程序博客网 > mac 安装lamp环境

预防XSS攻击,(参数/响应值)特殊字符过滤

来源:互联网 发布:mac 安装lamp环境 编辑:程序博客网 时间:2024/05/14 10:37

一、什么是XSS攻击
XSS是一种经常出现在web应用中的计算机安全漏洞,它允许恶意web用户将代码植入到提供给其它用户使用的页面中。比如这些代码包括HTML代码和客户端脚本。攻击者利用XSS漏洞旁路掉访问控制——例如同源策略(same origin policy)。这种类型的漏洞由于被黑客用来编写危害性更大的网络钓鱼(Phishing)攻击而变得广为人知。对于跨站脚本攻击,黑客界共识是:跨站脚本攻击是新型的“缓冲区溢出攻击“,而JavaScript是新型的“ShellCode”。

二、XSS漏洞的危害
(1)网络钓鱼,包括盗取各类用户账号;
(2)窃取用户cookies资料,从而获取用户隐私信息,或利用用户身份进一步对网站执行操作;
(3)劫持用户(浏览器)会话,从而执行任意操作,例如进行非法转账、强制发表日志、发送电子邮件等;
(4)强制弹出广告页面、刷流量等;
(5)网页挂马;
(6)进行恶意操作,例如任意篡改页面信息、删除文章等;
(7)进行大量的客户端攻击,如DDoS攻击;
(8)获取客户端信息,例如用户的浏览历史、真实IP、开放端口等;
(9)控制受害者机器向其他网站发起攻击;
(10)结合其他漏洞,如CSRF漏洞,实施进一步作恶;
(11)提升用户权限,包括进一步渗透网站;
(12)传播跨站脚本蠕虫等;
……

三、如何编写代码来避免
如下代码可以避免XSS注入,但是作者因知识面有限,故不能保证100%能完全将XSS攻击者拒之门外,还需大家根据实际情况进行优化和改进。
既然我们通过代码来解决问题,就尽可能的不涉及开发人员的对原有代码修改,所以我们增加过滤器来拦截处理,本文原有框架使用springmvc。
1、IllegalCharacterFilter.java

<code class="hljs java has-numbering"><span class="hljs-keyword">package</span> com.lenovo.common.filter;<span class="hljs-keyword">import</span> java.io.IOException;<span class="hljs-keyword">import</span> javax.servlet.Filter;<span class="hljs-keyword">import</span> javax.servlet.FilterChain;<span class="hljs-keyword">import</span> javax.servlet.FilterConfig;<span class="hljs-keyword">import</span> javax.servlet.ServletException;<span class="hljs-keyword">import</span> javax.servlet.ServletRequest;<span class="hljs-keyword">import</span> javax.servlet.ServletResponse;<span class="hljs-keyword">import</span> javax.servlet.http.HttpServletRequest;<span class="hljs-javadoc">/** * 非法字符过滤器,用来处理request.getParamater中的非法字符。如<script>alert('123');</script> *  *<span class="hljs-javadoctag"> @author</span> 单红宇(365384722) *<span class="hljs-javadoctag"> @myblog</span> http://blog.csdn.net/catoop/ *<span class="hljs-javadoctag"> @create</span> 2015年9月18日 */</span><span class="hljs-keyword">public</span> <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">IllegalCharacterFilter</span> <span class="hljs-keyword">implements</span> <span class="hljs-title">Filter</span> {</span>    <span class="hljs-annotation">@Override</span>    <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">init</span>(FilterConfig filterConfig) <span class="hljs-keyword">throws</span> ServletException {    }    <span class="hljs-annotation">@Override</span>    <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">doFilter</span>(ServletRequest req, ServletResponse res,            FilterChain chain) <span class="hljs-keyword">throws</span> IOException, ServletException {        HttpServletRequest request = (HttpServletRequest)req;        request = <span class="hljs-keyword">new</span> MHttpServletRequest(request);        chain.doFilter(request, res);    }    <span class="hljs-annotation">@Override</span>    <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">destroy</span>() {    }}</code><ul style="display: block;" class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li></ul>

2、MHttpServletRequest.java

<code class="hljs java has-numbering"><span class="hljs-keyword">package</span> com.lenovo.common.filter;<span class="hljs-keyword">import</span> javax.servlet.http.HttpServletRequest;<span class="hljs-keyword">import</span> javax.servlet.http.HttpServletRequestWrapper;<span class="hljs-keyword">import</span> com.lenovo.common.utils.XssShieldUtil;<span class="hljs-javadoc">/** * 参数特殊字符过滤 * *<span class="hljs-javadoctag"> @author</span>   单红宇(365384722) *<span class="hljs-javadoctag"> @myblog</span>  http://blog.csdn.net/catoop/ *<span class="hljs-javadoctag"> @create</span>    2015年9月18日 */</span><span class="hljs-keyword">public</span> <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">MHttpServletRequest</span> <span class="hljs-keyword">extends</span> <span class="hljs-title">HttpServletRequestWrapper</span> {</span>    <span class="hljs-keyword">public</span> <span class="hljs-title">MHttpServletRequest</span>(HttpServletRequest request) {        <span class="hljs-keyword">super</span>(request);    }    <span class="hljs-annotation">@Override</span>    <span class="hljs-keyword">public</span> String <span class="hljs-title">getParameter</span>(String name) {        <span class="hljs-comment">// 返回值之前 先进行过滤</span>        <span class="hljs-keyword">return</span> XssShieldUtil.stripXss(<span class="hljs-keyword">super</span>.getParameter(name));    }    <span class="hljs-annotation">@Override</span>    <span class="hljs-keyword">public</span> String[] <span class="hljs-title">getParameterValues</span>(String name) {        <span class="hljs-comment">// 返回值之前 先进行过滤</span>        String[] values = <span class="hljs-keyword">super</span>.getParameterValues(name);        <span class="hljs-keyword">if</span>(values != <span class="hljs-keyword">null</span>){            <span class="hljs-keyword">for</span> (<span class="hljs-keyword">int</span> i = <span class="hljs-number">0</span>; i < values.length; i++) {                values[i] = XssShieldUtil.stripXss(values[i]);            }        }        <span class="hljs-keyword">return</span> values;    }}</code><ul style="display: block;" class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li></ul>

3、XssShieldUtil.java

<code class="hljs cs has-numbering">package com.lenovo.common.utils;import java.util.ArrayList;import java.util.List;import java.util.regex.Matcher;import java.util.regex.Pattern;import org.apache.commons.lang.StringUtils;<span class="hljs-comment">/** * 处理非法字符 * * @author   单红宇(365384722) * @myblog  http://blog.csdn.net/catoop/ * @create    2015年9月18日 */</span><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> XssShieldUtil {    <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> List<Pattern> patterns = <span class="hljs-keyword">null</span>;    <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> List<Object[]> <span class="hljs-title">getXssPatternList</span>() {        List<Object[]> ret = <span class="hljs-keyword">new</span> ArrayList<Object[]>();        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"<(no)?script[^>]*>.*?</(no)?script>"</span>, Pattern.CASE_INSENSITIVE});        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"eval\\((.*?)\\)"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"expression\\((.*?)\\)"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"(javascript:|vbscript:|view-source:)*"</span>, Pattern.CASE_INSENSITIVE});        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});        ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL});        <span class="hljs-keyword">return</span> ret;    }    <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> List<Pattern> <span class="hljs-title">getPatterns</span>() {        <span class="hljs-keyword">if</span> (patterns == <span class="hljs-keyword">null</span>) {            List<Pattern> list = <span class="hljs-keyword">new</span> ArrayList<Pattern>();            String regex = <span class="hljs-keyword">null</span>;            Integer flag = <span class="hljs-keyword">null</span>;            <span class="hljs-keyword">int</span> arrLength = <span class="hljs-number">0</span>;            <span class="hljs-keyword">for</span>(Object[] arr : getXssPatternList()) {                arrLength = arr.length;                <span class="hljs-keyword">for</span>(<span class="hljs-keyword">int</span> i = <span class="hljs-number">0</span>; i < arrLength; i++) {                    regex = (String)arr[<span class="hljs-number">0</span>];                    flag = (Integer)arr[<span class="hljs-number">1</span>];                    list.add(Pattern.compile(regex, flag));                }            }            patterns = list;        }        <span class="hljs-keyword">return</span> patterns;    }    <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> String <span class="hljs-title">stripXss</span>(String <span class="hljs-keyword">value</span>) {        <span class="hljs-keyword">if</span>(StringUtils.isNotBlank(<span class="hljs-keyword">value</span>)) {            Matcher matcher = <span class="hljs-keyword">null</span>;            <span class="hljs-keyword">for</span>(Pattern pattern : getPatterns()) {                matcher = pattern.matcher(<span class="hljs-keyword">value</span>);                <span class="hljs-comment">//해당하는 패턴이 있으면</span>                <span class="hljs-keyword">if</span>(matcher.find()) {                    <span class="hljs-comment">//해당 문자열 제거</span>                    <span class="hljs-keyword">value</span> = matcher.replaceAll(<span class="hljs-string">""</span>);                }            }            <span class="hljs-keyword">value</span> = <span class="hljs-keyword">value</span>.replaceAll(<span class="hljs-string">"<"</span>, <span class="hljs-string">"&lt;"</span>).replaceAll(<span class="hljs-string">">"</span>, <span class="hljs-string">"&gt;"</span>);        }<span class="hljs-comment">//      if (LOG.isDebugEnabled())</span><span class="hljs-comment">//          LOG.debug("strip value: " + value);</span>        <span class="hljs-keyword">return</span> <span class="hljs-keyword">value</span>;    }    <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title">main</span>(String[] args) {        String <span class="hljs-keyword">value</span> = <span class="hljs-keyword">null</span>;        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script language=text/javascript>alert(document.cookie);</script>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-1: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script src='' onerror='alert(document.cookie)'></script>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-2: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"</script>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-3: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">" eval(abc);"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-4: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">" expression(abc);"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-5: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src='' onerror='alert(document.cookie);'></img>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-6: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src='' onerror='alert(document.cookie);'/>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-7: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src='' onerror='alert(document.cookie);'>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-8: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script language=text/javascript>alert(document.cookie);"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-9: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script>window.location='url'"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-10: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">" onload='alert(\"abc\");"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-11: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src=x<!--'<\"-->>"</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-12: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);        <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<=img onstop="</span>);        System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-13: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>);    }}</code><ul style="display: block;" class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li><li>54</li><li>55</li><li>56</li><li>57</li><li>58</li><li>59</li><li>60</li><li>61</li><li>62</li><li>63</li><li>64</li><li>65</li><li>66</li><li>67</li><li>68</li><li>69</li><li>70</li><li>71</li><li>72</li><li>73</li><li>74</li><li>75</li><li>76</li><li>77</li><li>78</li><li>79</li><li>80</li><li>81</li><li>82</li><li>83</li><li>84</li><li>85</li><li>86</li><li>87</li><li>88</li><li>89</li><li>90</li><li>91</li><li>92</li><li>93</li><li>94</li><li>95</li><li>96</li><li>97</li><li>98</li><li>99</li><li>100</li><li>101</li><li>102</li><li>103</li><li>104</li><li>105</li><li>106</li><li>107</li><li>108</li><li>109</li><li>110</li><li>111</li><li>112</li><li>113</li><li>114</li><li>115</li><li>116</li><li>117</li><li>118</li><li>119</li><li>120</li><li>121</li><li>122</li><li>123</li><li>124</li><li>125</li><li>126</li><li>127</li><li>128</li></ul>

4、web.xml 配置

<code class="hljs xml has-numbering">    <span class="hljs-comment"><!-- 非法参数过滤器 --></span>    <span class="hljs-tag"><<span class="hljs-title">filter</span>></span>        <span class="hljs-tag"><<span class="hljs-title">filter-name</span>></span>IllegalCharacterFilter<span class="hljs-tag"></<span class="hljs-title">filter-name</span>></span>        <span class="hljs-tag"><<span class="hljs-title">filter-class</span>></span>com.lenovo.common.filter.IllegalCharacterFilter<span class="hljs-tag"></<span class="hljs-title">filter-class</span>></span>    <span class="hljs-tag"></<span class="hljs-title">filter</span>></span>    <span class="hljs-tag"><<span class="hljs-title">filter-mapping</span>></span>        <span class="hljs-tag"><<span class="hljs-title">filter-name</span>></span>IllegalCharacterFilter<span class="hljs-tag"></<span class="hljs-title">filter-name</span>></span>        <span class="hljs-tag"><<span class="hljs-title">url-pattern</span>></span>*.do<span class="hljs-tag"></<span class="hljs-title">url-pattern</span>></span>    <span class="hljs-tag"></<span class="hljs-title">filter-mapping</span>></span></code>
0 0
mac 安装lamp环境 mac 安装lamp环境
原创粉丝点击
热门IT博客
反电信网络诈骗黑板报反电信网络诈骗黑板报
日本心神战斗机 知乎日本心神战斗机 知乎
大闸蟹品牌 知乎
php pop3发送邮件
路由器监视软件
淘宝冻结账号解冻中心
矩阵的奇异值定义
华为手机连接电脑软件
双十一前淘宝生意差
哪种抢票软件好
男科网络预约挂号平台
淘宝怎么有付费流量
mac版ps
有个性淘宝店头像图片
专业cd刻录软件
客服淘宝女装回复技巧
淘宝客服的职责
微信生成器软件
javascript 页面刷新
外汇储备最新数据
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 秦桧怎么死的 秦桧正确读音 秦桧读hui还是kuai 秦桧为什么要害岳飞 秦桧后人今何在 历史上真实的秦桧 秦椒 秦椒图片 沈吉祥秦楚 手机秦楚网 秦楚古道 秦楚琛 霍眠秦楚 秦楚网中考 秦楚琛沈吉祥免费 沈吉祥秦楚深 终南山秦楚古道旅游 秦楚琛沈如意 沈吉祥和秦楚琛 秦楚深沈吉祥 秦楚网手机版 沈吉祥秦楚堔 柞水秦楚古道酒店 十堰秦楚网招聘信息 秦楚网天天信息 柞水终南山秦楚古道门票 秦歌 顾寒洲秦歌 秦歌顾寒洲 秦歌一曲 秦歌沈寒 沈寒秦歌 秦歌顾寒州 顾寒州秦歌全文免费阅读 秦歌和顾寒洲免费阅读 秦歌傅言殇全文目录 秦歌沈寒免费阅读目录 傅言殇秦歌全文阅读 秦歌与顾韩洲免费阅读 秦歌傅言殇全文免费 秦歌傅言殇全文150章

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里