今天做了一个防xss攻击的filter,原理是利用继承HttpServletRequestWrapper类,来替换http请求的参数,,
因为项目中需要上传文件,所以涉及到了payload和formdata的区别,这两者的区别就不多说了,用Content-Type属性可用区分出,,,
需要两个类继承自HttpServletRequestWrapper
FormDataXssRequest.java
public class FormDataXssRequest extends HttpServletRequestWrapper {
/**
* Constructs a request object wrapping the given request.
*
* @param request
* @throws IllegalArgumentException if the request is null
*/
public FormDataXssRequest(HttpServletRequest request) {
super(request);
}
//替换非法字符
private String clean(String s){
System.out.println("do xss");
s=s.replaceAll("<","<").replaceAll("script","").replaceAll("eval\\((.*)\\)","");
return s;
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if(values==null){
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for(int i= 0;i<count;i++){
encodedValues[i] = clean(values[i]);
}
return encodedValues;
}
}
PayloadXssRequest .java
public class PayloadXssRequest extends HttpServletRequestWrapper {
private final String body;
/**
* Constructs a request object wrapping the given request.
*
* @param request
* @throws IllegalArgumentException if the request is null
*/
public PayloadXssRequest(HttpServletRequest request) throws IOException {
super(request);
StringBuilder stringBuilder = new StringBuilder();
BufferedReader bufferedReader = null;
try {
InputStream inputStream = request.getInputStream();
if (inputStream != null) {
bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
char[] charBuffer = new char[1024];
int bytesRead = -1;
while ((bytesRead = bufferedReader.read(charBuffer)) > 0) {
stringBuilder.append(charBuffer, 0, bytesRead);
}
} else {
stringBuilder.append("");
}
} catch (IOException ex) {
throw ex;
} finally {
if (bufferedReader != null) {
try {
bufferedReader.close();
} catch (IOException ex) {
throw ex;
}
}
}
body = stringBuilder.toString();
}
//替换非法字符
private String clean(String s) {
System.out.println("do xss :"+s);
s = s.replaceAll("script", "").replaceAll("eval\\((.*)\\)", "");
return s;
}
/**
* Read Request Body payload in Filter
* 读取输入流,,文件post时采用这种方式
*
* @return
* @throws IOException
*/
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(this.getInputStream()));
}
/**
* Read Request Body payload in Filter
* 读取输入流,,文件post时采用这种方式
*
* @return
* @throws IOException
*/
@Override
public ServletInputStream getInputStream() throws IOException {
System.out.println("getInputStream");
final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(clean(body).getBytes());//在这里过滤非法字符
ServletInputStream servletInputStream = new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
public int read() throws IOException {
return byteArrayInputStream.read();
}
};
return servletInputStream;
}
}
下面是Filter,,
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
//替换了request
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
String currentURL = req.getRequestURI();//截取当前文件名用于比较
String head = req.getHeader("Content-Type");
if(currentURL.contains(".jsp")||currentURL.contains(".do")||currentURL.equals("/")){
System.out.println(head);
if(head!=null){
if(!head.contains("application/x-www-form-urlencoded")){//payload
chain.doFilter(new PayloadXssRequest(req),res);//核心,替换了request
System.out.println("payload");
}else {//form data
System.out.println("form data");
chain.doFilter(new FormDataXssRequest(req),res);
}
}else {
chain.doFilter(req,res);
}
}else {
chain.doFilter(req,res);
}
}
@Override
public void destroy() {
}
}
最后在web-xml加上这个过滤器就可以了