跨站请求伪造(CSRF):是一种挟制用户在当前已登录的Web应用程序上执行非本意的操作的攻击方法。跟跨网站脚本(XSS)相比,XSS 利用的是用户对指定网站的信任,CSRF 利用的是网站对用户网页浏览器的信任。
漏洞原理:用户C访问正常网站A时进行登录,浏览器保存A的cookie;用户C再访问攻击网站B,网站B上有某个隐藏的链接或者图片标签会自动请求网站A的URL地址,例如表单提交,传指定的参数;而攻击网站B在访问网站A的时候,浏览器会自动带上网站A的cookie;所以网站A在接收到请求之后可判断当前用户是登录状态,所以根据用户的权限做具体的操作逻辑,造成伪造成功。
跨域资源共享漏洞(CORS):CORS是一个W3C标准,全称是"跨域资源共享"(Cross-origin resource sharing)。它允许浏览器向跨源(协议 + 域名 + 端口)服务器,发出XMLHttpRequest请求,从而克服了AJAX只能同源使用的限制。
漏洞原理:也可以说是配置缺陷,请求时Origin字段的值没有做限制,默认为*,接受任意域名的请求。
修复代码如下:
public class RefererFilter implements Filter {
private static Logger logger = LoggerFactory.getLogger(RefererFilter.class);
private final String ORIGIN = "Origin";
private final String REFERER = "referer";
/** 允许访问的域名列表 */
private List<String> allowDomainList = new ArrayList<>();
/** 过滤器忽略处理的url规则 */
private List<String> excludes = new ArrayList<>();
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (logger.isDebugEnabled()) {
logger.debug("referer filter is open");
}
// 判断该url是否需要过滤
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
if (handleExcludeURL(req, resp)) {
chain.doFilter(request, response);
return;
}
if (null != allowDomainList && !allowDomainList.isEmpty()) {
logger.info("referer过滤");
String origin = req.getHeader(ORIGIN);
// 获取referer域
String referer = getRefererDomain(req.getHeader(REFERER));
logger.info("origin={}, referer={}", origin, referer);
if (origin == null || (allowDomainList.contains(origin) && (allowDomainList.contains(referer)))) {
// 有值,就继续执行下一个过滤链
chain.doFilter(request, response);
} else {
// 服务器拒绝
resp.setStatus(HttpStatus.FORBIDDEN.value());
}
} else {
chain.doFilter(request, response);
}
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
if (logger.isDebugEnabled()) {
logger.debug("referer filter init ====================");
}
String excludesTemp = filterConfig.getInitParameter("excludes");
if (excludesTemp != null) {
String[] url = excludesTemp.split(",");
for (int i = 0; url != null && i < url.length; i++) {
excludes.add(url[i]);
}
}
logger.info("excludes={}", excludes);
String allowDomainListTemp = filterConfig.getInitParameter("allowDomainList");
if (allowDomainListTemp != null) {
String[] url = allowDomainListTemp.split(",");
for (int i = 0; url != null && i < url.length; i++) {
allowDomainList.add(url[i]);
}
}
logger.info("allowDomainList={}", allowDomainList);
}
/**
* @param request
* @param response
* @return
*/
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {
if (excludes == null || excludes.isEmpty()) {
return false;
}
String url = request.getServletPath();
logger.info("校验{}是否需要referer过滤。", url);
for (String pattern : excludes) {
Pattern p = Pattern.compile("^" + pattern);
Matcher m = p.matcher(url);
if (m.find()) {
return true;
}
}
return false;
}
/**
* 获取referer域名
*
* @param refererUrl
* @return
*/
private static String getRefererDomain(String referer) {
String result = referer;
if (StringUtils.isNotBlank(referer)) {
if (referer.startsWith("https://")) {
int i = referer.substring(8).indexOf("/");
if (i > 0) {
result = referer.substring(0, 8 + i);
}
} else if (referer.startsWith("http://")) {
int i = referer.substring(7).indexOf("/");
if (i > 0) {
result = referer.substring(0, 7 + i);
}
}
}
return result;
}
}
修复代码,仅供学习参考。