Web安全常见攻击手段
XSS、SQL注入、防盗链、CSRF、上传漏洞
一、 XSS攻击
- 什么是XSS攻击手段
XSS攻击使用Javascript脚本注入进行攻击
例如在提交表单后,展示到另一个页面,可能会受到XSS脚本注入,读取本地cookie远程发送给黑客服务器端。 - 表单提交数据
- 下面由 thymeleaf + spring Boot 2.2.4 代码实现:
1、省略创建maven工程步骤
2.、修改pom.xml
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.4.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- mysql 依赖 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!-- SpringBoot 对lombok 支持 -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<!-- springboot-log4j -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j</artifactId>
<version>1.3.8.RELEASE</version>
</dependency>
<!-- SpringBoot web 核心组件 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</dependency>
<!-- springboot-aop 技术 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/commons-lang/commons-lang -->
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
</dependencies>
3、创建application.yml
spring:
mvc:
static-path-pattern: template/*
datasource:
type: com.alibaba.druid.pool.DruidDataSource # 当前数据源操作类型
driver-class-name: org.gjt.mm.mysql.Driver # mysql驱动包
url: jdbc:mysql://localhost:3306/could?useUnicode=true&characterEncoding=utf-8&useSSL=false
username: root
password: root
thymeleaf:
#编码格式
encoding: utf-8
#是否开启缓存
cache: false
#后缀
suffix: .html
#设置不严格的html
mode: LEGACYHTML5
#前缀,也就是模板存放的路径
prefix: classpath:/templates/
server:
port: 80
4、创建colud测试数据库和user表
CREATE TABLE `user` (
`pwd` varchar(255) DEFAULT NULL,
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '自增ID',
`user` varchar(64) NOT NULL COMMENT '用户名',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=20599 DEFAULT CHARSET=utf8 COMMENT='用户表';
5、创建启动类XssApplication.java