什么是Xss
答:百度百科中有详细介绍:https://baike.baidu.com/item/xss/917356
方案
建立过滤器，将页面请求中含有的 sql 或者 js 脚本语句过滤掉，再转发到服务端接口。
步骤
- SpringBoot pom.xml 引入
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.4</version>
</dependency>
- 新建XssAndSqlHttpServletRequestWrapper
package com.vtax.base.filter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
/**
*
* @ClassName: XssAndSqlHttpServletRequestWrapper
* @Description:TODO(xss filter 包装类)
* @author: drj
* @date: 2019年5月29日 下午5:02:55
*
* @Copyright: 2019
*
*/
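public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /*
     * Request wrapper that HTML-escapes every parameter value read through it
     * (getParameter, getParameterValues and getParameterMap all go through the same
     * escape helper so a caller cannot read an unescaped copy via one of the three).
     *
     * Scope of what is covered here: only the servlet *parameter* API. Headers, the
     * raw query string, path segments and request bodies read as a stream (e.g. JSON)
     * are not touched by this wrapper. Despite the "AndSql" in the class name, no
     * SQL-specific handling exists in this class; only StringEscapeUtils.escapeHtml4
     * is applied. Because escaping happens on the way in, stored values contain
     * entities (e.g. "&" becomes "&amp;"), so parameters that are not rendered as
     * HTML (passwords, identifiers, free-text searched later) are altered as well;
     * context-aware output encoding in the view layer is the usual complement.
     */

    /**
     * Wraps {@code request} so that parameter values read through this wrapper are
     * HTML-escaped.
     *
     * @param request the request to wrap; passed to {@link HttpServletRequestWrapper}
     */
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the named parameter with HTML special characters escaped via
     * {@link StringEscapeUtils#escapeHtml4(String)}. Empty and absent values are
     * returned unchanged.
     *
     * @param name parameter name
     * @return the escaped value, {@code ""} for an empty value, or {@code null} if absent
     */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /**
     * Returns all values of the named parameter, each HTML-escaped. A new array is
     * returned; the container's array is never modified in place.
     *
     * @param name parameter name
     * @return escaped values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Returns the full parameter map with every value HTML-escaped, so that code
     * reading parameters through the map (rather than by name) sees the same
     * escaped data as {@link #getParameter(String)}.
     *
     * @return an unmodifiable map of escaped values; {@code null} only if the
     *         wrapped request returns {@code null}
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(original.size());
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Escapes one value; {@code null} and {@code ""} pass through unchanged. */
    private static String escape(String value) {
        return StringUtils.isEmpty(value) ? value : StringEscapeUtils.escapeHtml4(value);
    }

    /** Escapes every element into a fresh array; {@code null} input yields {@code null}. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }
}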
- 新建请求Json格式的解析 XssStringJsonSerializer
package com.vtax.base.filter;
import java.io.IOException;
import org.apache.commons.text.StringEscapeUtils;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
/**
*
* @ClassName: XssStringJsonSerializer
* @Description:TODO(实现过滤json类型)
* @author: drj
* @date: 2019年5月29日 下午5:12:49
*
* @Copyright: 2019
*
*/
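public class XssStringJsonSerializer extends JsonSerializer<String> {

    /*
     * Jackson serializer that HTML-escapes String values as they are written.
     * It is invoked when the ObjectMapper it is registered on *serializes* Strings,
     * i.e. while producing output (responses); it does not affect how incoming
     * request bodies are parsed. Consumers of the JSON that are not HTML renderers
     * will receive entity-encoded text (e.g. "&amp;" instead of "&").
     */

    /** @return the type this serializer handles, always {@code String.class} */
    @Override
    public Class<String> handledType() {
        return String.class;
    }

    /**
     * Writes {@code value} as a JSON string with HTML special characters escaped via
     * {@link StringEscapeUtils#escapeHtml4(String)}.
     *
     * @param value              the string to write; {@code null} is written as JSON null
     * @param jsonGenerator      generator to write to
     * @param serializerProvider unused
     * @throws IOException if the generator fails to write
     */
    @Override
    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
            throws IOException {
        if (value == null) {
            // Jackson normally routes nulls to its null serializer, but if this method is
            // reached with a null, emit an explicit JSON null: writing no token at all would
            // leave the enclosing object/array malformed.
            jsonGenerator.writeNull();
            return;
        }
        jsonGenerator.writeString(StringEscapeUtils.escapeHtml4(value));
    }
}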
- 最后就是如何调用它们呢？当然是通过过滤器 XssFilter。
package com.vtax.base.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
/**
*
* @ClassName: XssFilter
* @Description:TODO(防止xss 的过滤器)
* @author: drj
* @date: 2019年5月29日 下午5:05:51
*
* @Copyright: 2019
*
*/
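@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
@Component
public class XssFilter implements Filter {

    /*
     * Servlet filter that replaces each HTTP request with an
     * XssAndSqlHttpServletRequestWrapper before passing it down the chain, so that
     * downstream code reading request parameters receives HTML-escaped values.
     *
     * NOTE(review): the class carries both @WebFilter and @Component. Spring Boot
     * registers a Filter bean automatically; if @ServletComponentScan is also enabled
     * the @WebFilter annotation registers it a second time. Confirm only one
     * registration path is active.
     *
     * The @Bean method below is picked up because Spring processes @Bean methods on
     * @Component classes; it could equally live in a dedicated @Configuration class.
     */

    /**
     * No configuration is read from {@code filterConfig}; nothing to initialise.
     *
     * @param filterConfig unused
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // intentionally empty
    }

    /**
     * Wraps HTTP requests so parameter reads are escaped, then continues the chain.
     * Non-HTTP requests carry no servlet parameters to escape and are passed through
     * unchanged instead of failing with a {@code ClassCastException}.
     *
     * @param request  incoming request
     * @param response outgoing response, passed through untouched
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            chain.doFilter(new XssAndSqlHttpServletRequestWrapper(httpRequest), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** No resources are held; nothing to release. */
    @Override
    public void destroy() {
        // intentionally empty
    }

    /**
     * Builds the application's primary {@link ObjectMapper} with
     * {@link XssStringJsonSerializer} registered, so String values are HTML-escaped
     * when the mapper serializes them.
     *
     * @param builder Spring's preconfigured Jackson builder
     * @return the mapper to use application-wide ({@code @Primary})
     */
    @Bean
    @Primary
    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        // createXmlMapper(false): plain JSON mapper, not an XmlMapper.
        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
        xssModule.addSerializer(new XssStringJsonSerializer());
        objectMapper.registerModule(xssModule);
        return objectMapper;
    }
}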
@Primary 注解表示存在多个同类型 Bean 时，优先注入这个 Bean 方法返回的实例。
asyncSupported = true 配置支持异步，async-supported 是 Servlet 3.0 后推出的新特性。
总结
测试攻击脚本
<script>alert('drj')</script>
其他内容可以参考这篇文章：https://blog.csdn.net/u012610902/article/details/80994242，写得比较详细，可以测试看看效果。