处理xss攻击

最新推荐文章于 2024-02-16 10:30:00 发布

大蓝鲸彭于晏

最新推荐文章于 2024-02-16 10:30:00 发布

阅读量1k

点赞数 2

文章标签： java

本文链接：https://blog.csdn.net/yeyechao/article/details/107682161

版权

前端处理方法：
function checkXSS(param){
var pattern = /<[^>]+>|alert(.*)/;
var str = “”;
$("[id=’"+ param +"’]").each(function () {
str += $(this).val();
});
if (pattern.test(str)){
$.umapMessager.alert([[#{common.hint}]], [[#{config.cvalue.validate}]]);
return true;
}
}

后端加过滤器的例子：

@PropertySource(value = {“classpath:security.properties”})
@ConfigurationProperties(prefix = “security”)
@Component
@Data
public class SecurityParam {
private String antiparam;
private String whiteparam;
}

security.properties：
#antiparam xcc/css
security.antiparam=<,>,%3c,set-cookie,src="javascript:,ProcessBuilder,alert(,expression(,function(,confirm(,prompt(,)(
security.whiteparam=<=

@WebFilter(filterName = “specialChar”, urlPatterns = {"/*"})
@Slf4j
public class AntiParamFilter implements Filter {
private String[] paramVulnerabilityFilter; //需要防护的非法关键字
private String[] whiteParams;

@Autowired
private SecurityParam securityParam;

@Override
public void destroy() {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

    HttpServletRequest req = (HttpServletRequest) request;
    String result = null;
    Map<String, String[]> params = req.getParameterMap();

    for (String key : params.keySet()) { //每个参数进行漏洞检测，当检测到一个漏洞后就停止
        String[] paramValues = params.get(key);
        if (paramValues != null && paramValues.length > 0) {
            for (String paramValue : paramValues) {
                if (existSecurityVulnerability(paramValue.toLowerCase())) {
                    result = paramValue;
                    break;
                }

            }
        }
        if (StringUtils.isNotBlank(result)) {
            break;
        }
    }

    if (StringUtils.isNotBlank(result)) {
        log.error("Maybe There is Param is Invalid");
        writeVulnerability("Param is Invalid", response);
    } else {
        chain.doFilter(request, response);
    }
}

private void writeVulnerability(String message, ServletResponse response) {
    HttpServletResponse resp = (HttpServletResponse) response;
    resp.setContentType("text/html;charset=utf8");
    resp.setCharacterEncoding("UTF-8");
    PrintWriter out;
    try {
        out = response.getWriter();
        out.println(message);
    } catch (IOException e) {
        e.printStackTrace();
    }
}


/**
 * 安全漏洞判断,若存在漏洞返回true,否则返回false
 *
 * @param paramValue 需要检测的参数值
 * @return
 */
private boolean existSecurityVulnerability(String paramValue) {
    if (null != paramVulnerabilityFilter) {
        for (String valnerKey : paramVulnerabilityFilter) {
            int index = paramValue.indexOf(valnerKey);
            if (index > -1 && (!isWhiteParam(index, paramValue))) {
                return true;
            }
        }
    }
    return false;
}

/**
 * 参数白名单格式
 *
 * @param index
 * @param paramValue
 * @return
 */
private boolean isWhiteParam(int index, String paramValue) {
    if (null != whiteParams) {
        for (String whitekey : whiteParams) {
            if (index == paramValue.indexOf(whitekey)) {
                return true;
            }
        }
    }
    return false;
}

@Override
public void init(FilterConfig arg0) throws ServletException {
    String antiparam = securityParam.getAntiparam();
    paramVulnerabilityFilter = antiparam != null ? antiparam.toLowerCase().split(",") : null;

    String whiteParam = securityParam.getWhiteparam();
    whiteParams = whiteParam != null ? whiteParam.toLowerCase().split(",") : null;
}

}