1、跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞
主要是通过在url或参数中添加脚本如:
1、URL中添加<script>alert(1)</script>
2、参数value=<a href="http://demo.com"></a>。
添加一个过滤器对特殊字符进行拦截
- package com.xxx.sys.filter;
- import java.io.IOException;
- import java.util.Enumeration;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.apache.log4j.Logger;
- /**
- * 非法字符过滤器
- * 1.所有非法字符配置在web.xml中,如需添加新字符,请自行配置
- * 2.请注意请求与相应时的编码格式设置,否则遇到中文时,会出现乱码(GBK与其子集应该没问题)
- * @author lee
- *
- */
- public class CharFilter implements Filter {
- private Logger log = Logger.getLogger(CharFilter.class);
- private String encoding;
- private String[] legalNames;
- private String[] illegalChars;
- public void init(FilterConfig filterConfig) throws ServletException {
- encoding = filterConfig.getInitParameter("encoding");
- legalNames = filterConfig.getInitParameter("legalNames").split(",");
- illegalChars = filterConfig.getInitParameter("illegalChars").split(",");
- }
- public void destroy() {
- encoding = null;
- legalNames = null;
- illegalChars = null;
- }
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain filterChain) throws IOException, ServletException {
- HttpServletRequest req = (HttpServletRequest)request;
- HttpServletResponse res = (HttpServletResponse) response;
- //必须手动指定编码格式
- req.setCharacterEncoding(encoding);
- String tempURL = req.getRequestURI();
- log.info(tempURL);
- Enumeration params = req.getParameterNames();
- //是否执行过滤 true:执行过滤 false:不执行过滤
- boolean executable = true;
- //非法状态 true:非法 false;不非法
- boolean illegalStatus = false;
- String illegalChar = "";
- //对参数名与参数进行判断
- w:while(params.hasMoreElements()){
- String paramName = (String) params.nextElement();
- executable = true;
- //密码不过滤
- if(paramName.toLowerCase().contains("password")){
- executable = false;
- }else{
- //检查提交参数的名字,是否合法,即不过滤其提交的值
- f:for(int i=0;i<legalNames.length;i++){
- if(legalNames[i].equals(paramName)){
- executable = false;
- break f;
- }
- }
- }
- if(executable){
- String[] paramValues = req.getParameterValues(paramName);
- f1:for(int i=0;i<paramValues.length;i++){
- String paramValue = paramValues[i];
- f2:for(int j=0;j<illegalChars.length;j++){
- illegalChar = illegalChars[j];
- if(paramValue.indexOf(illegalChar) != -1){
- illegalStatus = true;//非法状态
- break f2;
- }
- }
- if(illegalStatus){
- break f1;
- }
- }
- }
- if(illegalStatus){
- break w;
- }
- }
- //对URL进行判断
- for(int j=0;j<illegalChars.length;j++){
- illegalChar = illegalChars[j];
- if(tempURL.indexOf(illegalChar) != -1){
- illegalStatus = true;//非法状态
- break;
- }
- }
- if(illegalStatus){
- //必须手动指定编码格式
- res.setContentType("text/html;charset="+encoding);
- res.setCharacterEncoding(encoding);
- res.getWriter().print("<script>window.alert('当前链接中存在非法字符');window.history.go(-1);</script>");
- }else{
- filterChain.doFilter(request, response);
- }
- }
- }
web.xml code
- <filter>
- <filter-name>charFilter</filter-name>
- <filter-class>com.xxx.sys.filter.CharFilter</filter-class>
- <init-param>
- <param-name>encoding</param-name>
- <param-value>UTF-8</param-value>
- </init-param>
- <init-param>
- <param-name>legalNames</param-name>
- <param-value>content1,ver,historyURL,listURL</param-value>
- </init-param>
- <init-param>
- <param-name>illegalChars</param-name>
- <param-value>|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\,http</param-value>
- </init-param>
- </filter>