1. 跨站点脚本编制（XSS）
解决办法：增加一个过滤类（Filter），并在 web.xml 中进行配置
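/**
 * Servlet filter that rejects requests whose parameters contain characters or
 * keywords commonly used in script injection, before the request reaches the
 * action that handles it.
 *
 * <p>This is a keyword deny-list applied to request parameters only: headers,
 * cookies, multipart and JSON bodies are not inspected, and a deny-list cannot
 * cover every encoding a browser accepts. It reduces exposure but does not
 * replace context-aware output encoding in the views.
 */
public class XssEscapeFilter implements Filter {

    /**
     * Substrings that cause a request to be rejected; matched case-insensitively.
     * The original list also contained "" (which matches every non-empty string,
     * so every request was rejected) and the misspelling "oload"; both fixed here.
     */
    private static final String[] INJECT_PATTERNS = {
        "script", "mid", "master", "truncate", "insert", "select", "delete",
        "update", "declare", "iframe", "'", "onreadystatechange", "alert",
        "atestu", "\"", "<", ">", "(", ")", "\\", "svg", "confirm", "prompt",
        "onload", "onmouseover", "onfocus", "onerror", "eval"
    };

    public XssEscapeFilter() {
    }

    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        // Nothing is read from the config; the characterEncoding init-param
        // declared in web.xml is not used by this filter.
    }

    @Override
    public void destroy() {
    }

    /**
     * Checks every value of every request parameter and redirects to the error
     * page when one matches a deny-listed pattern; otherwise passes the request
     * down the filter chain.
     *
     * @param request  the incoming request, cast to {@link HttpServletRequest}
     * @param response the outgoing response, cast to {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      if the redirect cannot be written
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        Enumeration<?> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            // getParameterValues rather than getParameter: a repeated parameter
            // would otherwise only have its first value inspected.
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (checkSQLInject(value)) {
                    // Leading slash: getContextPath() never ends with one.
                    resp.sendRedirect(req.getContextPath() + "/error.jsp");
                    // Must stop here; continuing into chain.doFilter would run
                    // the rejected request anyway and write to a committed response.
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} when {@code str} contains any deny-listed pattern,
     * ignoring case. {@code null} and the empty string never match.
     *
     * @param str the parameter value to inspect, may be {@code null}
     * @return whether a deny-listed substring was found
     */
    public static boolean checkSQLInject(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        // Locale.ROOT: a locale-sensitive lower-casing (e.g. Turkish dotless i)
        // would let mixed-case input slip past the list.
        String lower = str.toLowerCase(java.util.Locale.ROOT);
        for (String pattern : INJECT_PATTERNS) {
            if (lower.indexOf(pattern) >= 0) {
                return true;
            }
        }
        return false;
    }
}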
web.xml 中的配置
<!-- XssEscapeFilter: deny-list check on request parameters.
     The characterEncoding init-param is declared here but the filter's
     init() body is empty, so it is never read. -->
<filter>
<display-name>XssEscapeFilter</display-name>
<filter-name>XssEscapeFilter</filter-name>
<filter-class>com.zcl.xss.XssEscapeFilter</filter-class>
<init-param>
<param-name>characterEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<!-- Only paths ending in .action pass through the filter; any other
     mapped path (JSPs, other servlets) is not inspected. -->
<filter-mapping>
<filter-name>XssEscapeFilter</filter-name>
<url-pattern>*.action</url-pattern>
</filter-mapping>
2. 跨站点请求伪造（CSRF）
解决办法：增加 RefererFilter，校验请求 Referer 头中的来源主机是否与本站一致，代码如下：
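/**
 * Servlet filter that forwards to the error page any request whose
 * {@code Referer} header names a host other than the one serving the request.
 *
 * <p>Requests without a {@code Referer} are allowed through unchanged, as in
 * the original check, so a client that omits or strips the header is not
 * blocked. For state-changing requests the {@code Origin} header and a
 * per-session token are the stronger checks.
 *
 * <p>A filter is not a servlet; the previous {@code extends HttpServlet} was
 * unused and has been dropped.
 */
public class ReferFilter implements Filter {

    private FilterConfig filterConfig;

    /**
     * Compares the {@code Referer} host with the server name and either
     * forwards to {@code error.jsp} or continues the chain.
     *
     * @param req   the incoming request, cast to {@link HttpServletRequest}
     * @param res   the outgoing response, cast to {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException      propagated from the forward or the chain
     * @throws ServletException propagated from the forward or the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String referer = request.getHeader("referer");
        if (referer != null && !refererMatchesServer(referer, request.getServerName())) {
            request.getRequestDispatcher("error.jsp").forward(request, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /**
     * Returns {@code true} when the host component of {@code referer} equals
     * {@code serverName}, ignoring case.
     *
     * <p>The host is taken from the parsed URI rather than by skipping a fixed
     * seven characters (which mishandled {@code https://} and userinfo), and it
     * is compared for equality rather than with {@code contains}: a substring
     * test accepts any host that merely embeds the server name, such as
     * {@code example.com.attacker.test} for {@code example.com}.
     *
     * @param referer    the raw Referer header value, not {@code null}
     * @param serverName the server name of the current request
     * @return whether the referer host is exactly this server
     */
    static boolean refererMatchesServer(String referer, String serverName) {
        String host;
        try {
            host = new java.net.URI(referer).getHost();
        } catch (java.net.URISyntaxException e) {
            // An unparseable Referer is treated as foreign.
            return false;
        }
        return host != null && serverName != null && host.equalsIgnoreCase(serverName);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}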
web.xml 中的配置
<!-- ReferFilter: Referer-host check against the serving host.
     The characterEncoding init-param is declared but the filter only stores
     the FilterConfig in init() and never reads this value. -->
<filter>
<display-name>ReferFilter</display-name>
<filter-name>ReferFilter</filter-name>
<filter-class>com.zcl.xss.ReferFilter</filter-class>
<init-param>
<param-name>characterEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<!-- Only paths ending in .action are checked; state-changing requests on
     any other path are not covered by this mapping. -->
<filter-mapping>
<filter-name>ReferFilter</filter-name>
<url-pattern>*.action</url-pattern>
</filter-mapping>
3. 已解密的登录请求（即登录请求未经加密传输）
解决办法：使用 AES 对登录请求在前后端进行加解密。需注意：前端持有的密钥对客户端是可见的，这只能增加读取难度，不能替代 HTTPS 的传输层加密。
4. 登录错误消息凭证枚举（通过不同的错误提示可判断用户名是否存在）
解决办法：用户名不存在与密码错误返回统一的提示消息（如"用户名或密码错误"）