xss 如何在springboot项目中进行XSS过滤

如何在springboot项目中进行XSS过滤

简单介绍

XSS : 跨站脚本攻击(Cross Site Scripting)，为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆，故将跨站脚本攻击缩写为XSS。恶意攻击者往Web页面里插入恶意html代码，当用户浏览该页之时，嵌入其中Web里面的html代码会被执行，从而达到恶意攻击用户的特殊目的。
过滤方式:主要经过对html标签进行转义的方式达到过滤的目的

话很少说,直接上代码

实现方式,共分为三步:

第一步:在springboot启动类上添加@ServletComponentScan注解,该注解会自动扫描到咱们自定义的filter(还有其余方式,这里就不赘述了,你们有兴趣的能够自行百度)

第二步:定义request的包装类,重写其中的关键方法

import com.alibaba.fastjson.JSON; import org.apache.commons.text.StringEscapeUtils; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import java.io.*; import java.nio.charset.Charset; import java.util.HashMap; import java.util.Map; /** * ServletRequest包装类,对request作XSS过滤处理 * @author Jozz */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } @Override public String getHeader(String name) { return StringEscapeUtils.escapeHtml4(super.getHeader(name)); } @Override public String getQueryString() { return StringEscapeUtils.escapeHtml4(super.getQueryString()); } @Override public String getParameter(String name) { return StringEscapeUtils.escapeHtml4(super.getParameter(name)); } @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); if(values != null) { int length = values.length; String[] escapseValues = new String[length]; for(int i = 0; i < length; i++){ escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]); } return escapseValues; } return values; } @Override public ServletInputStream getInputStream() throws IOException { String str=getRequestBody(super.getInputStream()); Map<String,Object> map= JSON.parseObject(str,Map.class); Map<String,Object> resultMap=new HashMap<>(map.size()); for(String key:map.keySet()){ Object val=map.get(key); if(map.get(key) instanceof String){ resultMap.put(key,StringEscapeUtils.escapeHtml4(val.toString())); }else{ resultMap.put(key,val); } } str=JSON.toJSONString(resultMap); final ByteArrayInputStream bais = new ByteArrayInputStream(str.getBytes()); return new ServletInputStream() { @Override public int read() throws IOException { return bais.read(); } @Override public boolean isFinished() { return false; } @Override public boolean isReady() { return false; } @Override public void setReadListener(ReadListener listener) { } }; } private String getRequestBody(InputStream stream) { String line = ""; StringBuilder body = new StringBuilder(); int counter = 0; // 读取POST提交的数据内容 BufferedReader reader = new BufferedReader(new InputStreamReader(stream, Charset.forName("UTF-8"))); try { while ((line = reader.readLine()) != null) { body.append(line); counter++; } } catch (IOException e) { e.printStackTrace(); } return body.toString(); } }

其中的StringEscapeUtils来自:

compile("org.apache.commons:commons-text:1.6")

第三步:自定义过滤器

import javax.servlet.*; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import java.io.IOException; /** * XSS过滤器 * @author Jozz */ @WebFilter(filterName="xssFilter",urlPatterns="/*") public class XssFilter implements Filter { @Override public void init(javax.servlet.FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest)servletRequest; String path = request.getServletPath(); //因为个人@WebFilter注解配置的是urlPatterns="/*"(过滤全部请求),因此这里对不须要过滤的静态资源url,做忽略处理(你们能够依照具体需求配置) String[] exclusionsUrls = {".js",".gif",".jpg",".png",".css",".ico"}; for (String str : exclusionsUrls) { if (path.contains(str)) { filterChain.doFilter(servletRequest,servletResponse); return; } } filterChain.doFilter(new XssHttpServletRequestWrapper(request),servletResponse); } @Override public void destroy() { } }