Java Filter过滤xss注入非法参数的方法
web.xml:
<!-- XSS parameter-sanitising filter (class XssSecurityFilter below).
     It is mapped by URL extension and by the "dispatcher" servlet name only:
     any request whose path matches none of these mappings reaches the
     application with unfiltered parameters.
     No <dispatcher> element is given, so by the servlet default the filter
     runs on client REQUESTs only, not on FORWARD/INCLUDE dispatches
     (XssSecurityManager.wrapRequest assumes re-entry on include/forward;
     NOTE(review): confirm which behaviour is intended). -->
<filter>
  <filter-name>XSSFiler</filter-name>
  <filter-class> com.paic.mall.web.filter.XssSecurityFilter </filter-class>
</filter>
<filter-mapping>
  <filter-name>XSSFiler</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>XSSFiler</filter-name>
  <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>XSSFiler</filter-name>
  <url-pattern>*.screen</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>XSSFiler</filter-name>
  <url-pattern>*.shtml</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>XSSFiler</filter-name>
  <servlet-name>dispatcher</servlet-name>
</filter-mapping>
XssSecurityFilter.java
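/**
 * Servlet filter that wraps every matched request in an {@link XssHttpRequestWrapper}
 * so that the getParameter* family returns XSS-sanitised values.
 * <p>
 * Only request parameters are covered by the wrapper; headers, cookies and the raw
 * request body pass through untouched.
 * <p>
 * NOTE(review): {@code XssSecurityManager.enable} is parsed from the config file but
 * is never consulted here or in the manager, so this filter always sanitises.
 */
public class XssSecurityFilter implements Filter {

    protected final Logger log = Logger.getLogger(this.getClass());

    /** Nothing to configure; only logs start-up. */
    public void init(FilterConfig config) throws ServletException {
        if (log.isInfoEnabled()) {
            log.info("XSSSecurityFilter Initializing ");
        }
    }

    /** Nothing to release; only logs shutdown. */
    public void destroy() {
        if (log.isInfoEnabled()) {
            log.info("XSSSecurityFilter destroy() end");
        }
    }

    /**
     * Wraps the request and continues the chain.
     * <p>
     * If the incoming request is already an {@link XssHttpRequestWrapper} (the
     * filter was re-entered), that wrapper is reused and its parameter cache is
     * reset by {@link XssSecurityManager#wrapRequest}; otherwise a new wrapper is
     * created. The original code wrapped first and then passed the fresh wrapper to
     * wrapRequest, so the "already wrapped" branch could never be taken and a
     * re-entered request was wrapped twice.
     *
     * @param request  the request; must be an HttpServletRequest (as in the
     *                 original, a non-HTTP request fails with ClassCastException)
     * @param response passed through unchanged
     * @param chain    the remaining filter chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // Same object with its cache cleared when already wrapped; otherwise the
        // request is returned unchanged and we wrap it ourselves.
        HttpServletRequest wrapped = XssSecurityManager.wrapRequest(httpRequest);
        if (!(wrapped instanceof XssHttpRequestWrapper)) {
            wrapped = new XssHttpRequestWrapper(httpRequest);
        }
        chain.doFilter(wrapped, response);
    }
}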
XssHttpRequestWrapper.java
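/**
 * Request wrapper that applies the XSS sanitisation of {@link XssSecurityManager}
 * to request parameters, replacing the getParameter* family of the original request.
 * <p>
 * Not thread-safe: the filtered parameter cache is an unsynchronised field.
 * <p>
 * Only query/form parameters are covered. Headers, cookies, path info and the raw
 * request body are returned by the wrapped request untouched, so this wrapper is
 * not a complete XSS defense on its own.
 * <p>
 * The sanitised values are built on a private copy of the parameter map (map and
 * value arrays cloned). The original code filtered the container's own arrays in
 * place, which mutates the underlying request's parameter storage.
 */
public class XssHttpRequestWrapper extends HttpServletRequestWrapper {

    /** Lazily built, sanitised copy of the parameter map; null until first access. */
    protected Map parameters;

    /**
     * Wraps the given HTTP request.
     *
     * @param request the original request
     */
    public XssHttpRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Changes the request encoding and drops the filtered cache, so parameters are
     * decoded and filtered again under the new encoding on next access.
     */
    @Override
    public void setCharacterEncoding(String enc) throws UnsupportedEncodingException {
        super.setCharacterEncoding(enc);
        refiltParams();
    }

    /** Discards the cached filtered parameters; the next access rebuilds them. */
    void refiltParams() {
        parameters = null;
    }

    /** @return the first sanitised value for the name, or null if absent */
    @Override
    public String getParameter(String string) {
        String[] values = getParameterValues(string);
        if (values != null && values.length > 0) {
            return values[0];
        }
        return null;
    }

    /** @return all sanitised values for the name, or null if absent */
    @Override
    public String[] getParameterValues(String string) {
        ensureFiltered();
        return (String[]) parameters.get(string);
    }

    /** @return an unmodifiable view of the sanitised parameter map (per servlet spec) */
    @Override
    public Map getParameterMap() {
        ensureFiltered();
        return java.util.Collections.unmodifiableMap(parameters);
    }

    /** Builds the filtered cache if it has not been built (or was reset). */
    private void ensureFiltered() {
        if (parameters == null) {
            paramXssFilter();
        }
    }

    /**
     * Copies the underlying request's parameter map (cloning each String[]) and
     * runs the XSS replacement over the copy for this servlet path.
     */
    private void paramXssFilter() {
        Map original = getRequest().getParameterMap();
        Map copy = new java.util.HashMap(original.size());
        for (java.util.Iterator it = original.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            String[] values = (String[]) entry.getValue();
            copy.put(entry.getKey(), values == null ? null : (String[]) values.clone());
        }
        XssSecurityManager.filtRequestParams(copy, this.getServletPath());
        parameters = copy;
    }
}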
XssSecurityManager.java
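/**
 * Loads the XSS filter configuration ({@code /xss_security_config.xml} on the
 * classpath) and rewrites characters that could open an HTML/JS context into their
 * full-width look-alikes, which no longer act as markup delimiters.
 * <p>
 * This is a blacklist sanitiser: only the five characters in {@code INVALID_CHARS}
 * and a value-leading "javascript:" token are rewritten ('&amp;', entities, event
 * handler names etc. are left alone), and callers only route request parameters
 * through it. It reduces, but does not replace, context-aware output encoding in
 * the view layer.
 * <p>
 * Config shape as read by {@link #initConfig}:
 * <pre>
 *   &lt;enable&gt;true&lt;/enable&gt;
 *   &lt;filter-mapping&gt;
 *     &lt;url-pattern value="/a/b.do"&gt;&lt;include-param&gt;name&lt;/include-param&gt;...&lt;/url-pattern&gt;
 *     &lt;exclude-url&gt;/x/y.do&lt;/exclude-url&gt;
 *   &lt;/filter-mapping&gt;
 * </pre>
 * A url-pattern with no include-param filters every parameter of that path; a path
 * with no url-pattern at all is filtered completely; an exclude-url path is skipped.
 */
public class XssSecurityManager {

    private static Logger log = Logger.getLogger(XssSecurityManager.class);

    // "javascript:" with optional whitespace between the letters. Anchored at the
    // start of the (trimmed) value, so only values that *begin* with the scheme
    // are caught.
    private final static Pattern[] DANGEROUS_TOKENS = new Pattern[] {
        Pattern.compile("^j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*:", Pattern.CASE_INSENSITIVE)
    };

    // Replacement, index-aligned with DANGEROUS_TOKENS: full-width "ＪＡＶＡＳＣＲＩＰＴ："
    // (U+FF2A..U+FF34, U+FF1A). Written as escapes so a source re-encoding cannot
    // turn it back into ASCII "JAVASCRIPT:", which would be a no-op.
    private final static String[] DANGEROUS_TOKEN_REPLACEMENTS = new String[] {
        "\uFF2A\uFF21\uFF36\uFF21\uFF33\uFF23\uFF32\uFF29\uFF30\uFF34\uFF1A"
    };

    // Characters that can break out of a tag, attribute or JS string.
    private static final char[] INVALID_CHARS = new char[] { '<', '>', '\'', '\"', '\\' };

    // Full-width replacements, index-aligned with INVALID_CHARS: ＜ ＞ ’ “ ＼
    private static final char[] VALID_CHARS = new char[] { '\uFF1C', '\uFF1E', '\u2019', '\u201C', '\uFF3C' };

    // Parsed from <enable>. NOTE(review): read and logged, but never consulted by
    // the filtering methods below or by XssSecurityFilter -- the switch is inert.
    public static boolean enable = false;

    // lower-cased servlet path -> List of parameter names to filter (empty = all)
    public static Map urlPatternMap = new HashMap();

    // lower-cased servlet paths listed in <exclude-url>; these are not filtered
    private static HashSet excludeUris = new HashSet();

    private XssSecurityManager() {
        // static utility, not instantiable
    }

    static {
        init();
    }

    /** Locates the config resource and parses it; a missing file only logs a warning. */
    private static void init() {
        String xssConfig = "/xss_security_config.xml";
        if (log.isDebugEnabled()) {
            log.debug("XSS config file[" + xssConfig + "] init...");
        }
        try {
            InputStream is = XssSecurityManager.class.getResourceAsStream(xssConfig);
            if (is == null) {
                log.warn("XSS config file[" + xssConfig + "] not found.");
                return;
            }
            try {
                initConfig(is);
            } finally {
                is.close();
            }
            log.info("XSS config file[" + xssConfig + "] init completed.");
        } catch (Exception e) {
            log.error("XSS config file init fail:" + e.getMessage(), e);
        }
    }

    /**
     * Parses the config document into {@link #enable}, {@link #urlPatternMap} and
     * {@link #excludeUris}.
     *
     * @param is the config XML stream (not closed here)
     * @throws Exception on any parse or parser-configuration failure
     */
    private static void initConfig(InputStream is) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Harden the parser: a filter config has no reason to resolve external
        // entities or DTDs, and doing so is the classic XXE vector.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Element root = builder.parse(is).getDocumentElement();

        // <enable>true|false</enable>
        NodeList nl = root.getElementsByTagName("enable");
        Node n = null;
        if (nl != null && nl.getLength() > 0) {
            n = ((org.w3c.dom.Element) nl.item(0)).getFirstChild();
        }
        if (n != null) {
            enable = Boolean.valueOf(n.getNodeValue().trim()).booleanValue();
        }
        log.info("XSS switch=" + enable);

        // first <filter-mapping>: its <url-pattern> and <exclude-url> children
        nl = root.getElementsByTagName("filter-mapping");
        NodeList urlPatternNodes = null;
        if (nl != null && nl.getLength() > 0) {
            Element el = (Element) nl.item(0);
            urlPatternNodes = el.getElementsByTagName("url-pattern");
            NodeList excludeNodes = el.getElementsByTagName("exclude-url");
            if (excludeNodes != null) {
                for (int i = 0; i < excludeNodes.getLength(); i++) {
                    // was: urlPatternNodes.item(i) -- iterated the wrong list, so
                    // exclusions read url-pattern nodes (or NPE'd past their end)
                    Node textNode = excludeNodes.item(i).getFirstChild();
                    if (textNode != null) {
                        String uri = textNode.getNodeValue().trim();
                        if (uri.length() > 0) {
                            excludeUris.add(uri.toLowerCase());
                        }
                    }
                }
            }
        }

        // <url-pattern value="..."> with zero or more <include-param> children
        if (urlPatternNodes != null) {
            for (int i = 0; i < urlPatternNodes.getLength(); i++) {
                Element e = (Element) urlPatternNodes.item(i);
                String urlPattern = e.getAttribute("value");
                if (urlPattern == null) {
                    continue;
                }
                urlPattern = urlPattern.trim();
                if (urlPattern.length() == 0) {
                    continue;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Xss filter mapping:" + urlPattern);
                }
                List filtParamList = new ArrayList(2);
                NodeList includeNodes = e.getElementsByTagName("include-param");
                if (includeNodes != null) {
                    for (int m = 0; m < includeNodes.getLength(); m++) {
                        Node paramNode = includeNodes.item(m).getFirstChild();
                        if (paramNode != null) {
                            String paramName = paramNode.getNodeValue().trim();
                            if (paramName.length() > 0) {
                                filtParamList.add(paramName);
                            }
                        }
                    }
                }
                // keys are lower-cased; lookups lower-case the servlet path too
                urlPatternMap.put(urlPattern.toLowerCase(), filtParamList);
            }
        }
    }

    /**
     * Prepares an already wrapped request for re-entry into the filter.
     *
     * @return the same wrapper with its parameter cache cleared (an include may
     *         have added parameters), or the request unchanged if it is not an
     *         {@link XssHttpRequestWrapper}
     */
    public static HttpServletRequest wrapRequest(HttpServletRequest httpRequest) {
        if (httpRequest instanceof XssHttpRequestWrapper) {
            XssHttpRequestWrapper temp = (XssHttpRequestWrapper) httpRequest;
            temp.refiltParams();
            return temp;
        }
        return httpRequest;
    }

    /**
     * Looks up the parameter names configured for a servlet path.
     *
     * @param url the servlet path (may be null)
     * @return the configured names, or null when the path has no mapping or an
     *         empty one -- callers treat null as "filter every parameter"
     */
    public static List getFiltParamNames(String url) {
        if (url == null) {
            return null;
        }
        List paramNameList = (List) urlPatternMap.get(url.toLowerCase());
        if (paramNameList == null || paramNameList.isEmpty()) {
            return null;
        }
        return paramNameList;
    }

    /**
     * Sanitises the parameters of a request for the given servlet path, in place.
     * Paths listed in &lt;exclude-url&gt; are left untouched (the original never
     * consulted {@link #excludeUris}).
     *
     * @param params      parameter name -> String[] values; arrays are modified
     * @param servletPath the request's servlet path (may be null)
     */
    public static void filtRequestParams(Map params, String servletPath) {
        if (params == null) {
            return;
        }
        if (servletPath != null && excludeUris.contains(servletPath.toLowerCase())) {
            return;
        }
        filtRequestParams(params, getFiltParamNames(servletPath));
    }

    /**
     * Sanitises the named parameters in place.
     *
     * @param params         parameter name -> String[] values; arrays are modified
     * @param filtParamNames names to filter, or null to filter every parameter
     */
    public static void filtRequestParams(Map params, List filtParamNames) {
        if (params == null) {
            return;
        }
        for (Iterator it = params.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            String paramName = (String) entry.getKey();
            if (filtParamNames == null || filtParamNames.contains(paramName)) {
                proceedXss((String[]) entry.getValue());
            }
        }
    }

    /**
     * Replaces each non-blank value of the array with its sanitised form.
     *
     * @param values the values to rewrite in place (null tolerated)
     */
    private static void proceedXss(String[] values) {
        if (values == null) {
            return;
        }
        for (int i = 0; i < values.length; ++i) {
            if (!isNullStr(values[i])) {
                values[i] = replaceSpecialChars(values[i]);
            }
        }
    }

    /**
     * Rewrites dangerous characters, trims, then rewrites a leading "javascript:"
     * token. The trim runs before the token match so leading whitespace cannot
     * slip the scheme past the {@code ^} anchor (it also strips the value).
     *
     * @param str a non-null value
     * @return the sanitised value
     */
    private static String replaceSpecialChars(String str) {
        String out = str;
        for (int j = 0; j < INVALID_CHARS.length; ++j) {
            out = out.replace(INVALID_CHARS[j], VALID_CHARS[j]);
        }
        out = out.trim();
        for (int i = 0; i < DANGEROUS_TOKENS.length; ++i) {
            out = DANGEROUS_TOKENS[i].matcher(out).replaceAll(DANGEROUS_TOKEN_REPLACEMENTS[i]);
        }
        return out;
    }

    /** @return true for null or whitespace-only values (these are not rewritten) */
    private static boolean isNullStr(String value) {
        return value == null || value.trim().length() == 0;
    }

    /** Manual smoke test: prints the sanitised form of a script payload. */
    public static void main(String args[]) throws Exception {
        Map datas = new HashMap();
        String paramName = "test";
        datas.put(paramName, new String[] { "Javascript:<script>alert('yes');</script>" });
        filtRequestParams(datas, "/test/sample.do");
        System.out.println(((String[]) datas.get(paramName))[0]);
    }
}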