This article describes in detail the bboss cross-site attack whitelist and the cross-site scripting (XSS) firewall configuration.
First, look at a complete filter configuration:
<filter>
<filter-name>CharsetEncoding</filter-name>
<filter-class>com.frameworkset.common.filter.SessionCharsetEncodingFilter</filter-class>
<init-param>
<param-name>RequestEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>ResponseEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>checkiemodeldialog</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>refererDefender</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>refererwallwhilelist</param-name>
<param-value>*.bboss.com.cn,http://*.referer.ibm.com</param-value>
</init-param>
<init-param>
<param-name>wallfilterrules</param-name>
<param-value><![CDATA[><,%3E%3C,<iframe,%3Ciframe,<script,%3Cscript,<img,%3Cimg,alert(,alert%28,eval(,eval%28,style=,style%3D,[window['location'],{valueOf:alert},{toString:alert},[window["location"],new Function(]]>
</param-value>
</init-param>
<init-param>
<param-name>wallwhilelist</param-name>
<param-value><![CDATA[content,fileContent,extfieldvalues,questionString]]>
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>*.frame</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>*.page</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>*.freepage</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>/cxfservices/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>/jasperreport/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>/druid/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CharsetEncoding</filter-name>
<url-pattern>/Kaptcha.jpg</url-pattern>
</filter-mapping>
The cross-site attack configuration parameters involved in the filter are:
<init-param>
<param-name>refererDefender</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>refererwallwhilelist</param-name>
<param-value>*.bboss.com.cn,http://*.referer.ibm.com</param-value>
</init-param>
Parameter meanings:
refererDefender: whether the cross-site attack defense is enabled; true enables it, false disables it; it is disabled by default.
refererwallwhilelist: configures the cross-site access whitelist. Once the cross-site attack defense is enabled, the trusted domains that are allowed cross-site access must be configured in this whitelist; otherwise access from untrusted domains is refused. Whitelist rules: multiple domains are separated by commas; a domain may contain one, and only one, * wildcard, and any additional * characters are simply ignored.
The script attack configuration parameters involved in the filter are:
<init-param>
<param-name>wallfilterrules</param-name>
<param-value><![CDATA[><,%3E%3C,<iframe,%3Ciframe,<script,%3Cscript,<img,%3Cimg,alert(,alert%28,eval(,eval%28,style=,style%3D,[window['location'],{valueOf:alert},{toString:alert},[window["location"],new Function(]]>
</param-value>
</init-param>
<init-param>
<param-name>wallwhilelist</param-name>
<param-value><![CDATA[content,fileContent,extfieldvalues,questionString]]>
</param-value>
</init-param>
wallfilterrules: configures the illegal filter words for request parameters, separated by commas. If a request parameter value contains any one of these filter words, the parameter is treated as illegal and its value is cleared.
wallwhilelist: configures the list of parameter names that are exempt from the filter-word check, i.e. the parameter whitelist; multiple names are separated by commas. Parameter names in this list are not scanned against the wallfilterrules rules.
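The following is an added Python model of the two rule sets described above (the refererwallwhilelist matching and the wallfilterrules/wallwhilelist check); it is not bboss's own code, and it assumes that a pattern without a scheme is matched against the Referer host only, that a pattern with a scheme is matched against scheme://host, and that a request with no Referer is treated as untrusted.

```python
from urllib.parse import urlsplit

# Rule sets copied from the configuration above; the sample requests below are constructed.
WALL_FILTER_RULES = ["><", "%3E%3C", "<iframe", "%3Ciframe", "<script", "%3Cscript",
                     "<img", "%3Cimg", "alert(", "alert%28", "eval(", "eval%28",
                     "style=", "style%3D", "[window['location']", "{valueOf:alert}",
                     "{toString:alert}", '[window["location"]', "new Function("]
WALL_WHITELIST = {"content", "fileContent", "extfieldvalues", "questionString"}
REFERER_WHITELIST = ["*.bboss.com.cn", "http://*.referer.ibm.com"]


def wildcard_match(pattern, value):
    """Match with a single '*' wildcard; any further '*' in the pattern is
    dropped (assumed reading of 'additional * characters are ignored')."""
    first = pattern.find("*")
    if first == -1:
        return pattern == value
    head = pattern[:first]
    tail = pattern[first + 1:].replace("*", "")
    return (value.startswith(head) and value.endswith(tail)
            and len(value) >= len(head) + len(tail))


def referer_allowed(referer, whitelist=REFERER_WHITELIST):
    """Allow the request only if its Referer matches a whitelisted domain."""
    if not referer:
        return False  # assumption: a missing Referer is treated as untrusted
    parts = urlsplit(referer)
    if not parts.hostname:
        return False
    for pat in whitelist:
        # Assumption: scheme-bearing patterns compare scheme://host, others host only.
        target = f"{parts.scheme}://{parts.hostname}" if "://" in pat else parts.hostname
        if wildcard_match(pat, target):
            return True
    return False


def sanitize_params(params, rules=WALL_FILTER_RULES, whitelist=WALL_WHITELIST):
    """Clear any non-whitelisted parameter whose value contains a filter word."""
    cleaned = {}
    for name, value in params.items():
        hit = name not in whitelist and any(rule in value for rule in rules)
        cleaned[name] = "" if hit else value
    return cleaned
```

The model compares filter words case-sensitively, exactly as they are listed in the configuration; whether the bboss filter normalises case or decodes values before matching is not stated on this page, so confirm that against the actual filter.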