springMVC通过Filter实现防止xss注入

版权声明:欢迎转载 https://blog.csdn.net/qq924862077/article/details/62053577

  跨站脚本工具(cross 斯特scripting),为不和层叠样式表(cascading style sheets,CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS。

恶意攻击者往web页面里插入恶意scriptScript代码,当用户浏览该页之时,嵌入其中Web里面的Script代码会被执行,从而达到恶意攻击用户

的目的。防止XSS攻击简单的预防就是对Request请求中的一些参数去掉一些比较敏感的脚本命令。

原本是打算通过springMVC的HandlerInterceptor机制来实现的,通过获取request然后对request中的参数进行修改,结果虽然值修改了,但在Controller中获取的数值还是没有修改的。没办法就是要Filter来完成。

简单来说就是创建一个新的httpRequest类XsslHttpServletRequestWrapper,然后重写一些get方法(获取参数时对参数进行XSS判断预防)。

@WebFilter(filterName="xssMyfilter",urlPatterns="/*") 
public class MyXssFilter implements Filter{

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
	        throws IOException, ServletException {
		XsslHttpServletRequestWrapper xssRequest = new XsslHttpServletRequestWrapper((HttpServletRequest)request);
		chain.doFilter(xssRequest , response); 
	}
	
	@Override
	public void destroy() {
		
	}
	
}
XSS代码的过滤是在XsslHttpServletRequestWrapper中实现的,主要是覆盖实现了getParameter,getParameterValues,getHeader这几个方法,然后对获取的value值进行XSS处理。

public class XsslHttpServletRequestWrapper extends HttpServletRequestWrapper {

	 HttpServletRequest xssRequest = null;  
	
	public XsslHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		xssRequest = request;
	}
	
	
	 @Override  
	 public String getParameter(String name) {  
	      String value = super.getParameter(replaceXSS(name));  
	        if (value != null) {  
	            value = replaceXSS(value);  
	        }  
	        return value;  
	 }  
	 
	 @Override
	public String[] getParameterValues(String name) {
		 String[] values = super.getParameterValues(replaceXSS(name));
		 if(values != null && values.length > 0){
			 for(int i =0; i< values.length ;i++){
				 values[i] = replaceXSS(values[i]);
			 }
		 }
		return values;
	 }
	 
	 @Override  
	 public String getHeader(String name) {  
	  
	        String value = super.getHeader(replaceXSS(name));  
	        if (value != null) {  
	            value = replaceXSS(value);  
	        }  
	        return value;  
	    } 
	 /**
	  * 去除待带script、src的语句,转义替换后的value值
	  */
	public static String replaceXSS(String value) {
	    if (value != null) {
	        try{
	        	value = value.replace("+","%2B");   //'+' replace to '%2B'
	        	value = URLDecoder.decode(value, "utf-8");
	        }catch(UnsupportedEncodingException e){
	        }catch(IllegalArgumentException e){
	    }
	        
			// Avoid null characters
			value = value.replaceAll("\0", "");

			// Avoid anything between script tags
			Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid anything in a src='...' type of e­xpression
			scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
			value = scriptPattern.matcher(value).replaceAll("");

			scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
			value = scriptPattern.matcher(value).replaceAll("");

			// Remove any lonesome </script> tag
			scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
			value = scriptPattern.matcher(value).replaceAll("");

			// Remove any lonesome <script ...> tag
			scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid eval(...) e­xpressions
			scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid e­xpression(...) e­xpressions
			scriptPattern = Pattern.compile("e­xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
			value = scriptPattern.matcher(value).replaceAll("");

			// Avoid javascript:... e­xpressions
			scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
			value = scriptPattern.matcher(value).replaceAll("");
			// Avoid alert:... e­xpressions
			scriptPattern = Pattern.compile("alert", Pattern.CASE_INSENSITIVE);
			value = scriptPattern.matcher(value).replaceAll("");
			// Avoid onload= e­xpressions
			scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
			value = scriptPattern.matcher(value).replaceAll("");
			scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);  
			value = scriptPattern.matcher(value).replaceAll("");
		}	        
	    return filter(value);
	}
		
		/**
		 * 过滤特殊字符
		 */
		public static String filter(String value) {
	        if (value == null) {
	            return null;
	        }        
	        StringBuffer result = new StringBuffer(value.length());
	        for (int i=0; i<value.length(); ++i) {
	            switch (value.charAt(i)) {
		            case '<':
		                result.append("<");
		                break;
		            case '>': 
		                result.append(">");
		                break;
		            case '"': 
		                result.append(""");
		                break;
		            case '\'': 
		                result.append("'");
		                break;
		            case '%': 
		                result.append("%");
		                break;
		            case ';': 
		                result.append(";");
		                break;
			        case '(': 
		                result.append("(");
		                break;
		            case ')': 
		                result.append(")");
		                break;
		            case '&': 
		                result.append("&");
		                break;
		            case '+':
		                result.append("+");
		                break;
		            default:
		                result.append(value.charAt(i));
		                break;
		        }  
	        }
	        return result.toString();
	    }
	
}



阅读更多
想对作者说点什么?

博主推荐

换一批

没有更多推荐了,返回首页