Java实现XSS防御
XSS概述
跨站脚本攻击(Cross Site Scripting),缩写为XSS。恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的Script代码会被执行,从而达到恶意攻击用户的目的。
Servlet的方式
1、继承HttpServletRequestWrapper,实现对请求参数的过滤
/** * xss请求适配器 */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } /** * 对数组参数进行特殊字符过滤 */ @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = cleanXSS(values[i]); } return encodedValues; } /** * 对参数中特殊字符进行过滤 */ @Override public String getParameter(String name) { String value = super.getParameter(name); if (value == null) { return null; } return cleanXSS(value); } /** * 获取attribute,特殊字符过滤 */ @Override public Object getAttribute(String name) { Object value = super.getAttribute(name); if (value != null && value instanceof String) { cleanXSS((String) value); } return value; } /** * 对请求头部进行特殊字符过滤 */ @Override public String getHeader(String name) { String value = super.getHeader(name); if (value == null) { return null; } return cleanXSS(value); } /** * 转义字符,使用该方法存在一定的弊端 * * @param value * @return */ private String cleanXSS2(String value) { // 移除特殊标签 value = value.replaceAll("<", "<").replaceAll(">", ">"); value = value.replaceAll("\\(", "(").replaceAll("\\)", ")"); value = value.replaceAll("'", "'"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); value = value.replaceAll("script", ""); return value; } private String cleanXSS(String value) { if (value != null) { //推荐使用ESAPI库来避免脚本攻击,value = ESAPI.encoder().canonicalize(value); // 避免空字符串 value = value.replaceAll(" ", ""); // 避免script 标签 Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 避免src形式的表达式 scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 删除单个的 </script> 标签 scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 删除单个的<script ...> 标签 scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 eval(...) 形式表达式 scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 expression(...) 表达式 scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 javascript: 表达式 scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 避免 vbscript:表达式 scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 避免 onload= 表达式 scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); } return value; } }
2、实现Filter,实现XSS过滤器
/** * xss过滤器 */ public class XssFilter implements Filter { FilterConfig filterConfig = null; @Override public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { //对请求进行拦截,防xss处理 chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response); } @Override public void destroy() { this.filterConfig = null; } }
3、注入XSS过滤器,两种方式
第一种方式:配置web.xml
<!-- xss过滤器 -->
<filter>
<filter-name>XssSqlFilter</filter-name>
<filter-class>cn.aric.xss.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssSqlFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
第二种方式:注解
/** * 注入Xss过滤器(注解方式) */ public class WebInitializer implements WebApplicationInitializer{ @Override public void onStartup(ServletContext servletContext) throws ServletException { //添加监听器 servletContext.addListener(RequestContextListener.class); //添加过滤器 Dynamic xssFilterRegistration = servletContext.addFilter("XssFilter", XssFilter.class); //添加映射规则 xssFilterRegistration.addMappingForUrlPatterns( EnumSet.of(DispatcherType.REQUEST,DispatcherType.FORWARD,DispatcherType.INCLUDE), false, "/*"); } }
Spring整合的方式
1、使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法
/** * 解决XSS跨站脚本攻击和sql注入攻击,使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法 */ public class XssSpringHttpServletRequestWrapper extends HttpServletRequestWrapper{ public XssSpringHttpServletRequestWrapper(HttpServletRequest request) { super(request); } /** * 对数组参数进行特殊字符过滤 */ @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); String[] newValues = new String[values.length]; for (int i = 0; i < values.length; i++) { //spring的HtmlUtils进行转义 newValues[i] = HtmlUtils.htmlEscape(values[i]); } return newValues; } /** * 拦截参数,并对其进行字符转义 */ @Override public String getParameter(String name) { return HtmlUtils.htmlEscape(name); } /** * 拦截参数,并对其进行字符转义 */ @Override public Object getAttribute(String name) { return HtmlUtils.htmlEscape(name); } }
2、实现XSS过滤器
/** * spring方式xss过滤器 */ public class XssSpringFilter implements Filter{ @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; chain.doFilter(new XssSpringHttpServletRequestWrapper(req), response); } @Override public void destroy() { } }
3、配置XSS过滤器
<!-- spring方式的xss过滤器 --> <filter> <filter-name>xssSpringFilter</filter-name> <filter-class>cn.aric.xss.XssSpringHttpServletRequestWrapper</filter-class> </filter> <filter-mapping> <filter-name>xssSpringFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
