1, There is plenty of material online about XSS vulnerabilities, for example (link)
2, There is also plenty of material on fixing XSS vulnerabilities; this post records how I fixed XSS in my own project
3, For fixing XSS in Spring, see (link)
4, But that method only applies to Spring. Struts has its own interceptor and wrapper mechanism; for a complete XSS fix in Struts, see (link)
5, However, the Struts fix above needs quite a lot of code. For a web project that has been maintained for years, a fix is best done with as little code as possible, so I combined the two articles above into the following solution
6, Use javax.servlet.Filter together with org.apache.struts2.dispatcher.StrutsRequestWrapper to intercept XSS with a minimal amount of code
7, The Filter code is as follows
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class XSSFilter implements Filter {
    private static final Logger LOGGER = LoggerFactory.getLogger(XSSFilter.class);

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String currentURI = httpRequest.getRequestURI();
        // Strip the context path (everything before the second "/"). A URI with only
        // one "/" makes indexOf return -1, which would make substring throw, so guard it
        int slash = currentURI.indexOf("/", 1);
        String targetURI = slash >= 0 ? currentURI.substring(slash) : currentURI;
        LOGGER.info("targetURI:{}", targetURI);
        // Hand Struts a wrapped request so every parameter it reads is HTML-escaped
        chain.doFilter(new XSSStrutsRequestWrapper(httpRequest), response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}
8, The Wrapper code is as follows
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.alibaba.fastjson.JSON;

public class XSSStrutsRequestWrapper extends StrutsRequestWrapper {
    private static final Logger LOG = LoggerFactory.getLogger(XSSStrutsRequestWrapper.class);

    public XSSStrutsRequestWrapper(HttpServletRequest req) {
        super(req);
    }

    @Override
    public String getParameter(String name) {
        name = StringEscapeUtils.escapeHtml4(name);
        // Escape before returning the value (escapeHtml4(null) returns null)
        return StringEscapeUtils.escapeHtml4(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        name = StringEscapeUtils.escapeHtml4(name);
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        // Escape into a fresh array so the container's own array is left untouched
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = StringEscapeUtils.escapeHtml4(values[i]);
        }
        return escaped;
    }

    @Override
    public Enumeration<String> getParameterNames() {
        // Collect the escaped names into a new list: the loop consumes the original
        // enumeration, so returning it afterwards would yield an empty enumeration
        List<String> escapedNames = new ArrayList<String>();
        Enumeration<String> names = super.getParameterNames();
        while (names.hasMoreElements()) {
            escapedNames.add(StringEscapeUtils.escapeHtml4(names.nextElement()));
        }
        return Collections.enumeration(escapedNames);
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        LOG.info("getParameterMap");
        Map<String, String[]> paramMap = super.getParameterMap();
        if (CollectionUtils.isEmpty(paramMap)) {
            return paramMap;
        }
        // Build an escaped copy instead of writing into the container's arrays;
        // escaping in place would escape the already-escaped values again on every call
        Map<String, String[]> escapedMap = new HashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : paramMap.entrySet()) {
            String[] str = entry.getValue();
            String[] escaped = null;
            if (str != null) {
                escaped = new String[str.length];
                for (int i = 0; i < str.length; i++) {
                    escaped[i] = StringEscapeUtils.escapeHtml4(str[i]);
                }
            }
            escapedMap.put(entry.getKey(), escaped);
        }
        LOG.info("ParameterMap{}", JSON.toJSONString(escapedMap));
        return escapedMap;
    }
}
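As an added example (not code from the original post), here is a small stand-alone harness that runs the XSSStrutsRequestWrapper from item 8 against a constructed request and checks the three properties the wrapper must have: values come back HTML-escaped, reading the parameter map twice gives the same result (no double escaping), and getParameterNames() still lists every name. It assumes the servlet API and Struts 2 jars are on the classpath; XssWrapperCheck and fakeRequest are hypothetical names introduced here.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

// Hypothetical harness; XSSStrutsRequestWrapper is the wrapper from item 8 above.
public class XssWrapperCheck {

    // Fake HttpServletRequest backed by a constructed parameter map, so the wrapper
    // can be exercised without a servlet container (only parameter methods are answered).
    static HttpServletRequest fakeRequest(final Map<String, String[]> params) {
        InvocationHandler h = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) {
                String n = m.getName();
                if (n.equals("getParameterMap")) return params;
                if (n.equals("getParameterNames")) return Collections.enumeration(params.keySet());
                if (n.equals("getParameterValues")) return params.get(args[0]);
                if (n.equals("getParameter")) {
                    String[] v = params.get(args[0]);
                    return v == null || v.length == 0 ? null : v[0];
                }
                return null; // nothing else is used by the wrapper
            }
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, h);
    }

    public static void main(String[] args) {
        Map<String, String[]> params = new HashMap<String, String[]>();
        // Constructed sample input: a script tag in a form field, an ampersand in another
        params.put("comment", new String[] { "<script>alert(1)</script>" });
        params.put("name", new String[] { "Tom & Jerry" });
        XSSStrutsRequestWrapper w = new XSSStrutsRequestWrapper(fakeRequest(params));

        // 1. Values read through the wrapper are HTML-escaped
        check("&lt;script&gt;alert(1)&lt;/script&gt;".equals(w.getParameter("comment")),
              "getParameter escapes");
        // 2. Two reads of the map must agree; a difference means the wrapper escaped the
        //    container's array in place and is now double-escaping (&amp;lt; ...)
        String first = w.getParameterMap().get("comment")[0];
        check(first.equals(w.getParameterMap().get("comment")[0]), "no double escaping");
        // 3. getParameterNames() must still enumerate both names, not a spent enumeration
        check(Collections.list(w.getParameterNames()).size() == 2, "names not exhausted");
        System.out.println("all checks passed");
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError("FAILED: " + what);
    }
}
```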
9, Filter configuration in web.xml
<filter>
    <filter-name>strutsXSSFilter</filter-name>
    <filter-class>com.my.web.xss.XSSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>strutsXSSFilter</filter-name>
    <url-pattern>*.action</url-pattern>
</filter-mapping>
10, Note for the filter configuration above: url-pattern supports only three kinds of matching:
Exact match: e.g. /mytest.action matches only the URL mytest.action
Path match: e.g. /my/* matches URLs with the prefix my
Suffix match: e.g. *.action matches URLs ending in .action
11, The above only intercepts requests that are not multipart/form-data. Requests that use multipart/form-data still need to be validated in the Filter,
and then a class based on org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper has to be written for them