SpringBoot過濾器過濾get及post請求中的XSS和SQL注入
1.建立XssAndSqlHttpServletRequestWrapper包裝器,這是實現XSS過濾的關鍵,在其內重寫了getParameter,getParameterValues,getHeader等方法,對http請求內的參數進行了過濾。
package com.wb.common; import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStreamReader; import java.util.Enumeration; import java.util.HashMap; import java.util.Map; import java.util.Set; import java.util.Vector; import java.util.regex.Pattern; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.springframework.util.StreamUtils; import com.sgcc.uap.utils.stream.StreamUtil; public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; private Map<String, String[]> parameterMap; private final byte[] body; //用於保存讀取body中數據 public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) throws IOException{ super(request); orgRequest = request; parameterMap = request.getParameterMap(); body = StreamUtils.copyToByteArray(request.getInputStream()); } // 重寫幾個HttpServletRequestWrapper中的方法 /** * 獲取全部參數名 * * @return 返回全部參數名 */ @Override public Enumeration<String> getParameterNames() { Vector<String> vector = new Vector<String>(parameterMap.keySet()); return vector.elements(); } /** * 覆蓋getParameter方法,將參數名和參數值都作xss & sql過濾。<br/> * 若是須要得到原始的值,則經過super.getParameterValues(name)來獲取<br/> * getParameterNames,getParameterValues和getParameterMap也可能須要覆蓋 */ @Override public String getParameter(String name) { String[] results = parameterMap.get(name); if (results == null || results.length <= 0) return null; else { String value = results[0]; if (value != null) { value = xssEncode(value); } return value; } } /** * 獲取指定參數名的全部值的數組,如:checkbox的全部數據 接收數組變量 ,如checkobx類型 */ @Override public String[] getParameterValues(String name) { String[] results = parameterMap.get(name); if (results == null || results.length <= 0) return null; else { int length = results.length; for (int i = 0; i < length; i++) { results[i] = xssEncode(results[i]); } return results; } } /** * 覆蓋getHeader方法,將參數名和參數值都作xss & sql過濾。<br/> * 若是須要得到原始的值,則經過super.getHeaders(name)來獲取<br/> * getHeaderNames 也可能須要覆蓋 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 將容易引發xss & sql漏洞的半角字符直接替換成全角字符 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || s.isEmpty()) { return s; } else { s = stripXSSAndSql(s); } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append(">");// 轉義大於號 break; case '<': sb.append("<");// 轉義小於號 break; // case '\'': // sb.append("'");// 轉義單引號 // break; // case '\"': // sb.append(""");// 轉義雙引號 // break; case '&': sb.append("&");// 轉義& break; case '#': sb.append("#");// 轉義# break; default: sb.append(c); break; } } return sb.toString(); } /** * 獲取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 獲取最原始的request的靜態方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssAndSqlHttpServletRequestWrapper) { return ((XssAndSqlHttpServletRequestWrapper) req).getOrgRequest(); } return req; } /** * * 防止xss跨腳本攻擊(替換,根據實際狀況調整) */ public static String stripXSSAndSql(String value) { if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and // uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters /** value = value.replaceAll("", ""); ***/ // Avoid anything between script tags Pattern scriptPattern = Pattern.compile( "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid anything in a // src="http://www.yihaomen.com/article/java/..." type of // e-xpression scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome </script> tag scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid e-xpression(...) expressions scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid onload= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); } return value; } public static boolean checkXSSAndSql(String value) { boolean flag = false; if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and // uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters /** value = value.replaceAll("", ""); ***/ // Avoid anything between script tags Pattern scriptPattern = Pattern.compile( "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid anything in a // src="http://www.yihaomen.com/article/java/..." type of // e-xpression scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Remove any lonesome </script> tag scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid e-xpression(...) expressions scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid onload= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } } return flag; } public final boolean checkParameter() { Map<String, String[]> submitParams = new HashMap(parameterMap); Set<String> submitNames = submitParams.keySet(); for (String submitName : submitNames) { Object submitValues = submitParams.get(submitName); if ((submitValues instanceof String)) { if (checkXSSAndSql((String) submitValues)) { return true; } } else if ((submitValues instanceof String[])) { for (String submitValue : (String[])submitValues){ if (checkXSSAndSql(submitValue)) { return true; } } } } return false; } @Override public BufferedReader getReader() throws IOException { return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public ServletInputStream getInputStream() throws IOException { final ByteArrayInputStream bais = new ByteArrayInputStream(body); return new ServletInputStream() { @Override public int read() throws IOException { return bais.read(); } @Override public boolean isFinished() { // TODO Auto-generated method stub return false; } @Override public boolean isReady() { // TODO Auto-generated method stub return false; } @Override public void setReadListener(ReadListener arg0) { // TODO Auto-generated method stub } }; } }
2.過濾器javascript
package com.wb.common; import java.io.BufferedReader; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang3.StringUtils; public class XssAndSqlFilter implements Filter { @Override public void destroy() { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String method = "GET"; String param = ""; XssAndSqlHttpServletRequestWrapper xssRequest = null; if (request instanceof HttpServletRequest) { method = ((HttpServletRequest) request).getMethod(); xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request); } if ("POST".equalsIgnoreCase(method)) { param = this.getBodyString(xssRequest.getReader()); if(StringUtils.isNotBlank(param)){ if(xssRequest.checkXSSAndSql(param)){ response.setCharacterEncoding("UTF-8"); response.setContentType("application/json;charset=UTF-8"); PrintWriter out = response.getWriter(); out.write(JSONResponseUtil.getWrappedERRString("您所訪問的頁面請求中有違反安全規則元素存在,拒絕訪問!")); return; } } } if (xssRequest.checkParameter()) { response.setCharacterEncoding("UTF-8"); response.setContentType("application/json;charset=UTF-8"); PrintWriter out = response.getWriter(); out.write(JSONResponseUtil.getWrappedERRString("您所訪問的頁面請求中有違反安全規則元素存在,拒絕訪問!")); return; } chain.doFilter(xssRequest, response); } @Override public void init(FilterConfig arg0) throws ServletException { // TODO Auto-generated method stub } // 獲取request請求body中參數 public static String getBodyString(BufferedReader br) { String inputLine; String str = ""; try { while ((inputLine = br.readLine()) != null) { str += inputLine; } br.close(); } catch (IOException e) { System.out.println("IOException: " + e); } return str; } }
3.註冊過濾器XssAndSqlFilter。css
** * Filter配置 * @author 山河永慕 */ @Configuration public class FilterConfig { @Bean public FilterRegistrationBean xssFilterRegistration() { FilterRegistrationBean registration = new FilterRegistrationBean(); registration.setDispatcherTypes(DispatcherType.REQUEST); registration.setFilter(new XssAndSqlFilter()); registration.addUrlPatterns("/*"); registration.setName("xssAndSqlFilter"); registration.setOrder(Integer.MAX_VALUE); Map<String, String> initParameters = Maps.newHashMap(); //-excludes用於配置不須要參數過濾的請求url; initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*"); //-isIncludeRichText默認爲true,主要用於設置富文本內容是否須要過濾。 initParameters.put("isIncludeRichText", "false"); return registration; }
附上參考連接html
https://www.jianshu.com/p/bec4936d6672(比較完整版)java
http://www.javashuo.com/article/p-bbervovr-h.html(模擬xss和分析版)spring
http://www.javashuo.com/article/p-dokfqgfy-hh.html(sql和cros最有效防止的)sql
相關文章
- 1. Springboot Xss注入過濾
- 2. XSS過濾JAVA過濾器filter 防止常見SQL注入
- 3. 從POST和GET和request過濾掉SQL注入
- 4. 過濾器(7)_過濾器處理 POST 請求亂碼
- 5. 過濾器(8)_過濾器處理 GET 請求亂碼
- 6. SQL注入 -過濾繞過
- 7. springboot中使用過濾器,jsoup過濾XSS腳本
- 8. springsecurity 中 核心過濾器和請求
- 9. KindEditor 和 xss過濾
- 10. java--仿sql注入--sql過濾器
- 更多相關文章...
- • PHP 過濾器 - PHP教程
- • PHP FILTER_CALLBACK 過濾器 - PHP參考手冊
- • Docker容器實戰(七) - 容器眼光下的文件系統
- • Docker容器實戰(六) - 容器的隔離與限制
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
