跨站腳本攻擊(Cross Site Scripting),縮寫為XSS。惡意攻擊者往Web頁面裡插入惡意Script代碼,當使用者浏覽該頁之時,嵌入其中Web裡面的Script代碼會被執行,進而達到惡意攻擊使用者的目的。
防禦XSS攻擊
Servlet的方式
1、繼承HttpServletRequestWrapper,實作對請求參數的過濾
/**
* xss請求擴充卡
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
/**
* 對數組參數進行特殊字元過濾
*/
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
/**
* 對參數中特殊字元進行過濾
*/
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if (value == null) {
return null;
}
return cleanXSS(value);
}
/**
* 擷取attribute,特殊字元過濾
*/
@Override
public Object getAttribute(String name) {
Object value = super.getAttribute(name);
if (value != null && value instanceof String) {
cleanXSS((String) value);
}
return value;
}
/**
* 對請求頭部進行特殊字元過濾
*/
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null) {
return null;
}
return cleanXSS(value);
}
/**
* 轉義字元,使用該方法存在一定的弊端
*
* @param value
* @return
*/
private String cleanXSS2(String value) {
// 移除特殊标簽
value = value.replaceAll("<", "<").replaceAll(">", ">");
value = value.replaceAll("\\(", "(").replaceAll("\\)", ")");
value = value.replaceAll("'", "'");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
private String cleanXSS(String value) {
if (value != null) {
//推薦使用ESAPI庫來避免腳本攻擊,value = ESAPI.encoder().canonicalize(value);
// 避免空字元串
value = value.replaceAll(" ", "");
// 避免script 标簽
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免src形式的表達式
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 删除單個的 </script> 标簽
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 删除單個的<script ...> 标簽
scriptPattern = Pattern.compile("<script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 eval(...) 形式表達式
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 expression(...) 表達式
scriptPattern = Pattern.compile("expression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 javascript: 表達式
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 vbscript:表達式
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 οnlοad= 表達式
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
}
2、實作Filter,實作XSS過濾器
/**
* xss過濾器
*/
public class XssFilter implements Filter {
FilterConfig filterConfig = null;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
//對請求進行攔截,防xss處理
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
}
@Override
public void destroy() {
this.filterConfig = null;
}
}
3、注入XSS過濾器,兩種方式
第一種方式:配置web.xml
<!-- xss過濾器 -->
<filter>
<filter-name>XssSqlFilter</filter-name>
<filter-class>cn.aric.xss.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssSqlFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
第二種方式:注解
/**
* 注入Xss過濾器(注解方式)
*/
public class WebInitializer implements WebApplicationInitializer{
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
//添加監聽器
servletContext.addListener(RequestContextListener.class);
//添加過濾器
Dynamic xssFilterRegistration = servletContext.addFilter("XssFilter", XssFilter.class);
//添加映射規則
xssFilterRegistration.addMappingForUrlPatterns(
EnumSet.of(DispatcherType.REQUEST,DispatcherType.FORWARD,DispatcherType.INCLUDE),
false,
"/*");
}
}
Spring整合的方式
1、使用spring的HtmlUtils,可以使用StringEscapeUtils 中的過濾方法
/**
* 解決XSS跨站腳本攻擊和sql注入攻擊,使用spring的HtmlUtils,可以使用StringEscapeUtils 中的過濾方法
*/
public class XssSpringHttpServletRequestWrapper extends HttpServletRequestWrapper{
public XssSpringHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
/**
* 對數組參數進行特殊字元過濾
*/
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
String[] newValues = new String[values.length];
for (int i = 0; i < values.length; i++) {
//spring的HtmlUtils進行轉義
newValues[i] = HtmlUtils.htmlEscape(values[i]);
}
return newValues;
}
/**
* 攔截參數,并對其進行字元轉義
*/
@Override
public String getParameter(String name) {
return HtmlUtils.htmlEscape(name);
}
/**
* 攔截參數,并對其進行字元轉義
*/
@Override
public Object getAttribute(String name) {
return HtmlUtils.htmlEscape(name);
}
}
2、實作XSS過濾器
/**
* spring方式xss過濾器
*/
public class XssSpringFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
chain.doFilter(new XssSpringHttpServletRequestWrapper(req), response);
}
@Override
public void destroy() {
}
}
3、配置XSS過濾器
<!-- spring方式的xss過濾器 -->
<filter>
<filter-name>xssSpringFilter</filter-name>
<filter-class>cn.aric.xss.XssSpringHttpServletRequestWrapper</filter-class>
</filter>
<filter-mapping>
<filter-name>xssSpringFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>