请移步我的这篇博客:
xss漏洞攻击,Filter实现xss漏洞_zlxls的博客-CSDN博客
该文章主要使用Filter针对Xss攻击,sql注入,服务器访问白名单,以及csrf进行安全校验
1,主要实现的是三大块功能:Xss攻击,sql注入,服务器白名单,以及csrf
2,此Filter为真实项目部署,在XssHttpServletRequestWrapper.java文件中的cleanSqlKeyWords方法为具体的Xss拦截逻辑,可根根据自己的需要进行完善
3,服务器白名单为单独的一个工具包,在文章最后给出
4,文章开发环境为JDK1.8,使用SpringBoot框架进行开发
5,文章会分享出整个Filter文件包,包含四个java文件:
5.1,public class CrosXssFilter implements Filter
5.2,public class CrosXssFilterConfig implements WebMvcConfigurer
5.3,public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter
5.4,public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
6,服务器白名单校验的java文件:
6.1,public class ServerWhiteListUtil
主要类:XssHttpServletRequestWrapper 文件
package com.fc.test.common.filter;
import com.fc.test.common.exception.LllegalStringExtension;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
/**
* 防止sql注入,xss攻击
* 前端可以对输入信息做预处理,后端也可以做处理。
* @author zlxls
* @date 2020年05月18日
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private final Logger log = LoggerFactory.getLogger(getClass());
//private static String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+";
private static String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|or|>|<|eval|javascript:|script|union|</";
private static Set<String> notAllowedKeyWords = new HashSet<String>(0);
private static String replacedString="INVALID";
static {
String keyStr[] = key.split("\\|");
for (String str : keyStr) {
notAllowedKeyWords.add(str);
}
}
private String currentUrl;
public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
currentUrl = servletRequest.getRequestURI();
}
/**覆盖getParameter方法,将参数名和参数值都做xss过滤。
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
return cleanXSS(value);
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
@Override
public Map<String, String[]> getParameterMap(){
Map<String, String[]> values=super.getParameterMap();
if (values == null) {
return null;
}
Map<String, String[]> result=new HashMap<>();
for(String key:values.keySet()){
//System.out.println("这是getParameterMap的Key:"+key);
//String encodedKey=cleanXSS(key);//这个是前端传来的键值,不建议进行cleanXSS
String encodedKey=key;
int count=values.get(key).length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++){
encodedValues[i]=cleanXSS(values.get(key)[i]);
}
result.put(encodedKey,encodedValues);
}
return result;
}
/**
* 覆盖getHeader方法,将参数名和参数值都做xss过滤。
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取
* getHeaderNames 也可能需要覆盖
*/
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null) {
return null;
}
return cleanXSS(value);
}
private String cleanXSS(String valueP) {
// You'll need to remove the spaces from the html entities below
/*String value = valueP.replaceAll("<", "<");
value = value.replaceAll("", ">");
//value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
//value = value.replaceAll("'", "& #39;");
value = value.replaceAll("", "");
value = value.replaceAll("[\\\"\\\'][\\s]*(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("", "");
value = value.replaceAll("", "");
value = value.replaceAll("", "");
value = value.replaceAll("", "");*/
return cleanSqlKeyWords(valueP);
}
private String cleanSqlKeyWords(String value) {
if("password".equals(value)){
return value;
}
String paramValue = value;
for (String keyword : notAllowedKeyWords) {
String v= value.toLowerCase();
if(value.toLowerCase().indexOf(keyword)>=0){
//if (v.length() > keyword.length() + 4 && (v.contains(" "+keyword)||v.contains(keyword+" ")||v.contains(" "+keyword+" "))) {
//paramValue = StringUtils.replace(paramValue, keyword, replacedString);
paramValue = "";
log.error("sql注入:"+this.currentUrl + "已被过滤,因为参数中包含不允许sql的关键词(" + keyword+ ")"+";参数:"+value+";过滤后的参数:"+paramValue);
throw new LllegalStringExtension();
}
}
return paramValue;
}
}