前段时间,博主在帮朋友给一个国营单位做的一个项目中,在上线的前期,客户要求检测漏洞,因此找到了专业的测评公司,测出来好多漏洞,其中就有xss攻击,我将自己处理的方式分享给大家,便于大家少走弯路。
-
package com.yl.filter;
-
-
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.beans.factory.parsing.ReaderEventListener;
-
-
-
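/**
 * Request wrapper that applies a best-effort XSS blacklist ({@link #cleanXSS}) to
 * parameters, attributes, headers and the raw body of a non-multipart request.
 *
 * <p>Multipart (file upload) requests are passed through untouched: rewriting the raw
 * bytes of a multipart body would corrupt its boundaries and break uploads.
 *
 * <p>NOTE(review): this filter is a defence-in-depth measure, not a complete XSS
 * defence. It is case-sensitive, keyword based, and lossy (it strips the substring
 * "script" from legitimate text such as "description"). Context-aware output encoding
 * in the view layer remains the primary control. {@code getParameterMap()},
 * {@code getReader()} and {@code getHeaders(String)} are not overridden here, so
 * callers that use those accessors receive unfiltered values.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Charset used to decode and re-encode the request body. */
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    /** True when the request is a multipart upload; uploads are not filtered. */
    final boolean isUpData;

    /**
     * Sanitized body bytes, read from the underlying request at most once so that
     * {@link #getInputStream()} can be called repeatedly (the underlying stream can
     * only be consumed once).
     */
    private byte[] cachedBody;

    /**
     * Wraps the given request and records whether it is a multipart upload.
     *
     * @param servletRequest the request to wrap; its Content-Type decides whether the
     *                       body is filtered
     */
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
        String contentType = servletRequest.getContentType();
        isUpData = contentType != null && contentType.startsWith("multipart");
    }

    /**
     * Returns the parameter values with each value passed through {@link #cleanXSS}.
     *
     * @param parameter the parameter name
     * @return the sanitized values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Returns the first value of the parameter passed through {@link #cleanXSS}.
     *
     * @param parameter the parameter name
     * @return the sanitized value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns the request attribute, filtering it when it is a {@link String}.
     * Non-string attributes are returned unchanged.
     *
     * @param name the attribute name
     * @return the (possibly sanitized) attribute value, or {@code null} when absent
     */
    @Override
    public Object getAttribute(String name) {
        Object value = super.getAttribute(name);
        if (value instanceof String) {
            return cleanXSS((String) value);
        }
        return value;
    }

    /**
     * Returns the header value passed through {@link #cleanXSS}.
     *
     * @param name the header name
     * @return the sanitized header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Blacklist-based sanitizer: removes a few script-like constructs, then
     * HTML-escapes the characters that can open a tag, a call or a quoted string.
     *
     * <p>The pattern rules run first, while the raw {@code (}, {@code )} and {@code '}
     * characters are still present; running them after the escaping step would make
     * them dead code because the characters they match would already be entities.
     *
     * @param value the raw input; must not be {@code null}
     * @return the sanitized string
     */
    private static String cleanXSS(String value) {
        // Pattern rules (regex).
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replace("script", "");
        // Literal escapes; String.replace is used because none of these need a regex.
        value = value.replace("<", "&lt;").replace(">", "&gt;");
        value = value.replace("%3C", "&lt;").replace("%3E", "&gt;");
        value = value.replace("(", "&#40;").replace(")", "&#41;");
        value = value.replace("%28", "&#40;").replace("%29", "&#41;");
        value = value.replace("'", "&#39;");
        return value;
    }

    /**
     * Returns the request body as a stream. Multipart bodies are passed through
     * unchanged; every other body is read once, sanitized with {@link #cleanXSS} and
     * served from an in-memory copy, so this method may be called more than once.
     *
     * <p>NOTE(review): the Content-Length header is not rewritten, so after filtering
     * it may no longer match the number of bytes actually served.
     *
     * @return a stream over the (sanitized) body
     * @throws IOException if the underlying request stream cannot be opened
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        if (isUpData) {
            return super.getInputStream();
        }
        if (cachedBody == null) {
            // Explicit charset: the no-arg getBytes() would use the platform default.
            cachedBody = inputHandlers(super.getInputStream()).getBytes(UTF_8);
        }
        final ByteArrayInputStream bais = new ByteArrayInputStream(cachedBody);
        return new ServletInputStream() {
            @Override
            public int read() {
                return bais.read();
            }

            // Servlet 3.1 non-blocking API. The data is fully in memory, so it is
            // always ready and finished exactly when the buffer is drained.
            // No @Override: these methods do not exist on Servlet 3.0 containers.
            public boolean isFinished() {
                return bais.available() == 0;
            }

            public boolean isReady() {
                return true;
            }

            public void setReadListener(ReadListener readListener) {
                // Intentionally empty: all data is already available, no callbacks needed.
            }
        };
    }

    /**
     * Reads the whole stream as UTF-8 text and returns it sanitized with
     * {@link #cleanXSS}. Bytes are copied verbatim, so line breaks in the body are
     * preserved (reading line by line would drop them and corrupt multi-line JSON
     * or text bodies). The stream is always closed.
     *
     * <p>Best-effort: an {@link IOException} while reading is reported and the bytes
     * read so far are used.
     *
     * @param servletInputStream the body stream; {@code null} yields an empty result
     * @return the sanitized body text
     */
    public String inputHandlers(ServletInputStream servletInputStream) {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        if (servletInputStream == null) {
            return cleanXSS("");
        }
        try {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = servletInputStream.read(chunk)) != -1) {
                buffer.write(chunk, 0, n);
            }
        } catch (IOException e) {
            // No logger is wired into this class; keep the original reporting style.
            e.printStackTrace();
        } finally {
            try {
                servletInputStream.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return cleanXSS(new String(buffer.toByteArray(), UTF_8));
    }
}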
注意: 标注有上传的地方一定要注意,不能省略掉,否则上传就会有问题,我们当初处理xss攻击时候,忘记管上传了,结果后期在上线阶段上传文件不起作用。
总结:
主要是使用Java Web的过滤器,将所有的request请求参数修改(主要是把存在xss风险的标签转义,如:<script></script>),在转义时我没有自己实现替换与转义,是直接使用的spring自带的HtmlUtils类的htmlEscape方法转义的,方便很多
本人录制了一下智慧消防物联网方面的课程,希望对大家有帮助,需要的可以点击。
转载:https://blog.csdn.net/u010460625/article/details/109007910