360[警告]跨站脚本攻击漏洞/java web利用Filter防止XSS/Spring MVC防止XSS攻击
就以这张图片做为开篇和问题引入吧javascript
<options>问题解决办法请参考上一篇php
如何获取360站长邀请码,360网站安全站长邀请码html
首先360可以提供一个这样平台去检测仍是不错的。可是当体检出来 看到漏洞报告,觉得360会像windows上360安全卫士同样帮咱们打好补丁。可是实际发现漏洞是要本身修复,而且php和asp aspx有360提供的补丁或者解决方案(想要看这些方案以前要申请为站长可是须要邀请码 这个能够在页面 页面左下角 360主机卫士感恩卡里面领取)。java
进入修复方案后发现java几乎没有提供一些建议,只能本身处理。开始使用搜索引擎搜索 java防止xss攻击代码。linux
http://www.yihaomen.com/article/java/409.htmweb
查到了这个方案spring
. 能够采用spring 里面提供的工具类来实现.
一, 第一种方法。shell
public class XSSFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response); } }
再实现 ServletRequest 的包装类windows
import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; public class XSSRequestWrapper extends HttpServletRequestWrapper { public XSSRequestWrapper(HttpServletRequest servletRequest) { super(servletRequest); } @Override public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = stripXSS(values[i]); } return encodedValues; } @Override public String getParameter(String parameter) { String value = super.getParameter(parameter); return stripXSS(value); } @Override public String getHeader(String name) { String value = super.getHeader(name); return stripXSS(value); } private String stripXSS(String value) { if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters value = value.replaceAll("", ""); // Avoid anything between script tags Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid anything in a src='...' type of expression scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome </script> tag scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid expression(...) expressions scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid onload= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); } return value; } }
还须要到web.xml里面配置安全
<filter> <filter-name>XSSFilter</filter-name> <filter-class>com.shanheyongmu.XSSFilter</filter-class> </filter> <filter-mapping> <filter-name>XSSFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
放上去以后 出现了 Java.lang.UnsupportedClassVersionError仍是classnotfound 项目跑起来就是首页404。 而后考虑了下linux环境是jdk 1.6而编译的都是maven3.3.0之后版本以及使用的jdk 1.7 版本问题(版本切换步骤能够参考【maven学习总结】里面的execption ,版本以前工做中遇到过因此有印象) 从新换jdk和eclipse设置jdk都是1.6以后编译。不报错了shell上,可是用360快速检测我已修复,仍是存在漏洞。因而继续百度
http://www.what21.com/programming/java/javaweb-summary/xss3.html 发现了不一样的XssFilter写法,尝试以后仍是失败。
https://my.oschina.net/wanglu/blog/267069 Springmvc安全 ,尝试以后失败,固然有些人视图解析器不一样 无加spring 的form标签 没法尝试。
http://www.cnblogs.com/Mainz/archive/2012/11/01/2749874.html 来到了本篇 本篇有3种解决方法
第二种方法
web.xml加上:
<context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param>
Forms加上:不少人对forms究竟是哪里不理解你能够 加在<form>标签以前 或者body以前
<spring:htmlEscape defaultHtmlEscape="true" />
由于是线上项目因此没法采用如下标签 https://my.oschina.net/wanglu/blog/267069
也就是spring的标签
<form:input path="someFormField" htmlEscape="true" />
可是<spring:htmlEscape defaultHtmlEscape="true" />在jsp视图解析中仍是能够的,而且这个添加方法 能够不改变原有项目。
所有部署完成后,遗憾的是仍是体检有原有漏洞。
从这篇获得了答案 而且修复了 http://huangpengpeng.iteye.com/blog/2091798
<!--@分隔 --> <filter> <filter-name>xssFilter</filter-name> <filter-class>com.yoro.core.web.XssFilter</filter-class> <init-param> <param-name>SplitChar</param-name> <param-value>@</param-value> </init-param> <init-param> <param-name>FilterChar</param-name> <param-value>>@<@\'@\"@\\@#@(@)</param-value> </init-param> <init-param> <param-name>ReplaceChar</param-name> <param-value>>'@<@‘@“@\@#@(@)</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
package com.yoro.core.web; /** * @author zoro */ import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class XssFilter implements Filter { private String filterChar; private String replaceChar; private String splitChar; FilterConfig filterConfig = null; public void init(FilterConfig filterConfig) throws ServletException { this.filterChar=filterConfig.getInitParameter("FilterChar"); this.replaceChar=filterConfig.getInitParameter("ReplaceChar"); this.splitChar=filterConfig.getInitParameter("SplitChar"); this.filterConfig = filterConfig; } public void destroy() { this.filterConfig = null; } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request,filterChar,replaceChar,splitChar), response); } }
package com.yoro.core.web; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; /** * @author zoro */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { private String[]filterChars; private String[]replaceChars; public XssHttpServletRequestWrapper(HttpServletRequest request,String filterChar,String replaceChar,String splitChar) { super(request); if(filterChar!=null&&filterChar.length()>0){ filterChars=filterChar.split(splitChar); } if(replaceChar!=null&&replaceChar.length()>0){ replaceChars=replaceChar.split(splitChar); } } public String getQueryString() { String value = super.getQueryString(); if (value != null) { value = xssEncode(value); } return value; } /** * 覆盖getParameter方法,将参数名和参数值都作xss过滤。<br/> * 若是须要得到原始的值,则经过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也可能须要覆盖 */ public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } public String[] getParameterValues(String name) { String[]parameters=super.getParameterValues(name); if (parameters==null||parameters.length == 0) { return null; } for (int i = 0; i < parameters.length; i++) { parameters[i] = xssEncode(parameters[i]); } return parameters; } /** * 覆盖getHeader方法,将参数名和参数值都作xss过滤。<br/> * 若是须要得到原始的值,则经过super.getHeaders(name)来获取<br/> getHeaderNames 也可能须要覆盖 */ public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引发xss漏洞的半角字符直接替换成全角字符 * * @param s * @return */ private String xssEncode(String s) { if (s == null || s.equals("")) { return s; } try { s = URLDecoder.decode(s, "UTF-8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } for (int i = 0; i < filterChars.length; i++) { if(s.contains(filterChars[i])){ s=s.replace(filterChars[i], replaceChars[i]); } } return s; } }
因为尝试较多,也比较混乱,也不肯定哪一个适用各位的状况,只能多查多参考。
此处再补充一个 其余防止Xss攻击代码写法 http://www.what21.com/programming/java/javaweb-summary/xss3.html。
后来搜索到了 http://www.cnblogs.com/wangdaijun/p/5652864.html Antisamy项目实现防XSS攻击
遗憾的是配置文件很难找 我在csdn找到了antisamy.xml,你们能够基于搜索关键字 Antisamy项目实现防XSS攻击多查查 。
小弟技术菜,而且思惟通常,求大神勿喷,给予指导和共同交流进步仍是能够的。
相关文章
- 1. PHP - 防止 XSS(跨站脚本攻击)
- 2. java 防止xss攻击
- 3. 防止跨站攻击——CSRFToken
- 4. XSS跨站脚本攻击与防护
- 5. XSS跨站脚本攻击与防御
- 6. 如何防止xss攻击
- 7. Xss攻击与防止
- 8. 如何防止XSS攻击?
- 9. JavaWeb之防止XSS攻击
- 10. 【转】Laravel 防止XSS攻击
- 更多相关文章...
- • 防止使用TCP协议扫描端口 - TCP/IP教程
- • 使用TCP协议检测防火墙 - TCP/IP教程
- • Java Agent入门实战(一)-Instrumentation介绍与使用
- • Java Agent入门实战(三)-JVM Attach原理与使用
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. PHP - 防止 XSS(跨站脚本攻击)
- 2. java 防止xss攻击
- 3. 防止跨站攻击——CSRFToken
- 4. XSS跨站脚本攻击与防护
- 5. XSS跨站脚本攻击与防御
- 6. 如何防止xss攻击
- 7. Xss攻击与防止
- 8. 如何防止XSS攻击?
- 9. JavaWeb之防止XSS攻击
- 10. 【转】Laravel 防止XSS攻击