防XSS攻擊解決方法

1.web.xml文件中新增filter配置

<!-- Character filtering / validity check of URL request parameters.
     XssFilter wraps every matched request so that parameter reads go through
     XssHttpServletRequestWrapper (see the Java sources below). -->
    <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>com.isoftstone.ifa.web.base.filter.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <!-- Only REQUEST and FORWARD dispatches are wrapped; INCLUDE and ERROR
             dispatch types are not listed here, so requests reaching a servlet
             through those paths are not filtered. -->
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

2.建立XssFilter實例

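package com.isoftstone.ifa.web.base.filter;

import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that wraps each HTTP request in {@link XssHttpServletRequestWrapper}
 * so that code further down the chain reads filtered parameter values.
 *
 * <p>The filter is registered and mapped in web.xml and takes no init parameters of
 * its own; the {@link FilterConfig} is only retained for the filter's lifetime.
 */
public class XssFilter implements Filter {

    FilterConfig filterConfig = null;

    /** Stores the container-supplied configuration; nothing is read from it. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Wraps HTTP requests before handing them to the rest of the chain.
     *
     * <p>The request is only wrapped when it is an {@link HttpServletRequest}; any
     * other {@link ServletRequest} is passed through unchanged rather than failing
     * with a {@code ClassCastException} as the unchecked cast did. The response is
     * passed through as received.
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) req), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Releases the configuration reference. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}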

3.重寫HttpServletRequestWrapper方法

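package com.isoftstone.ifa.web.base.filter;

import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Request wrapper that passes every parameter value through {@link #cleanXSS(String)}.
 *
 * <p>{@code getParameter}, {@code getParameterValues} and {@code getParameterMap} are all
 * overridden so that the three parameter-access paths return the same filtered form;
 * framework data binders usually read {@code getParameterMap()}, which the original
 * wrapper left unfiltered. Parameter names and request headers are passed through
 * unchanged (a header variant is kept below as a disabled option).
 *
 * <p>{@code cleanXSS} is a deny-list: it strips a fixed set of script-like fragments and
 * then HTML-encodes {@code <} and {@code >}. It does not touch quotes or {@code &}, and a
 * fixed list of patterns cannot anticipate every markup form, so treat it as
 * defence-in-depth on input, not as a replacement for context-aware output encoding at
 * render time (the ESAPI encoder recommended in the original notes).
 *
 * <p>Filtering happens on read, so the values stored or echoed by the application are the
 * modified ones; callers that need the raw value cannot recover it from this wrapper.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private static final Logger logger = LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);

    /**
     * Fragments removed from each value, applied in this order (the order of the original
     * implementation: the whole {@code <script>...</script>} element goes first, then the
     * lone tags). Compiled once instead of on every call, since cleanXSS runs for every
     * parameter of every request.
     */
    private static final Pattern[] STRIP_PATTERNS = {
        // <script>...</script> (attribute-less opening tag only; no DOTALL, so single-line)
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // src='...'
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // src="..."
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // lone </script>
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // lone <script ...>
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...)
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // expression(...) — the original literal contained a soft hyphen (U+00AD) after the
        // leading 'e', so it never matched a real "expression(" string.
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript: URL scheme
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // vbscript: URL scheme
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // onload= handler (only this one event attribute is covered)
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the filtered values of a multi-valued parameter.
     *
     * @return a new array of filtered values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        return values == null ? null : cleanAll(values);
    }

    /**
     * Returns the filtered value of a single parameter.
     *
     * @return the filtered value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns an unmodifiable copy of the parameter map with every value filtered.
     *
     * <p>Without this override, code that reads {@code getParameterMap()} directly (typical
     * for framework data binding) would see the raw, unfiltered values.
     */
    // NOTE(review): on pre-3.0 servlet APIs getParameterMap() returns a raw Map — the
    // page does not pin the API version, so the unchecked conversion is suppressed here.
    @SuppressWarnings("unchecked")
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanAll(values));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /*
     * Optional: filter request headers the same way. Disabled in the original; enabling it
     * changes every header read, so check downstream consumers first.
     *
     * @Override
     * public String getHeader(String name) {
     *     String value = super.getHeader(name);
     *     return value == null ? null : cleanXSS(value);
     * }
     */

    /** Filters each element of {@code values} into a new array; the input is not modified. */
    private String[] cleanAll(String[] values) {
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Strips the {@link #STRIP_PATTERNS} fragments from {@code value} and then replaces
     * {@code <} and {@code >} with their HTML entities.
     *
     * @param value raw parameter value; may be {@code null}
     * @return the filtered value, or {@code null} when {@code value} is {@code null}
     */
    private String cleanXSS(String value) {
        // NOTE(review): logs every parameter value verbatim at DEBUG, including any
        // credential fields; consider dropping the value from this message in production.
        logger.debug("過濾前傳遞參數:{}", value);
        if (value != null) {
            // The original notes recommend canonicalising first with the ESAPI library
            // (value = ESAPI.encoder().canonicalize(value)); omitted here to avoid the dependency.
            for (Pattern pattern : STRIP_PATTERNS) {
                value = pattern.matcher(value).replaceAll("");
            }
            // Encode the remaining angle brackets so no tag survives as markup.
            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        }
        logger.debug("過濾後傳遞參數:{}", value);
        return value;
    }
}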