java xss漏洞Filter

于 2017-05-18 11:23:52 发布
阅读量9.3k 收藏 4
点赞数
分类专栏: 网站安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_31307269/article/details/72461201
版权 
public class XssFilter implements Filter {
	private static final Logger logger = LogManager.getLogger(XssFilter.class);

	/**
	 * 排除部分URL不做过滤
	 */
	private List<String> excludeUrls = new ArrayList<String>();

	/**
	 * 公告新增、修改用到富文本,对标签进行转义
	 */
	private List<String> noticeUrls = new ArrayList<String>();

	public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
			throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) arg0;
		HttpServletResponse response = (HttpServletResponse) arg1;
		String pathInfo = req.getPathInfo() == null ? "" : req.getPathInfo();
		String url = req.getServletPath() + pathInfo;
		String uri = req.getRequestURI();
		boolean isNoticeUrl = false;
		// 排除部分URL不做过滤。
		for (String str : excludeUrls) {
			if (uri.indexOf(str) >= 0) {
				logger.info("该URL不作校验:" + url);
				arg2.doFilter(req, response);
				return;
			}
		}
		for (String st : noticeUrls) {
			if (uri.indexOf(st) >= 0) {
				isNoticeUrl = true;
				break;
			}
		}
		// 获取请求所有参数,校验防止SQL注入,防止XSS漏洞

		Enumeration<?> params = req.getParameterNames();
		String paramN = null;
		while (params.hasMoreElements()) {
			paramN = (String) params.nextElement();
			String paramVale = req.getParameter(paramN);
			if (!paramN.toLowerCase().contains("password")) {
				logger.info(paramN + "==" + paramVale);
			}
			if (isNoticeUrl) {
				paramVale = xssEncode(paramVale);
			}
			// 校验是否存在SQL注入信息
			if (checkSQLInject(paramVale, url)) {
				errorResponse(response, paramN);
				return;
			}
		}
		arg2.doFilter(req, response);

	}

	private void errorResponse(HttpServletResponse response, String paramNm) throws IOException {
		String warning = "输入项中不能包含非法字符。";

		response.setContentType("text/html; charset=UTF-8");
		PrintWriter out = response.getWriter();

		out.println("{\"httpCode\":\"-9998\",\"msg\":\"" + warning + "\", \"fieldName\": \"" + paramNm + "\"}");
		out.flush();
		out.close();
	}

	public void destroy() {
	}

	public void init(FilterConfig filterconfig1) throws ServletException {
		// 读取文件
		String path = XssFilter.class.getResource("/").getFile();
		excludeUrls = readFile(path + "xssWhite.txt");
		noticeUrls.add("notice!saveNotice");
		noticeUrls.add("notice!updateNoticeById");
	}

	/**
	 * 读取白名单
	 * 
	 * @param fileName
	 * @return
	 */
	private List<String> readFile(String fileName) {
		List<String> list = new ArrayList<String>();
		BufferedReader reader = null;
		FileInputStream fis = null;
		try {
			File f = new File(fileName);
			if (f.isFile() && f.exists()) {
				fis = new FileInputStream(f);
				reader = new BufferedReader(new InputStreamReader(fis, "UTF-8"));
				String line;
				while ((line = reader.readLine()) != null) {
					if (!"".equals(line)) {
						list.add(line);
					}
				}
			}
		} catch (Exception e) {
			logger.error("readFile", e);
		} finally {
			try {
				if (reader != null) {
					reader.close();
				}
			} catch (IOException e) {
				logger.error("InputStream关闭异常", e);
			}
			try {
				if (fis != null) {
					fis.close();
				}
			} catch (IOException e) {
				logger.error("FileInputStream关闭异常", e);
			}
		}
		return list;
	}

	private String xssEncode(String s) {
		if (s == null || s.isEmpty()) {
			return s;
		}
		StringBuilder sb = new StringBuilder(s.length() + 16);
		for (int i = 0; i < s.length(); i++) {
			char c = s.charAt(i);
			switch (c) {
			case '>':
				sb.append('>');// 全角大于号
				break;
			case '<':
				sb.append('<');// 全角小于号
				break;
			case '\'':
				sb.append('‘');// 全角单引号
				break;
			case '\"':
				sb.append('“');// 全角双引号
				break;
			case '&':
				sb.append('&');// 全角
				break;
			case '\\':
				sb.append('\');// 全角斜线
				break;
			case '#':
				sb.append('#');// 全角井号
				break;
			case '(':
				sb.append('(');//
				break;
			case ')':
				sb.append(')');//
				break;
			default:
				sb.append(c);
				break;
			}
		}
		return sb.toString();
	}

	/**
	 * 
	 * 检查是否存在非法字符,防止SQL注入
	 * 
	 * @param str
	 *            被检查的字符串
	 * @return ture-字符串中存在非法字符,false-不存在非法字符
	 */
	public static boolean checkSQLInject(String str, String url) {
		if (StringUtils.isEmpty(str)) {
			return false;// 如果传入空串则认为不存在非法字符
		}

		// 判断黑名单
		String[] inj_stra = { "script", "mid", "master", "truncate", "insert", "select", "delete", "update", "declare",
				"iframe", "'", "onreadystatechange", "alert", "atestu", "xss", ";", "'", "\"", "<", ">", "(", ")", ",",
				"\\", "svg", "confirm", "prompt", "onload", "onmouseover", "onfocus", "onerror" };

		str = str.toLowerCase(); // sql不区分大小写

		for (int i = 0; i < inj_stra.length; i++) {
			if (str.indexOf(inj_stra[i]) >= 0) {
				logger.info("xss防攻击拦截url:" + url + ",原因:特殊字符,传入str=" + str + ",包含特殊字符:" + inj_stra[i]);
				return true;
			}
		}
		return false;
	}
}

走走停停的小码农
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值