bboss policy for preventing cross-site (XSS) attacks
An earlier post on this blog described how the bboss dynamic token mechanism easily solves duplicate form submission; this post describes how bboss prevents cross-site attacks.
The protection is implemented by extending the capabilities of the bboss character-encoding conversion filter:
com.frameworkset.common.filter.CharsetEncodingFilter
The plain character-encoding filter (without cross-site protection) is used as follows:
<filter>
    <filter-name>CharsetEncoding</filter-name>
    <filter-class>com.frameworkset.common.filter.CharsetEncodingFilter</filter-class>
    <init-param>
        <param-name>RequestEncoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>ResponseEncoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>mode</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>checkiemodeldialog</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.frame</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.page</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.freepage</url-pattern>
</filter-mapping>
Configured this way, CharsetEncodingFilter has no cross-site protection. Adding the following two init-param parameters enables it:
wallfilterrules specifies the blacklist word list, with multiple words separated by commas. As soon as any one of these words appears in a parameter value, the value is set to null (that is, the parameter is filtered out).
wallwhilelist specifies the names of parameters that are exempt from the blacklist check, with multiple names separated by commas. The application itself is responsible for the safety of whitelisted parameters: illegal characters in their values must be handled appropriately (for example, escaped for the browser) before being output to the client.
A concrete configuration example follows:
<filter>
    <filter-name>CharsetEncoding</filter-name>
    <filter-class>com.frameworkset.common.filter.CharsetEncodingFilter</filter-class>
    <init-param>
        <param-name>RequestEncoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>ResponseEncoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>mode</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>checkiemodeldialog</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>wallfilterrules</param-name>
        <param-value><![CDATA[><,%3E%3C,<iframe,%3Ciframe,<script,%3Cscript,<img,%3Cimg,alert(,alert%28,eval(,eval%28,style=,style%3D]]></param-value>
    </init-param>
    <init-param>
        <param-name>wallwhilelist</param-name>
        <param-value><![CDATA[content,fileContent]]></param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.frame</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.page</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CharsetEncoding</filter-name>
    <url-pattern>*.freepage</url-pattern>
</filter-mapping>
Once configured, you can verify that the configuration is effective with security scanning tools such as IBM AppScan and Netsparker, and adjust the wallfilterrules and wallwhilelist parameters according to the test results or your actual situation until your system is sufficiently secure.
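To make the behaviour of the two parameters concrete, here is an added model of the blacklist/whitelist logic as the post describes it, applied to a constructed request; it is illustrative code written for this page, not bboss's own implementation. It assumes that the blacklist is a case-insensitive substring match (the post only says a word has to appear in the value) and shows the escaping step the application must perform itself for whitelisted parameters.

```python
import html
from typing import Dict, List, Optional

# Values taken from the page's configuration example.
WALLFILTERRULES = ("><,%3E%3C,<iframe,%3Ciframe,<script,%3Cscript,<img,%3Cimg,"
                   "alert(,alert%28,eval(,eval%28,style=,style%3D")
WALLWHILELIST = "content,fileContent"


def parse_list(param_value: str) -> List[str]:
    """Split a comma-separated init-param value into its entries."""
    return [item.strip() for item in param_value.split(",") if item.strip()]


def is_blocked(value: str, rules: List[str]) -> bool:
    """True when any blacklist word occurs in the value.

    Assumption: case-insensitive substring test. The page says only that the
    word has to 'appear' in the value; bboss's exact comparison is not given.
    """
    lowered = value.lower()
    return any(rule.lower() in lowered for rule in rules)


def apply_wall(params: Dict[str, Optional[str]], rules: List[str],
               whitelist: List[str]) -> Dict[str, Optional[str]]:
    """Model of the filter: a value that hits a rule becomes None (the
    parameter is filtered out); whitelisted parameter names pass unchanged."""
    exempt = set(whitelist)
    out: Dict[str, Optional[str]] = {}
    for name, value in params.items():
        if value is None or name in exempt:
            out[name] = value
        else:
            out[name] = None if is_blocked(value, rules) else value
    return out


def render_whitelisted(value: str) -> str:
    """What the application must do with a whitelisted parameter before
    echoing it into HTML: escape it for the browser, as the post requires."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed request: a benign field, a field that hits a rule, and a
    # whitelisted rich-text field that reaches the application untouched.
    request = {"title": "quarterly report", "comment": "<script>hi</script>",
               "content": "<b>bold</b> & <img src=x>"}
    result = apply_wall(request, parse_list(WALLFILTERRULES), parse_list(WALLWHILELIST))
    print(result)
    print(render_whitelisted(result["content"]))
```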