web安全与防御

一、钓鱼网站之XSS攻击原理分析

将表单提交的脚本:<script>for(var i=0;i<3;i++){alert("弹死你"+i);}</script> 中的特殊字符进行转义,禁止脚本执行。


pom.xml引入common-lang包

<dependency>
    <groupId>commons-lang</groupId>
    <artifactId>commons-lang</artifactId>
    <version>2.6</version>
</dependency>

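/**
 * XSS filter: a request wrapper that HTML-escapes parameter values before
 * they reach the controller, so submitted markup such as a script tag is
 * rendered as text instead of being interpreted by the browser.
 * Created by yz on 2018/4/9.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        // HttpServletRequestWrapper already keeps the wrapped request; no private copy needed.
        super(request);
    }

    /**
     * Returns the named parameter with HTML special characters escaped.
     * Caveat: commons-lang 2.x escapeHtml escapes &lt; &gt; &amp; and the double quote but
     * not the single quote, so a value placed inside a single-quoted attribute still needs
     * attribute-context encoding at output time.
     * @param name parameter name
     * @return the escaped value, or the original null/empty value when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /**
     * Escapes every value of a multi-valued parameter. Framework parameter binding
     * commonly reads values through this method rather than getParameter, so leaving
     * it unwrapped would let raw values bypass the filter.
     * @param name parameter name
     * @return a new array of escaped values, or null when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }

    /**
     * Applies the HTML escaping to a single value; null/empty values are returned unchanged.
     * The before/after output is demo logging only and should not be kept in production.
     */
    private static String escape(String value) {
        if (StringUtils.isEmpty(value)) {
            return value;
        }
        System.out.println("转换前 value:" + value);
        String escaped = StringEscapeUtils.escapeHtml(value);
        System.out.println("转换后 value:" + escaped);
        return escaped;
    }
}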
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

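/**
 * Servlet filter that wraps each HTTP request in XssHttpServletRequestWrapper so
 * that parameter values are HTML-escaped before any controller reads them.
 * Registered as a @Component, so it applies to every request of the application.
 * Created by yz on 2018/4/9.
 */
@Component
public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("初始化方法...");
    }

    /**
     * Wraps HTTP requests before passing them down the chain. A request that is
     * not an HttpServletRequest is passed through untouched instead of failing
     * with a ClassCastException from an unchecked cast.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("正常拦截请求...");
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            filterChain.doFilter(new XssHttpServletRequestWrapper(req), response);
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /**
     * Called once when the filter is taken out of service.
     */
    @Override
    public void destroy() {
        System.out.println("销毁请求...");
    }
}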
/**
 * Demo controller: echoes the submitted "name" parameter back through the index view.
 * Created by yz on 2018/4/9.
 */
@Controller
public class IndexController {

    /**
     * Reads the "name" request parameter (HTML-escaped on the way in if XssFilter is
     * active) and exposes it to the "index" view under the same key.
     * @param request the current request
     * @return the "index" view with the "name" model attribute set
     */
    @RequestMapping("/index")
    public ModelAndView index(HttpServletRequest request){
        ModelAndView mav = new ModelAndView("index");
        String submittedName = request.getParameter("name");
        System.out.println(submittedName);
        mav.addObject("name", submittedName);
        return mav;
    }
}

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

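/**
 * Spring Boot entry point.
 * Created by yz on 2018/4/9.
 */
@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        // Forward the command-line arguments so properties such as --server.port are honoured.
        SpringApplication.run(Application.class, args);
    }
}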

index.jsp

<%@ page contentType="text/html; charset=UTF-8" language="java"%>
<%-- Demo page: posts the "name" field to /index and echoes the value back below. --%>
<html>
<body>
<h2>Hello World!</h2>
<form name="form" method="post" action="<%=request.getContextPath() %>/index">
    <input type="text" name="name">
    <input type="submit" name="submit" value="提交">
</form>
<%-- EL does not HTML-escape ${name} by itself; this output is safe only because
     XssFilter escaped the parameter on input. Output-side encoding (e.g. JSTL <c:out>)
     would protect the page even when the filter is not mapped to this request. --%>
name:${name}

<h3>我是A页面</h3>
<img alt="" src="/log.png">
</body>
</html>



二、web安全之图片防盗链


三、表单操作数据库SQL注入



转载自blog.csdn.net/yz2015/article/details/79859889