简单总结一下:
xss:跨站脚本攻击,通过前端input将js脚本注入到后台
sql注入:将恶意的sql命令注入到后台数据库引擎执行
csrf:跨站请求伪造,以用户身份在攻击页面对目标网站发起伪造用户操作的请求
其中,xss和sql注入可以通过拦截请求并过滤特殊字符来防御;而csrf需要通过referer检测和token校验来防御。如果只做referer检测,在实际的第三方机构检测中csrf漏洞仍会被判定存在,所以还需要进行token校验。token校验在这里不做过多说明,下面只实现referer检测。
首先创建一个过滤器:
package com.net.web.filter;
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.net.pva.sysconfig.AppConfig;
import com.net.web.common.UserTools;
import com.net.web.utils.XssFilterHttpServletRequestWrapper;
/**
* @Title XssAndSqlFilter.java
* @Description 防XSS、sql注入和CSRF漏洞 filter
* @author 2Dark
*/
public class XssAndSqlFilter implements Filter {
// Request-URL whitelist for the CSRF check, read once at class-load time from the
// AppConfig key "csrf.white.url". How the value is split/matched is not visible here;
// if AppConfig.get returns null for a missing key, every user of this field must cope.
public static final String CSRF_WHITE_URL = AppConfig.get("csrf.white.url");
// Whitelist of API endpoints exempt from SQL-injection interception: requests to these
// endpoints are passed through even when they carry sensitive parameters. Because an
// entry here disables the filter entirely for that endpoint, keep the list minimal.
// Read once at class-load time from the AppConfig key "sql.white.api".
public static final String SQL_WHITE_API = AppConfig.get("sql.white.api");
// Container-supplied configuration, assigned in init() and otherwise unused in the visible code.
protected FilterConfig filterConfig = null;
// Not read anywhere in the visible code; its intended meaning is unclear — confirm before relying on it.
protected boolean ignore = true;
/**
 * Releases filter resources when the container takes the filter out of service.
 * <p>
 * The visible code acquires nothing beyond the {@link FilterConfig} reference stored
 * in {@code init}, so there is nothing to release and this is intentionally a no-op.
 */
@Override
public void destroy() {
    // Intentionally empty: no resources are held that need explicit release.
}
/**
 * Keeps the container-supplied configuration for later use by the filter.
 *
 * @param arg0 the {@link FilterConfig} handed over by the servlet container
 * @throws ServletException never thrown by this implementation; declared only to
 *         satisfy the {@link Filter} contract
 */
@Override
public void init(FilterConfig arg0) throws ServletException {
    filterConfig = arg0;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
javax.servlet.FilterChain chain) throws IOException,
ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
//请求头检测
Enumeration<String> enumParams = req.getHeaderNames();
while (enumParams.hasMoreElements()) {
String headName = enumParams.nextElement();
headName = headName.toLowerCase();
String headValue = req.getHeader(headName);
headValue = headValue.toLowerCase();
if (headName.equals("referer")) {
if (isCSRFAttack(headValue)) {
return;
}
}
}
// //