "f", value = "valuef"),
                          @WebInitParam(name = "g", value = "valueg")})
public class MySecurityTest extends HttpServlet {
    private static final long serialVersionUID = 1L;

    public MySecurityTest() {
        super();
    }

    @SuppressWarnings("deprecation")
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // XSS parameter filter: call e.g. /security?xssparam=<script>alert(1)</script>
        System.out.println(request.getParameter("xssparam"));
        System.out.println(request.getParameterMap().toString());

        // cookie whitelist filter on output
        System.out.println(request.getCookies().toString());
        response.addCookie(new Cookie("name", "valName"));                   // valid
        response.addCookie(new Cookie("clrf", "valName\r\n<script>"));       // valid name; CRLF and tag characters are filtered
        try {
            response.addCookie(new Cookie("invalidName", "invalidvalName")); // not in whitelist: throws RuntimeException
        } catch (Exception e) {
            e.printStackTrace();
        }

        // cookie max-size filter. Note: ByteBuffer.toString() returns a short descriptor such as
        // "java.nio.HeapByteBuffer[pos=0 lim=4098 cap=4098]", not a 4 KB value, so this line
        // does not actually exercise the size limit.
        response.addCookie(new Cookie("id", ByteBuffer.allocate(4 * 1024 + 2).toString())); // valid

        // header security filter: CR/LF in name and value are removed
        response.setHeader("aaa\r\nbbb", "ccc\r\\ddd\n");

        // session stored in a cookie
        System.out.println(request.getSession().getAttribute("sescookie"));
        request.getSession().setAttribute("sescookie", "sessioncookiestoretest");

        // redirect filter
        // response.sendRedirect("http://www.163.com"); // fails: not in redirectWhiteList

        // status filter
        response.setStatus(404, "<script>alert(1)</script>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.getWriter().write("hello, world");
    }
}
Some output:
<script>alert(1)</script>
{xssparam=[Ljava.lang.String;@3476a7}
[Ljavax.servlet.http.Cookie;@1f5865a
java.lang.RuntimeException: cookie:invalidName is not in whitelist,not valid.
    at org.websecurity.SecurityHttpServletResponse.addCookie(SecurityHttpServletResponse.java:34)
    at org.websecurity.test.MySecurityTest.doGet(MySecurityTest.java:44)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.filter.My3Filter2.doFilter(My3Filter2.java:28)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.filter.My3Filter.doFilter(My3Filter.java:29)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.websecurity.DefaultBaseSecurityFilter.doFilter(DefaultBaseSecurityFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
The trace shows the filter chain in action: DefaultBaseSecurityFilter wraps the response, and the whitelist check in SecurityHttpServletResponse.addCookie rejects the cookie name invalidName with a RuntimeException.