XSS是一种经常出现在web应用中的计算机安全漏洞,它允许恶意web用户将代码植入到提供给其它用户使用的页面中。比如这些代码包括HTML代码和客户端脚本。攻击者利用XSS漏洞旁路掉访问控制——例如同源策略(same origin policy)。这种类型的漏洞由于被黑客用来编写危害性更大的网络钓鱼(Phishing)攻击而变得广为人知。对于跨站脚本攻击,黑客界共识是:跨站脚本攻击是新型的“缓冲区溢出攻击“,而JavaScript是新型的“ShellCode”。
防XSS攻击
输入时的过滤是用一个filter来实现。
实现过程:
在web.xml加一个filter
<filter><filter-name>XssEscape</filter-name>
<filter-class>cn.pconline.morden.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssEscape</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
在Spring-mvc.xml中添加如下配置:
<!-- 7.配置拦截器 -->
<mvc:interceptors>
<!-- 登录拦截器 -->
<mvc:interceptor>
<!-- 设置拦截路径,拦截所有的controller和资源,排除下面设置的资源 -->
<mvc:mapping path="/**"/>
<!-- 排除静态资源,对静态资源不做拦截 -->
<mvc:exclude-mapping path="/css/**"/>
<mvc:exclude-mapping path="/fonts/**"/>
<mvc:exclude-mapping path="/images/**"/>
<mvc:exclude-mapping path="/js/**"/>
<!-- 排除登录操作和获取验证码操作,对此类操作不做拦截 -->
<mvc:exclude-mapping path="/captcha"/>
<mvc:exclude-mapping path="/login"/>
<mvc:exclude-mapping path="/login.jsp"/>
<!-- 拦截器实现类 -->
<bean class="com.zyt.article.interceptor.LoginInterceptor" />
</mvc:interceptor>
</mvc:interceptors>
实现类:
/**
* 登录拦截器
* @author
*
*/
public class LoginInterceptor extends HandlerInterceptorAdapter{
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
if(request.getSession().getAttribute("user")!=null){
return true;
}else{
response.setContentType("text/html; charset=UTF-8");
PrintWriter out = response.getWriter();
out.println("<script>");
out.println("window.parent.location='" + request.getContextPath() + "/login.jsp'");
out.println("</script>");
return false;
}
}
}
XssFilter 的实现方式是实现servlet的Filter接口
package cn.pconline.morden.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
}
@Override
public void destroy() {
}
}
关键是XssHttpServletRequestWrapper的实现方式,继承servlet的HttpServletRequestWrapper,并重写相应的几个有可能带xss攻击的方法,如:
package cn.pconline.morden.filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String getHeader(String name) {
return StringEscapeUtils.escapeHtml4(super.getHeader(name));
}
@Override
public String getQueryString() {
return StringEscapeUtils.escapeHtml4(super.getQueryString());
}
@Override
public String getParameter(String name) {
return StringEscapeUtils.escapeHtml4(super.getParameter(name));
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if(values != null) {
int length = values.length;
String[] escapseValues = new String[length];
for(int i = 0; i < length; i++){
escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
}
return escapseValues;
}
return super.getParameterValues(name);
}
}