一次詭異的關於filter的問題
- 接收前臺post請求封裝的
"versionDescription":"eeeeee",時,莫名傳到後臺就變成"versionDeion":"eeeeee",了。 - 找了半天,一直之後是前臺的問題,一直在翻閱各類js代碼。 後來,請教大佬,大佬一聽到恰好少了
script後,靈光乍現,感受是攔截器的緣由,後來查閱,果不其然。
- XSS 全稱(Cross Site Scripting) 跨站腳本攻擊, 是Web程序中最多見的漏洞。指攻擊者在網頁中嵌入客戶端腳本(例如JavaScript), 當用戶瀏覽此網頁時,腳本就會在用戶的瀏覽器上執行,從而達到攻擊者的目的. 好比獲取用戶的Cookie,導航到惡意網站,攜帶木馬等
- 參考https://www.cnblogs.com/xuxiu...
- 參考 http://www.cnblogs.com/jiangs...
- 參考 https://blog.csdn.net/qq_3292...
- 參考 https://blog.csdn.net/u012114...
- 這是一個預防XSS注入的攔截器,
web.xml配置以下:
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>com.cashew.utils.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- 攔截器:
package com.sgcc.utils;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.Map.Entry;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import net.sf.json.JSONObject;
import org.apache.log4j.Logger;
public class XssFilter implements Filter {
Logger log = Logger.getLogger(this.getClass());
private static Pattern SCRIPT_PATTERN = Pattern
.compile("<script.*>.*<\\/script\\s*>");
private static Pattern HTML_PATTERN = Pattern.compile("<[^>]+>");
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse, FilterChain chain)
throws IOException, ServletException {
// 得到在下面代碼中要用的request,response,session對象
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
// 設置cookie heetOnly
Cookie[] cookies = request.getCookies();
if (cookies != null && cookies.length > 0) {
Cookie cookie = cookies[0];
if (cookie != null) {
// Servlet 2.5不支持在Cookie上直接設置HttpOnly屬性
String value = cookie.getValue();
StringBuilder builder = new StringBuilder();
builder.append("JSESSIONID=" + value + "; ");
builder.append("Secure; ");
builder.append("HttpOnly; ");
Calendar cal = Calendar.getInstance();
cal.add(Calendar.MINUTE, 30);
Date date = cal.getTime();
Locale locale = Locale.CHINA;
SimpleDateFormat sdf = new SimpleDateFormat(
"dd-MM-yyyy HH:mm:ss", locale);
builder.append("Expires=" + sdf.format(date));
response.setHeader("Set-Cookie", builder.toString());
}
}
String method = request.getMethod();
if("POST".equalsIgnoreCase(method)){
if (getParameterMap(request)) {
log.info("-----檢測到危險字符,終止請求");
response.setCharacterEncoding("UTF-8");
response.getWriter().write(JSONObject.fromObject(getFailedMap("檢測到疑似注入操做,終止請求")).toString());
return;
}
}else{
boolean isScri = this.filterHtmlStr(request);
boolean isSql = this.filterSql(request);
if (!isScri || !isSql) {
log.info("檢測到危險字符,終止請求");
response.setCharacterEncoding("UTF-8");
response.getWriter().write(JSONObject.fromObject(getFailedMap("檢測到疑似注入操做,終止請求")).toString());
return;
}
}
//chain.doFilter(servletRequest, servletResponse);
chain.doFilter(new XSSRequestWrapper((HttpServletRequest) servletRequest), servletResponse);
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
/**
* 方法說明 :經過獲取map的方法
*/
@SuppressWarnings("rawtypes")
private boolean getParameterMap(HttpServletRequest request) {
Map map = request.getParameterMap();
boolean illegalStr = false;
if (map != null) {
Set set = map.entrySet();
Iterator iterator = set.iterator();
while (iterator.hasNext()) {
Map.Entry entry = (Entry) iterator.next();
if (entry.getValue() instanceof String[]) {
//System.out.println("==A==entry的key�? " + entry.getKey());
String[] values = (String[]) entry.getValue();
for (int i = 0; i < values.length; i++) {
if(!entry.getKey().toString().equals("buildJsonSettings")){
if(!filterSqlFromSream(values[i]) || !filterHtmlStr(values[i])){
System.out.println("1====非法字符 key=" +entry.getKey().toString() + ";value=" + values[i]);
illegalStr = true;
break;
}
}
}
} else if (entry.getValue() instanceof String) {
if(!filterSqlFromSream(entry.getValue().toString()) || !filterHtmlStr(entry.getValue().toString())){
System.out.println("2====非法字符 key=" +entry.getKey().toString() + ";value=" + entry.getValue().toString());
illegalStr = true;
break;
}
}
}
}
return illegalStr;
}
public boolean filterHtmlStr(String inputStr) {
Matcher mHtml = HTML_PATTERN.matcher(inputStr);
if (mHtml.find()) {
log.info("1------------------------Html str:" + inputStr);
return false;
}
Matcher m = SCRIPT_PATTERN.matcher(inputStr);
if (m.find()) {
log.info("1------------------------js str:" + inputStr);
return false;
}
return true;
}
public boolean filterHtmlStr(HttpServletRequest request) {
Map<String, String[]> paramMap = request.getParameterMap();
String lowStr = null;
Set<Entry<String, String[]>> keSet = paramMap.entrySet();
for (Iterator<Entry<String, String[]>> itr = keSet.iterator(); itr
.hasNext();) {
@SuppressWarnings("rawtypes")
Map.Entry me = (Map.Entry) itr.next();
Object ov = me.getValue();
String[] value = new String[1];
if (ov instanceof String[]) {
value = (String[]) ov;
} else {
value[0] = ov.toString();
}
for (int k = 0; k < value.length; k++) {
lowStr = value[k];
Matcher mHtml = HTML_PATTERN.matcher(lowStr);
if (mHtml.find()) {
log.info("2------------------------Html str:" + lowStr);
return false;
}
Matcher m = SCRIPT_PATTERN.matcher(lowStr);
if (m.find()) {
log.info("2------------------------js str:" + lowStr);
return false;
}
}
}
return true;
}
public boolean filterSql(HttpServletRequest request) {
Enumeration<String> params = request.getParameterNames();
String sql = "";
String name = "";
while (params.hasMoreElements()) {
name = params.nextElement().toString();
log.info(String.format("name is [%s]", name));
String[] value = request.getParameterValues(name);
for (int i = 0; i < value.length; i++) {
sql += value[i] + " ";
}
}
sql = sql.toLowerCase();
String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|chr|mid|truncate|"
+ "char|declare|sitename|net user|xp_cmdshell|or|like'|and|exec|execute|insert|create|drop|"
+ "table|from|grant|use|group_concat|column_name|"
+ "information_schema.columns|table_schema|union|where|order|by|count|*|"
+ "chr|mid|truncate|char|declare|or|like";
String[] badStrs = badStr.split("\\|");
String[] param = sql.split(" ");
for (int j = 0; j < param.length; j++)
for (int i = 0; i < badStrs.length; i++) {
if (param[j].equalsIgnoreCase(badStrs[i])) {
log.info(String.format("1------------查詢到SQL注入,輸入參數:[%s]", sql));
return false;
}
}
return true;
}
public boolean filterSqlFromSream(String inputJson) {
String sql = "";
try {
sql = URLDecoder.decode(inputJson,"UTF-8");
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|chr|mid|truncate|"
+ "char|declare|sitename|net user|xp_cmdshell|or|like'|and|exec|execute|insert|create|drop|"
+ "table|from|grant|use|group_concat|column_name|"
+ "information_schema.columns|table_schema|union|where|order|by|count|*|"
+ "chr|mid|truncate|char|declare|or|like";
String[] badStrs = badStr.split("\\|");
String[] param = sql.split(" ");
for (int j = 0; j < param.length; j++)
for (int i = 0; i < badStrs.length; i++) {
if (param[j].equalsIgnoreCase(badStrs[i])) {
log.info(String.format("2------------查詢到SQL注入,輸入參數:[%s]", sql));
return false;
}
}
return true;
}
public String checkSpecialWord(String str) {
return Pattern
.compile(
"[`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#�?%…�??&*()—�??+|{}【�?��?�;:�?��?��?��?�,、?]")
.matcher(str).replaceAll("").trim();
}
private Map<String, String> getFailedMap(String message) {
Map<String, String> ret = new HashMap<String,String>();
ret.put("status", "failed");
ret.put("message", message);
return ret;
}
class XSSRequestWrapper extends HttpServletRequestWrapper {
public XSSRequestWrapper(HttpServletRequest request) {
super(request);
}
public String getParameter(String name) {
String value = super.getParameter(name);
if (value != null) {
value = cleanXSS(value);
}
return value;
}
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (values != null) {
for (int i = 0; i < values.length; i++) {
values[i] = cleanXSS(values[i]);
}
}
return values;
}
private String cleanXSS(String value) {
value = value.replaceAll("<", "<").replaceAll(">", ">");
if(value.toLowerCase().contains("<script") || value.toLowerCase().contains("</script>") ){
value = value.substring(0,value.toLowerCase().indexOf("script"))+value.substring(value.toLowerCase().indexOf("script")+6);
}
return value;
}
}
}
相關文章
- 1. 記一次詭異的bug
- 2. 記一次詭異的debug
- 3. 關於overflow: hidden;的一個詭異問題
- 4. wcf的詭異問題
- 5. C++詭異的問題
- 6. 記錄一次詭異的Maven Profile不生效的問題
- 7. 一個詭異的"可見性"問題
- 8. 記一個詭異的UDP問題
- 9. 一個詭異的Java問題
- 10. 關於一道promise的詭異題目的理解
- 更多相關文章...
- • 一對一關聯查詢 - MyBatis教程
- • Redis悲觀鎖解決高併發搶紅包的問題 - 紅包項目實戰
- • ☆基於Java Instrument的Agent實現
- • 適用於PHP初學者的學習線路和建議
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 記一次詭異的bug
- 2. 記一次詭異的debug
- 3. 關於overflow: hidden;的一個詭異問題
- 4. wcf的詭異問題
- 5. C++詭異的問題
- 6. 記錄一次詭異的Maven Profile不生效的問題
- 7. 一個詭異的"可見性"問題
- 8. 記一個詭異的UDP問題
- 9. 一個詭異的Java問題
- 10. 關於一道promise的詭異題目的理解