Springboot Xss注入過濾
1.編寫 XssHttpServletRequestWrapper
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) { super(servletRequest); } public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values==null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = cleanXSS(values[i]); } return encodedValues; } /* 覆蓋getParameter方法,將參數名和參數值都作xss過濾。 * 若是須要得到原始的值,則經過super.getParameterValues(name)來獲取 * getParameterNames,getParameterValues和getParameterMap也可能須要覆蓋 */ public String getParameter(String parameter) { String value = super.getParameter(parameter); if (value == null) { return null; } return cleanXSS(value); } /** * 覆蓋getHeader方法,將參數名和參數值都作xss過濾。 * 若是須要得到原始的值,則經過super.getHeaders(name)來獲取 * getHeaderNames 也可能須要覆蓋 */ public String getHeader(String name) { String value = super.getHeader(name); if (value == null) return null; return cleanXSS(value); } private String cleanXSS(String value) { //You'll need to remove the spaces from the html entities below value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;"); value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;"); value = value.replaceAll("'", "& #39;"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); value = value.replaceAll("script", ""); value = value.replaceAll("[*]","["+"*]"); value = value.replaceAll("[+]","["+"+]"); value = value.replaceAll("[?]","["+"?]"); // replace sql 這裏能夠自由發揮 String[] values = value.split(" "); String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|%|chr|mid|master|truncate|" + "char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|" + "table|from|grant|use|group_concat|column_name|" + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|" + "chr|mid|master|truncate|char|declare|or|;|-|--|,|like|//|/|%|#"; String[] badStrs = badStr.split("\\|"); for (int i = 0;i<badStrs.length;i++){ for (int j = 0;j<values.length;j++){ if (values[j].equalsIgnoreCase(badStrs[i])){ values[j] = "forbid"; } } } StringBuilder sb = new StringBuilder(); for (int i = 0;i<values.length;i++){ if (i == values.length-1){ sb.append(values[i]); } else { sb.append(values[i]+" "); } } value = sb.toString(); return value; } }
2. XssFilter import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.servlet.*; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import java.io.IOException; @WebFilter(urlPatterns = "/*") public class XssFilter implements Filter { private static final Logger logger = LoggerFactory.getLogger(XssFilter.class); FilterConfig filterConfig = null; @Override public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; } @Override public void destroy() { this.filterConfig = null; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { logger.info("自定義過濾器->doFilter"); chain.doFilter(new XssHttpServletRequestWrapper( (HttpServletRequest) request), response); } }
3.在spring的啓動類加註解 @SpringBootApplication @ServletComponentScan public class SpringbootApplication { public static void main(String[] args) { SpringApplication.run(SpringbootApplication.class, args); } }
相關文章
- 1. SpringBoot過濾器過濾get及post請求中的XSS和SQL注入
- 2. XSS過濾JAVA過濾器filter 防止常見SQL注入
- 3. xss過濾
- 4. XSS過濾
- 5. Day25 XSS過濾
- 6. SpringBoot過濾XSS腳本攻擊
- 7. XSS注入-簡單過濾繞過方法
- 8. springboot中使用過濾器,jsoup過濾XSS腳本
- 9. KindEditor 和 xss過濾
- 10. xss 如何在springboot項目中進行XSS過濾
- 更多相關文章...
- • SQLite 注入 - SQLite教程
- • Spring DI(依賴注入)的實現方式:屬性注入和構造注入 - Spring教程
- • YAML 入門教程
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
