Author: Anonymous

JSP / Spring Boot / Spring Cloud: Preventing XSS with a Filter

Anonymous, 2019-04-25

I. Introduction

XSS (Cross-Site Scripting)

Cross Site Scripting is abbreviated XSS rather than CSS so that it is not confused with Cascading Style Sheets. An attacker inserts malicious script code into a Web page; when a user browses that page, the script embedded in it is executed in the user's browser, which is how the attacker reaches the user.

II. Approach

Intercept requests in a filter and replace special characters with their HTML escape sequences (for example, "<" becomes "&lt;"). The points that need to be intercepted are:

  • request headers (requestHeader)
  • request body (requestBody)
  • request parameters (requestParameter)

III. Implementation

1. Create the XssHttpServletRequestWrapper class

Wherever request headers and request parameters are read, the target value is escaped into HTML entities with HtmlUtils.htmlEscape, so that malicious code never takes part in the subsequent processing.

package com.egridcloud.udf.core.xss;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.web.util.HtmlUtils;

/**
 * Wraps the incoming request and HTML-escapes headers and parameters as they are read.
 * Note: getHeaders() and getParameterMap() are not overridden, so code that reads
 * through those methods still sees the raw values.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        // An absent header is null; guard before escaping.
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        // An absent parameter is null; guard before escaping.
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values != null) {
            int length = values.length;
            String[] escapedValues = new String[length];
            for (int i = 0; i < length; i++) {
                escapedValues[i] = HtmlUtils.htmlEscape(values[i]);
            }
            return escapedValues;
        }
        return null;
    }
}

2. Create the XssStringJsonSerializer class

Next, anywhere JSON conversion takes place, such as the requestBody and responseBody, the same escaping is needed.

package com.egridcloud.udf.core.xss;

import java.io.IOException;
import org.springframework.web.util.HtmlUtils;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;

/** HTML-escapes every String value Jackson writes, so only escaped text reaches the JSON output. */
public class XssStringJsonSerializer extends JsonSerializer<String> {

    @Override
    public Class<String> handledType() {
        // Lets SimpleModule.addSerializer(serializer) register this class for String without an explicit type.
        return String.class;
    }

    @Override
    public void serialize(String value, JsonGenerator jsonGenerator,
            SerializerProvider serializerProvider) throws IOException {
        if (value != null) {
            String encodedValue = HtmlUtils.htmlEscape(value);
            jsonGenerator.writeString(encodedValue);
        }
    }
}

3. Create the bean

In the startup class, create an XssObjectMapper bean that replaces Spring Boot's default ObjectMapper instance and is used for JSON conversion throughout the system.

@Bean
@Primary
public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
    // Build a JSON mapper from Spring Boot's configured builder (not an XML mapper)
    ObjectMapper objectMapper = builder.createXmlMapper(false).build();
    // Register the XSS-escaping String serializer
    SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
    xssModule.addSerializer(new XssStringJsonSerializer());
    objectMapper.registerModule(xssModule);
    // Return the mapper; @Primary makes it the instance Spring Boot injects everywhere
    return objectMapper;
}
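The XssStringJsonSerializer above runs only when Jackson writes JSON, so it covers the response body; a JSON request body bound through @RequestBody goes through deserialization instead and needs a matching JsonDeserializer<String>. The following class is an added example, not code from the original post; the CommentRequest DTO and the sample body are constructed for illustration.

```java
package com.egridcloud.udf.core.xss;

import java.io.IOException;
import org.springframework.web.util.HtmlUtils;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

/** HTML-escapes every String field while Jackson reads a JSON request body. */
public class XssStringJsonDeserializer extends JsonDeserializer<String> {

    @Override
    public String deserialize(JsonParser parser, DeserializationContext context) throws IOException {
        String value = parser.getValueAsString();
        // A JSON null (or a non-scalar token) yields null; do not pass it to htmlEscape.
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    /** Hypothetical request DTO, used only to exercise the deserializer. */
    public static class CommentRequest {
        public String author;
        public String text;
    }

    public static void main(String[] args) throws IOException {
        // Register the deserializer the same way the serializer is registered in the bean above.
        SimpleModule xssModule = new SimpleModule("XssStringJsonDeserializer");
        xssModule.addDeserializer(String.class, new XssStringJsonDeserializer());
        ObjectMapper mapper = new ObjectMapper().registerModule(xssModule);

        // Constructed sample body containing the kind of markup the filter is meant to neutralise.
        String body = "{\"author\":\"mallory\",\"text\":\"<script>alert(1)</script>\"}";
        CommentRequest request = mapper.readValue(body, CommentRequest.class);

        // Both fields now hold escaped text; angle brackets have become &lt; and &gt;.
        System.out.println(request.author);
        System.out.println(request.text);
    }
}
```

Adding `xssModule.addDeserializer(String.class, new XssStringJsonDeserializer())` to the xssModule in the xssObjectMapper bean applies this to every @RequestBody handled by the Jackson message converter.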

4. Create the XssFilter

First, intercept all requests. Then, in the doFilter method, cast the ServletRequest to HttpServletRequest, wrap it in an XssHttpServletRequestWrapper, and pass the wrapper down the filter chain.

package com.egridcloud.udf.core.xss;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Wraps every request so downstream code reads escaped headers and parameters. */
// "/*" matches every request, as described above. Spring Boot registers @WebFilter
// classes only when the application class carries @ServletComponentScan.
@WebFilter(filterName = "xssFilter", urlPatterns = "/*")
public class XssFilter implements Filter {

    private static final Logger LOGGER = LoggerFactory.getLogger(XssFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.debug("(XssFilter) initialize");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        XssHttpServletRequestWrapper xssRequest =
                new XssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {
        LOGGER.debug("(XssFilter) destroy");
    }
}

IV. Conclusion

Although this article implements the idea on Spring Boot, the approach is the same everywhere and is not tied to any particular framework.

Thanks for reading; I hope this helps, and thank you all for supporting this site.

Author: Anonymous. Title: JSP / Spring Boot / Spring Cloud: Preventing XSS with a Filter. Original URL: https://www.vfjianzhan.com/java/201904/2837.html, published 2019-04-25.