SpringBoot 处理xss攻击,对html进行转义
什么是 XSS ?
XSS攻击通常指利用网页开发时留下的漏洞,通过巧妙的方法将恶意指令代码注入网页,使用户加载并执行攻击者恶意制造的网页程序。这些恶意网页程序通常是JavaScript,但实际上也可以包括Java、VBScript、ActiveX、Flash,甚至是普通的HTML。攻击成功后,攻击者可能得到包括但不限于更高的权限(如执行一些操作)、私密网页内容、会话和cookie等各种内容。
处理方式
添加依赖
<!-- Provides StringEscapeUtils / StringUtils used by the request wrapper and the JSON deserializer below. Note: StringEscapeUtils is deprecated in commons-lang3 3.6+ in favour of the commons-text equivalent. -->
<dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-lang3</artifactId> <version>3.4</version> </dependency>
继承并重写HttpServletRequestWrapper里的方法
重写里面的:getParameter、getParameterValues
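import org.apache.commons.lang3.StringEscapeUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that HTML-escapes request parameters on read, so that user-supplied
 * markup is not interpreted when a value is later written into an HTML page.
 *
 * Escaping happens on the way in: anything read through this wrapper is seen (and stored)
 * in escaped form. It only protects HTML contexts; other output contexts (JSON, JavaScript,
 * URLs) still need their own encoding at render time.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; must not be null
     * @throws IOException retained for compatibility with existing callers; nothing here throws it
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
    }

    /** Returns the named parameter with HTML special characters escaped, or null if absent. */
    @Override
    public String getParameter(String name) {
        // The raw value is deliberately not printed: parameters may carry credentials or tokens.
        return escape(super.getParameter(name));
    }

    /** Returns every value of the named parameter, each HTML-escaped, or null if absent. */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Returns the full parameter map with every value HTML-escaped. Overridden because a
     * caller reading the map directly would otherwise bypass the escaping applied above.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(original.size());
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        // The servlet contract describes the parameter map as immutable.
        return Collections.unmodifiableMap(escaped);
    }

    /** HTML-escapes a single value; null passes through unchanged. */
    private static String escape(String value) {
        return value == null ? null : StringEscapeUtils.escapeHtml4(value);
    }

    /** Escapes into a fresh array so the container's own parameter storage is never mutated in place. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }
}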
过滤器
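import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Servlet filter that wraps incoming requests in {@code XssHttpServletRequestWrapper} so
 * request parameters are HTML-escaped before controllers read them. It also answers CORS
 * preflight requests and passes static resources and a few upload endpoints through untouched.
 */
@WebFilter(filterName = "XssFilter", urlPatterns = {"/*"})
@Component
public class XssFilter implements Filter {

    /** Path suffixes (static resources) whose requests bypass escaping. */
    private static final String[] EXCLUDED_SUFFIXES =
            {".js", ".gif", ".jpg", ".jpeg", ".png", ".css", ".ico"};

    /** Path fragments (health check, upload/file endpoints) whose requests bypass escaping. */
    private static final String[] EXCLUDED_FRAGMENTS =
            {"health", "uploadPic", "file", "goods/create"};

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /**
     * Applies CORS headers, short-circuits OPTIONS preflights, and wraps every other
     * non-excluded request so its parameters are HTML-escaped on read.
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;

        applyCorsHeaders(request, response);
        if ("OPTIONS".equals(request.getMethod())) {
            // Preflight: the headers are the whole answer; no body and no further processing.
            response.setStatus(HttpServletResponse.SC_OK);
            response.flushBuffer();
            return;
        }

        if (isExcluded(request.getServletPath())) {
            filterChain.doFilter(request, response);
            return;
        }

        filterChain.doFilter(new XssHttpServletRequestWrapper(request), response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Sets the CORS response headers.
     *
     * The request's Origin header is reflected back as Access-Control-Allow-Origin together
     * with Access-Control-Allow-Credentials=true, which lets any site make credentialed
     * cross-origin requests. Kept as written so existing clients keep working; an explicit
     * allow-list of trusted origins should replace the reflection before production use.
     */
    private static void applyCorsHeaders(HttpServletRequest request, HttpServletResponse response) {
        String origin = request.getHeader("Origin");
        if (origin != null) {
            // TODO(review): check origin against an allow-list instead of reflecting it.
            response.setHeader("Access-Control-Allow-Origin", origin);
        }
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers",
                "x-requested-with,Accept,Origin,Content-Type,LastModified,Cookie,UTOKEN");
    }

    /**
     * Decides whether a servlet path bypasses XSS escaping.
     *
     * Static-resource suffixes are matched with endsWith so that, for example, ".js" no
     * longer matches "/data.json"; the endpoint fragments keep the original substring match.
     *
     * @param path the servlet path; null is treated as not excluded
     */
    static boolean isExcluded(String path) {
        if (path == null) {
            return false;
        }
        for (String suffix : EXCLUDED_SUFFIXES) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        for (String fragment : EXCLUDED_FRAGMENTS) {
            if (path.contains(fragment)) {
                return true;
            }
        }
        return false;
    }
}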
对json数据处理
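import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import java.io.IOException;

/**
 * Registers a Jackson module that HTML-escapes every JSON string as it is deserialized, so
 * request bodies receive the same treatment {@code XssHttpServletRequestWrapper} gives to
 * request parameters.
 */
@Configuration
public class WebConfig implements WebMvcConfigurer, InitializingBean {

    /** The application's shared ObjectMapper; optional so this config still loads without one. */
    @Autowired(required = false)
    private ObjectMapper objectMapper;

    /** Builds the module that replaces the default String deserializer with the escaping one. */
    private SimpleModule getSimpleModule() {
        SimpleModule simpleModule = new SimpleModule();
        simpleModule.addDeserializer(String.class, new JsonHtmlXssDeserializer(String.class));
        return simpleModule;
    }

    /**
     * Runs once the bean's properties have been injected (the InitializingBean contract),
     * i.e. after {@code objectMapper} is available, and registers the escaping module on it.
     *
     * @throws Exception per the InitializingBean signature; nothing here throws
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        if (objectMapper != null) {
            objectMapper.registerModule(getSimpleModule());
        }
    }
}

/**
 * Deserializer that HTML-escapes incoming JSON string values.
 *
 * Because it is registered for {@code String.class} it applies to every string field of
 * every request body the mapper handles: {@code &}, {@code <}, {@code >} and {@code "}
 * become entities before the value reaches the controller, so fields that are never
 * rendered as HTML (passwords, raw identifiers, URLs) are altered as well. Escaping at
 * output time, per context, is the usual alternative.
 */
class JsonHtmlXssDeserializer extends JsonDeserializer<String> {

    /**
     * @param string unused; accepted so existing call sites compile unchanged
     */
    public JsonHtmlXssDeserializer(Class<String> string) {
        super();
    }

    @Override
    public Class<String> handledType() {
        return String.class;
    }

    /** Reads the current token as text and returns it HTML-escaped; null stays null. */
    @Override
    public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext)
            throws IOException, JsonProcessingException {
        String value = jsonParser.getValueAsString();
        return value == null ? null : StringEscapeUtils.escapeHtml4(value);
    }
}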
跨站脚本
<script>alert("正在发动xss攻击")</script><a href="http://www.baidu.com">澳门皇家赌场上线了<a>
