If this post happens to have helped you, please give it a like (✪ω✪). Thank you!
1. Vulnerability description
2. The JSP page header contains the following code. Written this way it is flagged by vulnerability scanners as a Host header attack (Host header injection) finding. The reason is that getServerName() and getServerPort() are filled in by the servlet container from the client-supplied Host header, so a request with a forged Host header produces a basePath, and every link or redirect built from it, that points at a domain the attacker controls. The most robust fix is to build basePath from a configured canonical URL instead of from the request; the filter-based fix below keeps this code and instead rejects requests whose Host header is not on a whitelist.
    // basePath is assembled from getServerName()/getServerPort(), which the container
    // derives from the client-supplied Host header, so a forged Host header ends up in basePath
    String path = request.getContextPath();
    String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/";
3. Validate the Host header in a request filter and reject requests whose host is not legitimate. First write a Java class: a web filter whose doFilter method checks the Host header at the very start; if it is not on the whitelist, return a 403 status. Once the scanner receives the 403 for its forged-Host request it treats the request as terminated and no longer reports the finding, because the request never reaches the JSP that builds basePath. A request with no Host header at all is also treated as not whitelisted here, so the check fails closed.
    package com.css.apps.hostHear.action;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.css.apps.hostHear.util.ServerWhiteListUtil;

    public class HostCleanFilter implements Filter {

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            // Host header attack check: the Host header is attacker-controlled, so compare it
            // against the whitelist before any downstream code builds URLs from it.
            // A missing Host header is treated as not whitelisted (fail closed).
            String requestHost = request.getHeader("Host");
            if (requestHost == null || !ServerWhiteListUtil.isWhite(requestHost)) {
                // sendError sets the status itself; a separate setStatus(403) call is redundant
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Requested host is not in the whitelist; access denied.");
                return;
            }
            chain.doFilter(req, res);
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // nothing to initialise; the whitelist is loaded once by ServerWhiteListUtil
        }

        @Override
        public void destroy() {
        }
    }
4. The whitelist utility class. Note that matching is an exact string comparison against what the browser sends in the Host header, so entries must include the port when one is sent (e.g. "localhost:8443"), and that an empty or missing whitelist makes isWhite() accept every host (fail open); return false there instead if you want the filter to fail closed.
    package com.css.apps.hostHear.util;

    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.nio.charset.StandardCharsets;
    import java.util.List;
    import com.google.gson.Gson;
    import com.google.gson.reflect.TypeToken;

    public class ServerWhiteListUtil {

        private static List<String> whiteList = null;

        static {
            // Load the whitelist from /serverWhiteList.json at the classpath root.
            // try-with-resources closes the stream (the original code left it open).
            try (InputStream in = ServerWhiteListUtil.class.getResourceAsStream("/serverWhiteList.json")) {
                if (in != null) {
                    whiteList = new Gson().fromJson(
                            new InputStreamReader(in, StandardCharsets.UTF_8),
                            new TypeToken<List<String>>() { }.getType());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        /**
         * Returns whether the given host, exactly as sent in the Host header
         * (e.g. "localhost:8443"), is on the whitelist. Matching is exact and
         * case-sensitive.
         *
         * NOTE: if the whitelist is missing or empty this returns true, i.e. the
         * filter fails OPEN and every host is accepted. Return false here to fail closed.
         *
         * @param host the host to check
         * @return true if the host is whitelisted
         */
        public static boolean isWhite(String host) {
            if (whiteList == null || whiteList.isEmpty()) {
                return true;
            }
            for (String str : whiteList) {
                if (str != null && str.equals(host)) {
                    return true;
                }
            }
            return false;
        }
    }
5. Register the filter in web.xml. Map it to /* so every request is checked, and put this filter-mapping before the others so that it runs first.
    <filter>
        <filter-name>HostCleanFilter</filter-name>
        <filter-class>com.css.apps.hostHear.action.HostCleanFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>HostCleanFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
6. The JSON whitelist file. Because the utility loads it with getResourceAsStream("/serverWhiteList.json"), it must end up at the root of the classpath (for example src/main/resources in a Maven layout, which becomes WEB-INF/classes in the deployed WAR); where that is in your source tree depends on your project structure.
    [
      "localhost:8443"
    ]
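The whitelist above is an exact string match, which is fine for a single known host but is easy to get wrong in practice: browsers omit the default port, hostnames are case-insensitive, and a missing or malformed Host header should be refused rather than waved through. The class below is an added example, not code from the original post, showing a fail-closed Host allowlist that normalises host and port before comparing. The class and method names (HostAllowlist, isAllowed, normalize), the convention that an entry without a port means the listener's default port, and the sample headers in main() are all assumptions made for this example.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not from the original post): fail-closed Host header allowlist.
public class HostAllowlist {
    private final int defaultPort;
    private final Set<String> allowed = new HashSet<>();

    // Entries are "host" or "host:port"; an entry without a port is taken to mean the
    // listener's default port, so "app.example.com" and "app.example.com:8443" compare
    // equal when defaultPort is 8443 (assumed convention for this example).
    public HostAllowlist(int defaultPort, String... entries) {
        this.defaultPort = defaultPort;
        for (String entry : entries) {
            String n = normalize(entry, defaultPort);
            if (n != null) {
                allowed.add(n);
            }
        }
    }

    // Canonical form "host:port": lower-cased, trailing dot removed, default port added
    // when absent, IPv6 literals kept in brackets. Returns null for anything that is not a
    // plausible host[:port], e.g. "localhost:8443@evil.example" or an empty string.
    static String normalize(String hostHeader, int defaultPort) {
        if (hostHeader == null) {
            return null;
        }
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (h.isEmpty()) {
            return null;
        }
        String host;
        int port;
        if (h.startsWith("[")) {                       // IPv6 literal such as [::1]:8443
            int close = h.indexOf(']');
            if (close < 0) {
                return null;
            }
            host = h.substring(0, close + 1);
            String rest = h.substring(close + 1);
            if (rest.isEmpty()) {
                port = defaultPort;
            } else if (rest.startsWith(":")) {
                port = parsePort(rest.substring(1));
            } else {
                return null;
            }
            if (!host.matches("\\[[0-9a-f:.]+\\]")) {
                return null;
            }
        } else {
            int colon = h.indexOf(':');
            if (colon < 0) {
                host = h;
                port = defaultPort;
            } else {
                host = h.substring(0, colon);
                port = parsePort(h.substring(colon + 1));
            }
            if (host.endsWith(".") && host.length() > 1) {
                host = host.substring(0, host.length() - 1);
            }
            // only the characters allowed in a DNS name or dotted IPv4 address
            if (!host.matches("[a-z0-9]([a-z0-9.-]*[a-z0-9])?")) {
                return null;
            }
        }
        if (port < 1 || port > 65535) {
            return null;
        }
        return host + ":" + port;
    }

    private static int parsePort(String s) {
        return s.matches("[0-9]{1,5}") ? Integer.parseInt(s) : -1;
    }

    // Fail closed: an empty allowlist, a missing header or a malformed header all deny.
    public boolean isAllowed(String hostHeader) {
        if (allowed.isEmpty()) {
            return false;
        }
        String n = normalize(hostHeader, defaultPort);
        return n != null && allowed.contains(n);
    }

    public static void main(String[] args) {
        // constructed sample Host header values, not captured traffic
        HostAllowlist list = new HostAllowlist(8443, "localhost:8443", "app.example.com");
        String[] samples = { "localhost:8443", "LOCALHOST", "app.example.com:8443",
                "app.example.com:443", "evil.example:8443", "localhost:8443@evil.example",
                "[::1]:8443", "", null };
        for (String s : samples) {
            System.out.println(s + " -> " + (list.isAllowed(s) ? "allow" : "deny 403"));
        }
    }
}
```

In the filter above you would hold one HostAllowlist instance (built from the same JSON list and the connector's port) and replace the `ServerWhiteListUtil.isWhite(requestHost)` call with `allowlist.isAllowed(request.getHeader("Host"))`; header names are case-insensitive, so `getHeader("host")` and `getHeader("Host")` behave the same. The sample run accepts "localhost:8443", "LOCALHOST" and "app.example.com:8443" and denies everything else, including the empty and missing header cases that the exact-match version lets through.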
Partly based on (with thanks): http://www.javashuo.com/article/p-yxomyvjs-p.html