Java防止XSS攻击
方法一:转义存储:添加XssFilter
1.在web.xml添加过滤器:
<!-- 解决xss漏洞 -->
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>XXXXXX.XssFilter</filter-class>
</filter>
<!-- 解决xss漏洞 -->
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
2.添加XssFilter
public class XssFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
//使用包装器
XssFilterWrapper xssFilterWrapper=new XssFilterWrapper((HttpServletRequest) servletRequest);
filterChain.doFilter(xssFilterWrapper,servletResponse);
}
@Override
public void destroy() {
}
}
3、添加 XssFilterWrapper.java类
public class XssFilterWrapper extends HttpServletRequestWrapper {
public XssFilterWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String getHeader(String name) {
return StringEscapeUtils.escapeHtml4(super.getHeader(name));
}
@Override
public String getQueryString() {
return StringEscapeUtils.escapeHtml4(super.getQueryString());
}
@Override
public String getParameter(String name) {
return StringEscapeUtils.escapeHtml4(super.getParameter(name));
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if(values != null) {
int length = values.length;
String[] escapseValues = new String[length];
for(int i = 0; i < length; i++){
escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
}
return escapseValues;
}
return super.getParameterValues(name);
}
}
自此,即能实现,
假如在网站的文本框输入<script>alert("OK");</script>,
提交到数据库后保存的数据为:&lt;script&gt;alert(&quot;OK&quot;);&lt;/script&gt;
二、
1.添加XssFilter ,(同上)
2..添加XssHttpServletRequestWrapper.java类
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
/**
* Constructs a request object wrapping the given request.
*
* @param request The request to wrap
* @throws IllegalArgumentException if the request is null
*/
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if(StringUtils.isEmpty(value)){
return value;
}
else{
return cleanXSS(value);
}
}
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if(StringUtils.isEmpty(value)){
return value;
}
else{
return cleanXSS(value);
}
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (values != null) {
int length = values.length;
String[] escapseValues = new String[length];
for (int i = 0; i < length; i++) {
escapseValues[i] = cleanXSS(values[i]);
}
return escapseValues;
}
return super.getParameterValues(name);
}
@Override
public ServletInputStream getInputStream() throws IOException {
String str=getRequestBody(super.getInputStream());
Map<String,Object> map= JSON.parseObject(str,Map.class);
Map<String,Object> resultMap=new HashMap<>();
for(String key:map.keySet()){
Object val=map.get(key);
if(map.get(key) instanceof String){
resultMap.put(key,cleanXSS(val.toString()));
}
else{
resultMap.put(key,val);
}
}
str=JSON.toJSONString(resultMap);
final ByteArrayInputStream bais = new ByteArrayInputStream(str.getBytes());
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener listener) {
}
};
}
private String getRequestBody(InputStream stream) {
String line = "";
StringBuilder body = new StringBuilder();
int counter = 0;
// 读取POST提交的数据内容
BufferedReader reader = new BufferedReader(new InputStreamReader(stream, Charset.forName("UTF-8")));
try {
while ((line = reader.readLine()) != null) {
body.append(line);
counter++;
}
} catch (IOException e) {
e.printStackTrace();
}
return body.toString();
}
private String cleanXSS(String value) {
if(StringUtils.isEmpty(value)){
return value;
}
else{
if (value != null) {
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src="http://www.yihaomen.com/article/java/..." type of expression
// 会误伤百度富文本编辑器
// scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
// value = scriptPattern.matcher(value).replaceAll("");
// scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
// value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
}
return value;
}
}
}
两种方法,原理一致只是写法不一样,
第二种写法保存到数据库为:scriptalert("OK");/script
Java防止XSS攻击的更多相关文章
- java 防止xss攻击
http://blog.csdn.net/zhengbo0/article/details/40507519 http://blog.csdn.net/ghsau/article/details/17 ...
- 360[警告]跨站脚本攻击漏洞/java web利用Filter防止XSS/Spring MVC防止XSS攻击
就以这张图片作为开篇和问题引入吧 <options>问题解决办法请参考上一篇 如何获取360站长邀请码,360网站安全站长邀请码 首先360能够提供一个这样平台去检测还是不错的.但是当体检 ...
- 记一次JAVA WEB项目解决XSS攻击的办法(亲测有效)
什么是XSS攻击 简单来说,XSS 攻击是页面被注入了恶意的代码,度娘一大堆的东西,不想说 系统架构主要是SSM框架,服务层另外使用了DubboX. 为啥说这个,因为SpringMVC对于Xss攻 ...
- java防范跨站脚本攻击(XSS)
网络中心提示网站有数目众多的跨站脚本攻击(XSS)漏洞,经过查看代码,认为是JSP中绑定变量是未经处理直接写入的,而且整个项目中这样的做法太多,因为是多年前的,不好一个个更改,参照网上资料,通过加fi ...
- Java Web使用过滤器防止Xss攻击,解决Xss漏洞
转: Java Web使用过滤器防止Xss攻击,解决Xss漏洞 2018年11月11日 10:41:27 我欲乘风,直上九天 阅读数:2687 版权声明:本文为博主原创文章,转载请注明出处!有时候 ...
- java 拦截器解决xss攻击
一.xss攻击 XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序.这些恶意网页程序通常是JavaScript,但实际上也 ...
- Java应对Flash XSS攻击
问题引出: 今天公司派出安全任务,说是要解决一个Flash XSS攻击,一看顿时傻眼,都没听说过.而且flash已经淘汰了,根本没研究过flash,搜了资料才开始慢慢开始工作. 要求: 1.过滤URL ...
- XSS攻击及防御
XSS又称CSS,全称Cross SiteScript,跨站脚本攻击,是Web程序中常见的漏洞,XSS属于被动式且用于客户端的攻击方式,所以容易被忽略其危害性.其原理是攻击者向有XSS漏洞的网站中输入 ...
- XSS攻击的解决方法
在我上一篇<前端安全之XSS攻击>文中,并没有把XSS攻击的解决办法说完整,而XSS的攻击又那么五花八门,有没有一招“独孤九剑”能够抗衡,毕竟那么多情况场景,开发人员无法一一照顾过来,而今 ...
随机推荐
- 认识多渲染目标(Multiple Render Targets)技术【转】
http://www.cnblogs.com/hellohuan/archive/2008/12/01/1345359.html 首先,渲染到纹理是D3D中的一项高级技术.一方面,它很简单,另一方面它 ...
- HTML5的测试总结
HTML5其实也是web的一种,所以基本的web测试的一些重点,HTML5上都要过一遍,不过也有其特殊之处. [需求设计测试] 需求是否合理.是否有更好的实现方法或者功能的遗漏,以及原型图测试,包括用 ...
- 【Docker】Docker管理平台 Rancher ---- 你应该学学Rancher是怎么做容器的管理的
Elasticsearch is a Lucene-based search engine developed by the open-source vendor, elastic. With pri ...
- 用PHP上传文件时$_FILES中error返回值详解
用PHP上传文件时,我们会用程序去监听浏览器发送过来的文件信息,首先会通 过$_FILES[fieldName]['error']的不同数值来判断此欲上传的文件状态是否正常.$_FILES[field ...
- 2017.10.13 unable to open debugger port(127.0.0.1:10308)
参考来自:http://blog.csdn.net/qq_34360219/article/details/76169653 1.场景 突然间IDEA就跑不起项目了,报了如下的错误:unable to ...
- first core data
// // TableViewController.swift // TestCoreData // // import CoreData import UIKit class TableViewCo ...
- (八)Thymeleaf的 th:* 属性之—— 模板布局& th:with& 属性优先级
3.7 模板布局 模板名称:layout.html 3.7.1 th:fragment e.g.模板名为footer.html页面body部分如下: <body> <div th:f ...
- Iterating elements using NightWatchJS
1) used the following strategy to iterate over DOM elements using Nightwatch: // Executing a functio ...
- 转:HTTP协议--- multipart/form-data请求分析
转自:http://blog.csdn.net/five3/article/details/7181521 首先来了解什么是multipart/form-data请求: 根据http/1.1 rfc ...
- samba基本配置
安装启动不用说了 vim /etc/samba/smb.conf workgroup = WORKGROUP server string = Samba Server %vnetbios name = ...