背景:等保测评公司针对我系统进行了一次渗透测试,并发现存在XSS漏洞,现记录修复过程。
框架:SSM。
全站XSS:
漏洞风险等级:中危
涉及页面:全站存在内容输入处
漏洞描述:所有模块可以修改内容处存在XSS,填入恶意代码后触发。
修复建议:过滤所有输入内容。(防止恶意弹窗/跨站脚本/过滤敏感字符/违法信息等)
解决方案
列举方案1:写个DispatcherServlet
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.HandlerExecutionChain;
@SuppressWarnings("serial")
public class DispatcherServletWrapper extends DispatcherServlet {
@Override
protected HandlerExecutionChain getHandler(HttpServletRequest request) throws Exception {
HandlerExecutionChain chain = super.getHandler(request);
Object handler = chain.getHandler();
if (!(handler instanceof HandlerMethod)) {
return chain;
}
HandlerMethod hm = (HandlerMethod)handler;
if (!hm.getBeanType().isAnnotationPresent(Controller.class)) {
return chain;
}
//仅处理@Controller注解的Bean
return new HandlerExecutionChainWrapper(chain,request,getWebApplicationContext());
}
}
在getHandler中返回HandlerExecutionChainWrapper
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.cglib.proxy.Enhancer;
import org.springframework.cglib.proxy.MethodInterceptor;
import org.springframework.cglib.proxy.MethodProxy;
import org.springframework.util.ReflectionUtils;
import org.springframework.util.ReflectionUtils.FieldCallback;
import org.springframework.util.ReflectionUtils.FieldFilter;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.util.HtmlUtils;
public class HandlerExecutionChainWrapper extends HandlerExecutionChain {
private BeanFactory beanFactory;
private HttpServletRequest request;
private HandlerMethod handlerWrapper;
private byte[] lock = new byte[0];
public HandlerExecutionChainWrapper(HandlerExecutionChain chain,
HttpServletRequest request,
BeanFactory beanFactory) {
super(chain.getHandler(),chain.getInterceptors());
this.request = request;
this.beanFactory = beanFactory;
}
@Override
public Object getHandler() {
if (handlerWrapper != null) {
return handlerWrapper;
}
synchronized (lock) {
if (handlerWrapper != null) {
return handlerWrapper;
}
HandlerMethod superMethodHandler = (HandlerMethod)super.getHandler();
Object proxyBean = createProxyBean(superMethodHandler);
handlerWrapper = new HandlerMethod(proxyBean,superMethodHandler.getMethod());
return handlerWrapper;
}
}
/**
* 为Controller Bean创建一个代理实例,以便用于 实现调用真实Controller Bean前的切面拦截
* 用以过滤方法参数中可能的XSS注入
* @param handler
* @return
*/
private Object createProxyBean(HandlerMethod handler) {
try {
Enhancer enhancer = new Enhancer();
enhancer.setSuperclass(handler.getBeanType());
Object bean = handler.getBean();
if (bean instanceof String) {
bean = beanFactory.getBean((String)bean);
}
ControllerXssInterceptor xss = new ControllerXssInterceptor(bean);
xss.setRequest(this.request);
enhancer.setCallback(xss);
return enhancer.create();
}catch(Exception e) {
throw new IllegalStateException("为Controller创建代理失败:"+e.getMessage(), e);
}
}
public static class ControllerXssInterceptor implements MethodInterceptor {
private Object target;
private HttpServletRequest request;
private List<String> objectMatchPackages;
public ControllerXssInterceptor(Object target) {
this.target = target;
this.objectMatchPackages = new ArrayList<String>();
this.objectMatchPackages.add("com.jwell");
}
public void setRequest(HttpServletRequest request) {
this.request = request;
}
@Override
public Object intercept(Object obj, Method method, Object[] args,
MethodProxy proxy)
throws Throwable {
//对Controller的方法参数进行调用前处理
//过滤String类型参数中可能存在的XSS注入
if (args != null) {
for (int i=0;i<args.length;i++) {
if (args[i]==null)
continue;
if (args[i] instanceof String) {
args[i] = stringXssReplace((String)args[i]);
continue;
}
for(String pk:objectMatchPackages) {
if (args[i].getClass().getName().startsWith(pk)) {
objectXssReplace(args[i]);
break;
}
}
}
}
return method.invoke(target, args);
}
private String stringXssReplace(String argument) {
return HtmlUtils.htmlEscape(argument);
}
private void objectXssReplace(final Object argument) {
if (argument == null)
return;
ReflectionUtils.doWithFields(argument.getClass(), new FieldCallback(){
@Override
public void doWith(Field field) throws IllegalArgumentException, IllegalAccessException {
ReflectionUtils.makeAccessible(field);
String fv = (String)field.get(argument);
if (fv != null) {
String nv = HtmlUtils.htmlEscape(fv);
field.set(argument, nv);
}
}
}, new FieldFilter(){
@Override
public boolean matches(Field field) {
boolean typeMatch = String.class.equals(field.getType());
if (request!=null && "GET".equals(request.getMethod())) {
boolean requMatch = request.getParameterMap().containsKey(field.getName());
return typeMatch && requMatch;
}
return typeMatch;
}
});
}
}
web.xml 替换DispatcherServlet
<!--将org.springframework.web.servlet.DispatcherServlet替换成自己的DispatcherServletWrapper -->
<servlet>
<servlet-name>SpringMVC</servlet-name>
<!--安全测试 -->
<!-- <servlet-class>com.xx.xx.bmms.web.filter.DispatcherServletWrapper</servlet-class> -->
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-mvc-bpbj.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
</servlet>
再次测试,已解决,不过此方案本人不推荐,原因(会影响业务,谁用谁知道 哈哈~)
列举方案2:写个filter(推荐)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter{
FilterConfig filterConfig = null;
@Override
public void destroy() {
// TODO Auto-generated method stub
this.filterConfig = null;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// TODO Auto-generated method stub
chain.doFilter(new XssShellInterceptor( (HttpServletRequest) request), response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// TODO Auto-generated method stub
this.filterConfig = filterConfig;
}
XssShellInterceptor类(HttpServletRequestWrapper)
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XssShellInterceptor extends HttpServletRequestWrapper{
public XssShellInterceptor(HttpServletRequest request) {
super(request);
}
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values==null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
return cleanXSS(value);
}
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null)
return null;
return cleanXSS(value);
}
//过滤规则 目前我只配了过滤 script
private String cleanXSS(String value) {
//value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
//value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
//value = value.replaceAll("'", "& #39;");
//value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
}
web.xml 添加filter
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.xx.xx.bmms.web.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
再次测试,已解决。注意:如果web.xml中有多个filter 注意执行顺序。