XSS之xssprotect

参考资料
1 跨网站脚本 http://zh.wikipedia.org/wiki/XSS
2 http://code.google.com/p/xssprotect/
一 跨网站脚本介绍
     跨网站脚本（Cross-site scripting，通常简称为XSS或跨站脚本或跨站脚本攻击）是一种网站应用程序的安全漏洞攻击，是代码注入的一种。它允许恶意用户将代码注入到网页上，其他用户在观看网页时就会受到影响。这类攻击通常包含了HTML以及用户端脚本语言。
XSS攻击通常指的是通过利用网页开发时留下的漏洞，通过巧妙的方法注入恶意指令代码到网页，使用户加载并执行攻击者恶意制造的网页程序。这些恶意网页程序通常是JavaScript，但实际上也可以包括Java， VBScript， ActiveX， Flash 或者甚至是普通的HTML。攻击成功后，攻击者可能得到包括但不限于更高的权限（如执行一些操作）、私密网页内容、会话和cookie等各种内容。
二 常用的XSS攻击手段和目的
  盗用 cookie ，获取敏感信息。
利用植入 Flash ，通过 crossdomain 权限设置进一步获取更高权限；或者利用Java等得到类似的操作。
利用 iframe、frame、XMLHttpRequest或上述Flash等方式，以（被攻击）用户的身份执行一些管理动作，或执行一些一般的如发微博、加好友、发私信等操作。
  利用可被攻击的域受到其他域信任的特点，以受信任来源的身份请求一些平时不允许的操作，如进行不当的投票活动。
  在访问量极大的一些页面上的XSS可以攻击一些小型网站，实现DDoS攻击的效果。
三 漏洞的防御和利用
避免XSS的方法之一主要是将用户所提供的内容进行过滤，许多语言都有提供对HTML的过滤：

    PHP的htmlentities()或是htmlspecialchars()。
    Python的cgi.escape()。
    ASP的Server.HTMLEncode()。
    ASP.NET的Server.HtmlEncode()或功能更强的Microsoft Anti-Cross Site Scripting Library
    Java的xssprotect(Open Source Library)。
    Node.js的node-validator。
四 xssprotect

在Eclipse中通过svn检出项目源地址：http://xssprotect.googlecode.com/svn/trunk/如下图

通用使用方式：http://code.google.com/p/xssprotect/wiki/HowTouse

package com.xss.example;import java.io.IOException;import java.io.StringReader;import java.io.StringWriter;import com.blogspot.radialmind.html.HTMLParser;import com.blogspot.radialmind.html.HandlingException;import com.blogspot.radialmind.xss.XSSFilter;public class XSSTest {public static void main(String[] args) {String html = "<html><head> <title> New Document </title> " +"<script type='text/javascript'>  alert('dddd');   </script> " +"</head> <body>" +"222 <iframe  src='www.google.com'/>  1111" +"<embed ></embed>" +"<link>ddd</link>" +"</body></html>";String v = protectAgainstXSS(html);System.out.println(v);}public static String protectAgainstXSS( String html ) {    StringReader reader = new StringReader( html );    StringWriter writer = new StringWriter();    String text = null;    try {        // Parse incoming string from the "html" variable        HTMLParser.process( reader, writer, new XSSFilter(), true );        // Return the parsed and cleaned up string        text =  writer.toString();    } catch (HandlingException e) {        // Handle the error here in accordance with your coding policies...    }finally{    try {writer.close();reader.close();} catch (IOException e) {e.printStackTrace();}        }    return text;}}

在它的源代码中有二个类需要关注下：
BaseTestCase.java

public abstract class BaseTestCase extends TestCase {protected void testExecute( String html, String result ) {StringReader reader = new StringReader( html );StringWriter writer = new StringWriter();try {HTMLParser.process( reader, writer, new XSSFilter(), true );String buffer = new String( writer.toString() );System.out.println( buffer );assertEquals( result, buffer );} catch (HandlingException e) {e.printStackTrace();fail( e.getMessage() );}}}

XSSFilter.java

/** * Copyright 2008 Gerard Toonstra * * As an exception, this particular file  * in the project is public domain to allow totally * free derivations of this code. *  */package com.blogspot.radialmind.xss;import java.util.HashSet;import java.util.Set;import com.blogspot.radialmind.html.IHTMLFilter;/** * Implementation of a relatively simple XSS filter. This implementation removes * dangerous tags and attributes from tags. It does not verify the validity of  * URL's (that may contain links to JavaScript for example). It does not remove all * event handlers that may still contain XSS vulnerabilities.  *  * Embedded objects are removed because those may contain XSS vulnerabilities in  * their own scripting language (ActionScript for Flash for example). *  * Feel free to derive your own implementation from this file. *  * @author gt * */public class XSSFilter implements IHTMLFilter {private static final Set<String> FORBIDDEN_TAGS = new HashSet<String>();// The tags to be removed. Case insensitive of course.static {FORBIDDEN_TAGS.add( "script" );FORBIDDEN_TAGS.add( "embed" );FORBIDDEN_TAGS.add( "object" );FORBIDDEN_TAGS.add( "layer" );FORBIDDEN_TAGS.add( "style" );FORBIDDEN_TAGS.add( "meta" );FORBIDDEN_TAGS.add( "iframe" );FORBIDDEN_TAGS.add( "frame" );FORBIDDEN_TAGS.add( "link" );FORBIDDEN_TAGS.add( "import" );FORBIDDEN_TAGS.add( "xml" );}/** * This function is called to determine if an attribute should be filtered or not. *  * @param tagNameThe name of the tag the attribute belongs to * @param attrNameThe name of the attribute to be filtered * @param attrValueThe value of the attribute */public boolean filterAttribute(String tagName, String attrName, String attrValue) {if ( attrName.toLowerCase().startsWith( "on" )) {return true;}return isScriptedAttributeValue( attrValue );}/** * This method is called to determine if a tag should be filtered *  * @param tagNameThe name of the tag that was parsed */public boolean filterTag(String tagName) {if ( FORBIDDEN_TAGS.contains( tagName )) {return true;}return false;}/** * This method is called to modify attribute values, if required *  * @param tagNameThe name of the tag the attribute belongs to * @param attrNameThe name of the attribute within the tag * @param attrValueThe value of the attribute */public String modifyAttributeValue(String tagName, String attrName, String attrValue) {return attrValue;}/** * This method is called to be able to modify the text of a node. *  * @param tagNameThe name of the tag where the text is part of. * @param textThe value of the text within the tagnode (within <tag>...</tag>) */public String modifyNodeText(String tagName, String text) {return text;}/** * Private method that determines if an attribute value is scripted * (potentially loaded with an XSS attack vector). *  * @param attrValueThe value of the attribute * @return "true" if the attribute is scripted. "false" if not. */private boolean isScriptedAttributeValue( String attrValue ) {attrValue = decode( attrValue );attrValue = attrValue.trim().toLowerCase();if ( attrValue.contains( "javascript:" )) {return true;}if ( attrValue.contains( "mocha:" )) {return true;}if ( attrValue.contains( "eval" )) {return true;}if ( attrValue.contains( "vbscript:" )) {return true;}if ( attrValue.contains( "livescript:" )) {return true;}if ( attrValue.contains( "expression(" )) {return true;}if ( attrValue.contains( "url(" )) {return true;}if ( attrValue.contains( "&{" )) {return true;}if ( attrValue.contains( "&#" )) {return true;}return false;}/** * Private method to remove control characters from the value *  * @param valueThe value being modified * @returnThe value free from control characters */private String decode( String value ) {value = value.replace("\u0000", "" );value = value.replace("\u0001", "" );value = value.replace("\u0002", "" );value = value.replace("\u0003", "" );value = value.replace("\u0004", "" );value = value.replace("\u0005", "" );value = value.replace("\u0006", "" );value = value.replace("\u0007", "" );value = value.replace("\u0008", "" );value = value.replace("\u0009", "" );value = value.replace("\n", "" );value = value.replace("\u000B", "" );value = value.replace("\u000C", "" );value = value.replace("\r", "" );value = value.replace("\u000E", "" );value = value.replace("\u000F", "" );value = value.replace("\u0010", "" );value = value.replace("\u0011", "" );value = value.replace("\u0012", "" );value = value.replace("\u0013", "" );value = value.replace("\u0014", "" );value = value.replace("\u0015", "" );value = value.replace("\u0016", "" );value = value.replace("\u0017", "" );value = value.replace("\u0018", "" );value = value.replace("\u0019", "" );value = value.replace("\u001A", "" );value = value.replace("\u001B", "" );value = value.replace("\u001C", "" );value = value.replace("\u001D", "" );value = value.replace("\u001E", "" );value = value.replace("\u001F", "" );return value;}}

通过这个过滤就知道它要做什么了

• xssProtect-0.1.jar (39.8 KB)
• 下载次数: 360

• antlr-3.0.jar (533.7 KB)
• 下载次数: 302

转自：http://liuzidong.iteye.com/blog/1744023