防止XSS 攻击相关问题
XSS
XSS是跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS。恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的Script代码会被执行,从而达到恶意攻击用户的目的。(摘自百度百科)
举一个简单的例子:
在网页的输入框中输入
<script>alert(“Hellow! XSS”)</script>
问题来了,浏览器解析到以上代码时就会弹出信息框。
简而言之,XSS攻击就是让浏览器去执行网页中原本不存在的前端代码。
在实际应用中,XSS攻击可以通过脚本盗取网页登录的cookie值、实现网页恶意跳转等等…
XSS 分类
主要分为两类:
反射型XSS,又称非持久型XSS
存储型XSS,也称为持久型XSS
反射型XSS
攻击对于访问者而言是一次性的,发出请求时,XSS代码出现在URL中,作为输入提交到服务器端,服务器端解析后响应,XSS代码随响应内容一起传回给浏览器,最后浏览器解析执行XSS代码。这个过程像一次反射,故叫反射型XSS。
存储型XSS
存储型XSS和反射型XSS的差别仅在于,提交的代码会存储在服务器端(数据库,内存,文件系统等),意味着每次访问对应的页面就会执行XSS脚本。
防范手段
- 过滤,对
<script>、<img>、<a>
等标签进行过滤 - 编码,对输入的 <> 进行转换编码,转换后浏览器不会对该标签进行解释执行
- 限制,要达成XSS攻击往往需要较长的字符串,因此对于一些输入可以做长度预检
防止XSS攻击的具体实现
这里主要使用过滤手段对存储型XSS攻击进行防范:
思路
- 自定义一个Http请求的修饰类
- 自定义一个过滤器
- 注册过滤器
1. 自定义一个Http请求的修饰类
继承 ServletRequest 的http实现类 HttpServletRequestWrapper
- 问题: 这个修饰类为何重写 getReader() 和 getInputStream() ?
- 原因: 因为每个 request body 中的内容都是通过流的方式读取的,也就是说每个请求中body的内容只会被获取一次,我们使用过滤手段就是希望在过滤器中就将body中的数据读取并处理,然而servlet在处理请求的时候发现获取到的body为null,这明显不是我们想要的。
- 解决: 所以我们要将请求中的body数据保存一份,以便后续处理请求的时候能正常读取body中的数据。具体的方法就是,在构造这个修饰类的时候将当前请求对象中的body数据读取并保存一份,并重写 getReader() 和 getInputStream() 方法,以便在后续获取body数据时直接获取保存好的body数据。(具体看以下代码)
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
HttpServletRequest orgRequest = null;
private Map<String, String[]> parameterMap;
// 将body保存以便后续进行 参数校验(原因是 getReader()和 getInputStream() 只能读取一次)
private final byte[] body;
public XssHttpServletRequestWrapper(HttpServletRequest request, boolean isIncludeRichText) throws IOException {
super(request);
orgRequest = request;
parameterMap = request.getParameterMap();
StringBuilder sb = new StringBuilder();
String line;
while ((line = request.getReader().readLine()) != null) {
sb.append(line);
}
this.body = sb.toString().getBytes(StandardCharsets.UTF_8);
}
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
@Override
public boolean isFinished() {
// TODO Auto-generated method stub
return false;
}
@Override
public boolean isReady() {
// TODO Auto-generated method stub
return false;
}
@Override
public void setReadListener(ReadListener listener) {
// TODO Auto-generated method stub
}
};
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request的静态方法
*
* @return
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
/**
* 检查请求参数是否含有非法字符
* @return
*/
public final boolean checkParameter() {
Map<String, String[]> submitParams = new HashMap<String, String[]>(parameterMap);
Set<String> submitNames = submitParams.keySet();
for (String submitName : submitNames) {
Object submitValues = submitParams.get(submitName);
if ((submitValues instanceof String)) {
if (checkXSSAndSql((String) submitValues)) {
return true;
}
} else if ((submitValues instanceof String[])) {
for (String submitValue : (String[])submitValues){
if (checkXSSAndSql(submitValue)) {
return true;
}
}
}
}
return false;
}
public static boolean checkXSSAndSql(String value) {
boolean flag = false;
if (value != null) {
Pattern scriptPattern = Pattern.compile(
"<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Avoid e-xpression(...) expressions
scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
flag = scriptPattern.matcher(value).find();
if (flag) {
return flag;
}
}
return flag;
}
}
2. 自定义一个过滤器
在自定义过滤器中分别对 get/put/post 请求参数进行处理,这里一旦检查到非法参数直接将错误响应前端(响应需要对跨域设置允许)。
具体处理方式可以自行定义
public class XssFilter implements Filter {
private static Logger logger = LoggerFactory.getLogger(XssFilter.class);
private static boolean IS_INCLUDE_RICH_TEXT = false;//是否过滤富文本内容
public List<String> excludes = new ArrayList<String>();
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,ServletException {
if(logger.isDebugEnabled()){
logger.debug("xss filter is open");
}
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
if(handleExcludeURL(req, resp)){
filterChain.doFilter(request, response);
return;
}
String method = "GET";
String param = "";
XssHttpServletRequestWrapper xssRequest = null;
if (request instanceof HttpServletRequest) {
method = ((HttpServletRequest) request).getMethod();
xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request, IS_INCLUDE_RICH_TEXT);
}
if ("POST".equalsIgnoreCase(method)||"PUT".equalsIgnoreCase(method)) {
param = XssFilter.getBodyString(xssRequest.getReader());
if(StringUtils.isNotBlank(param)){
if(XssHttpServletRequestWrapper.checkXSSAndSql(param)){
//检查到请求非法时的处理
resp.setHeader("Access-control-Allow-Origin", req.getHeader("Origin"));
resp.setHeader("Access-Control-Allow-Methods", req.getMethod());
resp.setHeader("Access-Control-Allow-Credentials", "true");
resp.setHeader("content-type", "text/html;charset=UTF-8");
resp.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = resp.getWriter();
out.write(JSONObject.toJSONString(new ReturnValue<String>(ErrorCode.ERROR_UNKNOW, "您所访问的页面请求中有违反安全规则元素存在,拒绝访问!")));
return;
}
}
}
if (xssRequest.checkParameter()) {
//检查到请求非法时的处理
resp.setHeader("Access-control-Allow-Origin", req.getHeader("Origin"));
resp.setHeader("Access-Control-Allow-Methods", req.getMethod());
resp.setHeader("Access-Control-Allow-Credentials", "true");
resp.setHeader("content-type", "text/html;charset=UTF-8");
resp.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = resp.getWriter();
out.write(JSONObject.toJSONString(new ReturnValue<String>(ErrorCode.ERROR_UNKNOW, "您所访问的页面请求中有违反安全规则元素存在,拒绝访问!")));
return;
}
filterChain.doFilter(xssRequest, response);
}
// 获取request请求body中参数
public static String getBodyString(BufferedReader br) {
String inputLine;
String str = "";
try {
while ((inputLine = br.readLine()) != null) {
str += inputLine;
}
br.close();
} catch (IOException e) {
System.out.println("IOException: " + e);
}
return str;
}
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {
if (excludes == null || excludes.isEmpty()) {
return false;
}
String url = request.getServletPath();
for (String pattern : excludes) {
Pattern p = Pattern.compile("^" + pattern);
Matcher m = p.matcher(url);
if (m.find()) {
return true;
}
}
return false;
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
if(logger.isDebugEnabled()){
logger.debug("xss filter init......");
}
String isIncludeRichText = filterConfig.getInitParameter("isIncludeRichText");
if(StringUtils.isNotBlank(isIncludeRichText)){
IS_INCLUDE_RICH_TEXT = BooleanUtils.toBoolean(isIncludeRichText);
}
String temp = filterConfig.getInitParameter("excludes");
if (temp != null) {
String[] url = temp.split(",");
for (int i = 0; url != null && i < url.length; i++) {
excludes.add(url[i]);
}
}
}
@Override
public void destroy() {}
}
3. 注册过滤器
@Configuration
public class XssConfig {
@Bean
public FilterRegistrationBean<XssFilter> xssFilterRegistrationBean() {
FilterRegistrationBean<XssFilter> filterRegistrationBean = new FilterRegistrationBean<XssFilter>();
filterRegistrationBean.setFilter(new XssFilter());
filterRegistrationBean.setOrder(1);
filterRegistrationBean.setEnabled(true);
filterRegistrationBean.addUrlPatterns("/*");
Map<String, String> initParameters = Maps.newHashMap();
initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");
//isIncludeRichText设置富文本内容是否需要过滤
initParameters.put("isIncludeRichText", "true");
filterRegistrationBean.setInitParameters(initParameters);
return filterRegistrationBean;
}
}
注意: XssHttpServletRequestWrapper 修饰类中的 checkXSSAndSql() 方法是对请求参数的具体检查,可自行定义正则条件。