预防XSS攻击,(参数/响应值)特殊字符过滤
来源:互联网 发布:mac 安装lamp环境 编辑:程序博客网 时间:2024/05/14 10:37
一、什么是XSS攻击
XSS是一种经常出现在web应用中的计算机安全漏洞,它允许恶意web用户将代码植入到提供给其它用户使用的页面中。比如这些代码包括HTML代码和客户端脚本。攻击者利用XSS漏洞旁路掉访问控制——例如同源策略(same origin policy)。这种类型的漏洞由于被黑客用来编写危害性更大的网络钓鱼(Phishing)攻击而变得广为人知。对于跨站脚本攻击,黑客界共识是:跨站脚本攻击是新型的“缓冲区溢出攻击“,而JavaScript是新型的“ShellCode”。
二、XSS漏洞的危害
(1)网络钓鱼,包括盗取各类用户账号;
(2)窃取用户cookies资料,从而获取用户隐私信息,或利用用户身份进一步对网站执行操作;
(3)劫持用户(浏览器)会话,从而执行任意操作,例如进行非法转账、强制发表日志、发送电子邮件等;
(4)强制弹出广告页面、刷流量等;
(5)网页挂马;
(6)进行恶意操作,例如任意篡改页面信息、删除文章等;
(7)进行大量的客户端攻击,如DDoS攻击;
(8)获取客户端信息,例如用户的浏览历史、真实IP、开放端口等;
(9)控制受害者机器向其他网站发起攻击;
(10)结合其他漏洞,如CSRF漏洞,实施进一步作恶;
(11)提升用户权限,包括进一步渗透网站;
(12)传播跨站脚本蠕虫等;
……
三、如何编写代码来避免
如下代码可以避免XSS注入,但是作者因知识面有限,故不能保证100%能完全将XSS攻击者拒之门外,还需大家根据实际情况进行优化和改进。
既然我们通过代码来解决问题,就尽可能的不涉及开发人员的对原有代码修改,所以我们增加过滤器来拦截处理,本文原有框架使用springmvc。
1、IllegalCharacterFilter.java
<code class="hljs java has-numbering"><span class="hljs-keyword">package</span> com.lenovo.common.filter;<span class="hljs-keyword">import</span> java.io.IOException;<span class="hljs-keyword">import</span> javax.servlet.Filter;<span class="hljs-keyword">import</span> javax.servlet.FilterChain;<span class="hljs-keyword">import</span> javax.servlet.FilterConfig;<span class="hljs-keyword">import</span> javax.servlet.ServletException;<span class="hljs-keyword">import</span> javax.servlet.ServletRequest;<span class="hljs-keyword">import</span> javax.servlet.ServletResponse;<span class="hljs-keyword">import</span> javax.servlet.http.HttpServletRequest;<span class="hljs-javadoc">/** * 非法字符过滤器,用来处理request.getParamater中的非法字符。如<script>alert('123');</script> * *<span class="hljs-javadoctag"> @author</span> 单红宇(365384722) *<span class="hljs-javadoctag"> @myblog</span> http://blog.csdn.net/catoop/ *<span class="hljs-javadoctag"> @create</span> 2015年9月18日 */</span><span class="hljs-keyword">public</span> <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">IllegalCharacterFilter</span> <span class="hljs-keyword">implements</span> <span class="hljs-title">Filter</span> {</span> <span class="hljs-annotation">@Override</span> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">init</span>(FilterConfig filterConfig) <span class="hljs-keyword">throws</span> ServletException { } <span class="hljs-annotation">@Override</span> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">doFilter</span>(ServletRequest req, ServletResponse res, FilterChain chain) <span class="hljs-keyword">throws</span> IOException, ServletException { HttpServletRequest request = (HttpServletRequest)req; request = <span class="hljs-keyword">new</span> MHttpServletRequest(request); chain.doFilter(request, res); } <span class="hljs-annotation">@Override</span> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">destroy</span>() { }}</code><ul style="display: block;" class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li></ul>
2、MHttpServletRequest.java
<code class="hljs java has-numbering"><span class="hljs-keyword">package</span> com.lenovo.common.filter;<span class="hljs-keyword">import</span> javax.servlet.http.HttpServletRequest;<span class="hljs-keyword">import</span> javax.servlet.http.HttpServletRequestWrapper;<span class="hljs-keyword">import</span> com.lenovo.common.utils.XssShieldUtil;<span class="hljs-javadoc">/** * 参数特殊字符过滤 * *<span class="hljs-javadoctag"> @author</span> 单红宇(365384722) *<span class="hljs-javadoctag"> @myblog</span> http://blog.csdn.net/catoop/ *<span class="hljs-javadoctag"> @create</span> 2015年9月18日 */</span><span class="hljs-keyword">public</span> <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">MHttpServletRequest</span> <span class="hljs-keyword">extends</span> <span class="hljs-title">HttpServletRequestWrapper</span> {</span> <span class="hljs-keyword">public</span> <span class="hljs-title">MHttpServletRequest</span>(HttpServletRequest request) { <span class="hljs-keyword">super</span>(request); } <span class="hljs-annotation">@Override</span> <span class="hljs-keyword">public</span> String <span class="hljs-title">getParameter</span>(String name) { <span class="hljs-comment">// 返回值之前 先进行过滤</span> <span class="hljs-keyword">return</span> XssShieldUtil.stripXss(<span class="hljs-keyword">super</span>.getParameter(name)); } <span class="hljs-annotation">@Override</span> <span class="hljs-keyword">public</span> String[] <span class="hljs-title">getParameterValues</span>(String name) { <span class="hljs-comment">// 返回值之前 先进行过滤</span> String[] values = <span class="hljs-keyword">super</span>.getParameterValues(name); <span class="hljs-keyword">if</span>(values != <span class="hljs-keyword">null</span>){ <span class="hljs-keyword">for</span> (<span class="hljs-keyword">int</span> i = <span class="hljs-number">0</span>; i < values.length; i++) { values[i] = XssShieldUtil.stripXss(values[i]); } } <span class="hljs-keyword">return</span> values; }}</code><ul style="display: block;" class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li></ul>
3、XssShieldUtil.java
<code class="hljs cs has-numbering">package com.lenovo.common.utils;import java.util.ArrayList;import java.util.List;import java.util.regex.Matcher;import java.util.regex.Pattern;import org.apache.commons.lang.StringUtils;<span class="hljs-comment">/** * 处理非法字符 * * @author 单红宇(365384722) * @myblog http://blog.csdn.net/catoop/ * @create 2015年9月18日 */</span><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> XssShieldUtil { <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> List<Pattern> patterns = <span class="hljs-keyword">null</span>; <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> List<Object[]> <span class="hljs-title">getXssPatternList</span>() { List<Object[]> ret = <span class="hljs-keyword">new</span> ArrayList<Object[]>(); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"<(no)?script[^>]*>.*?</(no)?script>"</span>, Pattern.CASE_INSENSITIVE}); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"eval\\((.*?)\\)"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"expression\\((.*?)\\)"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"(javascript:|vbscript:|view-source:)*"</span>, Pattern.CASE_INSENSITIVE}); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(<span class="hljs-keyword">new</span> Object[]{<span class="hljs-string">"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+"</span>, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); <span class="hljs-keyword">return</span> ret; } <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> List<Pattern> <span class="hljs-title">getPatterns</span>() { <span class="hljs-keyword">if</span> (patterns == <span class="hljs-keyword">null</span>) { List<Pattern> list = <span class="hljs-keyword">new</span> ArrayList<Pattern>(); String regex = <span class="hljs-keyword">null</span>; Integer flag = <span class="hljs-keyword">null</span>; <span class="hljs-keyword">int</span> arrLength = <span class="hljs-number">0</span>; <span class="hljs-keyword">for</span>(Object[] arr : getXssPatternList()) { arrLength = arr.length; <span class="hljs-keyword">for</span>(<span class="hljs-keyword">int</span> i = <span class="hljs-number">0</span>; i < arrLength; i++) { regex = (String)arr[<span class="hljs-number">0</span>]; flag = (Integer)arr[<span class="hljs-number">1</span>]; list.add(Pattern.compile(regex, flag)); } } patterns = list; } <span class="hljs-keyword">return</span> patterns; } <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> String <span class="hljs-title">stripXss</span>(String <span class="hljs-keyword">value</span>) { <span class="hljs-keyword">if</span>(StringUtils.isNotBlank(<span class="hljs-keyword">value</span>)) { Matcher matcher = <span class="hljs-keyword">null</span>; <span class="hljs-keyword">for</span>(Pattern pattern : getPatterns()) { matcher = pattern.matcher(<span class="hljs-keyword">value</span>); <span class="hljs-comment">//해당하는 패턴이 있으면</span> <span class="hljs-keyword">if</span>(matcher.find()) { <span class="hljs-comment">//해당 문자열 제거</span> <span class="hljs-keyword">value</span> = matcher.replaceAll(<span class="hljs-string">""</span>); } } <span class="hljs-keyword">value</span> = <span class="hljs-keyword">value</span>.replaceAll(<span class="hljs-string">"<"</span>, <span class="hljs-string">"<"</span>).replaceAll(<span class="hljs-string">">"</span>, <span class="hljs-string">">"</span>); }<span class="hljs-comment">// if (LOG.isDebugEnabled())</span><span class="hljs-comment">// LOG.debug("strip value: " + value);</span> <span class="hljs-keyword">return</span> <span class="hljs-keyword">value</span>; } <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title">main</span>(String[] args) { String <span class="hljs-keyword">value</span> = <span class="hljs-keyword">null</span>; <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script language=text/javascript>alert(document.cookie);</script>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-1: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script src='' onerror='alert(document.cookie)'></script>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-2: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"</script>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-3: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">" eval(abc);"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-4: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">" expression(abc);"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-5: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src='' onerror='alert(document.cookie);'></img>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-6: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src='' onerror='alert(document.cookie);'/>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-7: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src='' onerror='alert(document.cookie);'>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-8: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script language=text/javascript>alert(document.cookie);"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-9: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<script>window.location='url'"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-10: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">" onload='alert(\"abc\");"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-11: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<img src=x<!--'<\"-->>"</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-12: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); <span class="hljs-keyword">value</span> = XssShieldUtil.stripXss(<span class="hljs-string">"<=img onstop="</span>); System.<span class="hljs-keyword">out</span>.println(<span class="hljs-string">"type-13: '"</span> + <span class="hljs-keyword">value</span> + <span class="hljs-string">"'"</span>); }}</code><ul style="display: block;" class="pre-numbering"><li>1</li><li>2</li><li>3</li><li>4</li><li>5</li><li>6</li><li>7</li><li>8</li><li>9</li><li>10</li><li>11</li><li>12</li><li>13</li><li>14</li><li>15</li><li>16</li><li>17</li><li>18</li><li>19</li><li>20</li><li>21</li><li>22</li><li>23</li><li>24</li><li>25</li><li>26</li><li>27</li><li>28</li><li>29</li><li>30</li><li>31</li><li>32</li><li>33</li><li>34</li><li>35</li><li>36</li><li>37</li><li>38</li><li>39</li><li>40</li><li>41</li><li>42</li><li>43</li><li>44</li><li>45</li><li>46</li><li>47</li><li>48</li><li>49</li><li>50</li><li>51</li><li>52</li><li>53</li><li>54</li><li>55</li><li>56</li><li>57</li><li>58</li><li>59</li><li>60</li><li>61</li><li>62</li><li>63</li><li>64</li><li>65</li><li>66</li><li>67</li><li>68</li><li>69</li><li>70</li><li>71</li><li>72</li><li>73</li><li>74</li><li>75</li><li>76</li><li>77</li><li>78</li><li>79</li><li>80</li><li>81</li><li>82</li><li>83</li><li>84</li><li>85</li><li>86</li><li>87</li><li>88</li><li>89</li><li>90</li><li>91</li><li>92</li><li>93</li><li>94</li><li>95</li><li>96</li><li>97</li><li>98</li><li>99</li><li>100</li><li>101</li><li>102</li><li>103</li><li>104</li><li>105</li><li>106</li><li>107</li><li>108</li><li>109</li><li>110</li><li>111</li><li>112</li><li>113</li><li>114</li><li>115</li><li>116</li><li>117</li><li>118</li><li>119</li><li>120</li><li>121</li><li>122</li><li>123</li><li>124</li><li>125</li><li>126</li><li>127</li><li>128</li></ul>
4、web.xml 配置
<code class="hljs xml has-numbering"> <span class="hljs-comment"><!-- 非法参数过滤器 --></span> <span class="hljs-tag"><<span class="hljs-title">filter</span>></span> <span class="hljs-tag"><<span class="hljs-title">filter-name</span>></span>IllegalCharacterFilter<span class="hljs-tag"></<span class="hljs-title">filter-name</span>></span> <span class="hljs-tag"><<span class="hljs-title">filter-class</span>></span>com.lenovo.common.filter.IllegalCharacterFilter<span class="hljs-tag"></<span class="hljs-title">filter-class</span>></span> <span class="hljs-tag"></<span class="hljs-title">filter</span>></span> <span class="hljs-tag"><<span class="hljs-title">filter-mapping</span>></span> <span class="hljs-tag"><<span class="hljs-title">filter-name</span>></span>IllegalCharacterFilter<span class="hljs-tag"></<span class="hljs-title">filter-name</span>></span> <span class="hljs-tag"><<span class="hljs-title">url-pattern</span>></span>*.do<span class="hljs-tag"></<span class="hljs-title">url-pattern</span>></span> <span class="hljs-tag"></<span class="hljs-title">filter-mapping</span>></span></code>
- 预防XSS攻击,(参数/响应值)特殊字符过滤
- 预防XSS攻击,(参数/响应值)特殊字符过滤
- 预防XSS攻击,(参数/响应值)特殊字符过滤
- 预防XSS攻击,(参数/响应值)特殊字符过滤
- xss过滤特殊字符
- .htaccess实际运用案例之过滤URL特殊字符,防止XSS攻击
- 利用简单的过滤器 过滤特殊字符实现 防止XSS攻击
- 利用简单的过滤器 过滤特殊字符实现 防止XSS攻击
- XSS攻击预防
- 预防XSS漏洞攻击
- 预防xss攻击
- 如何预防 XSS 攻击?
- java过滤请求参数中的非法字符,防止XSS攻击、SQL盲注等
- 过滤sql特殊字符及预防sql注射
- golang web xss攻击预防
- XSS攻击以及PHP预防
- XSS攻击的过滤
- PHP过滤XSS攻击
- 用eclipse创建maven项目老是出现这个错误 'Creating maven-archetype-quickstart' has encountered
- Xamarin学习笔记
- iOS的UDID废用以及UUID配合keychain的替换方案实现
- linux指令--ls
- 设计模式学习---单例模式
- 预防XSS攻击,(参数/响应值)特殊字符过滤
- 用C写一个顺序表的简单操作
- Swift学习初探——一些常用的但与OC区别很大的用法
- Linux中opendir的函数结构体详解
- 哪些公认的健康食品其实并非那么健康?为什么?
- 安卓开发之安卓AIDL的使用
- 堪称最好的A*算法
- Vaadin 的基本概况和基础开发
- Slope One协同推荐算法php代码