WEB安全实战(五)XSS 攻击的另外一种解决方案(推荐)
序
旧方案
问题
新方案
<span style="font-family:Comic Sans MS;">public class NewXssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; public NewXssHttpServletRequestWrapper(HttpServletRequest request) { super(request); orgRequest = request; } /** * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */ @Override public String getParameter(String name) { System.out.println("NewXssFilter处理前的 Value = " + super.getParameterValues(name)); String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } System.out.println("NewXssFilter处理后的 Value = " + value); return value; } /** * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/> getHeaderNames 也可能需要覆盖 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引起xss漏洞的半角字符直接替换成全角字符 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || s.isEmpty()) { return s; } StringReader reader = new StringReader( s ); StringWriter writer = new StringWriter(); try { HTMLParser.process( reader, writer, new XSSFilter(), true ); return writer.toString(); } catch (NullPointerException e) { return s; } catch(Exception ex) { ex.printStackTrace(); } return null; } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof NewXssHttpServletRequestWrapper) { return ((NewXssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } }</span>
<span style="font-family:Comic Sans MS;">public class NewXssFilter implements Filter { FilterConfig filterConfig = null; @Override public void destroy() { this.filterConfig = null; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String path = ((HttpServletRequest) request).getContextPath(); String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/"; // HTTP 头设置 Referer过滤 String referer = ((HttpServletRequest) request).getHeader("Referer"); // REFRESH if (referer != null && referer.indexOf(basePath) < 0) { ((HttpServletRequest) request).getRequestDispatcher( ((HttpServletRequest) request).getRequestURI()).forward( ((HttpServletRequest) request), response); System.out.println("referer不为空,referer >>>>>>>>>>>>>> " + referer); } NewXssHttpServletRequestWrapper xssRequest = new NewXssHttpServletRequestWrapper((HttpServletRequest) request); chain.doFilter(xssRequest, response); } @Override public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; } }</span>
<span style="font-family:Comic Sans MS;"><filter> <filter-name>XssSqlFilter</filter-name> <filter-class>com.***.web.common.NewXssFilter</filter-class> </filter> <filter-mapping> <filter-name>XssSqlFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping></span>
结束语
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。