XSS cross-site scripting attacks and preventive measures

1: Cross-site scripting attacks

  • XSS stands for Cross-Site Scripting. It is the class of attack in which attacker-supplied content becomes part of an HTML document that the target site sends to its users, so that while rendering the page the user's browser executes script the site never intended to run.

Here we mainly pay attention to four points: 1. Target users of the target website; 2. Browser; 3. Unexpected; 4. Script.

2: The principle of cross-site scripting attacks

An attacker gets script into a page either by crafting a request parameter that the site reflects into its response (reflected XSS) or by submitting content that the site stores and later serves to other users (stored XSS). Because the injected script runs in the victim's browser under the site's origin, it can read whatever the page can read - session cookies not marked HttpOnly, form contents, anything fetched with the user's credentials - and act as the user.

3: Preventive measures for cross-site scripting attacks

On the application side the usual first step is a servlet filter that sanitises request parameters, shown below. Treat it as defence in depth rather than the XSS control: the primary defence is encoding every value for the context it is rendered into (HTML body, attribute, JavaScript, URL, CSS), because an input blacklist cannot anticipate every payload and encoding trick.

  • Filter configuration class
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * filter配置类
 * 
 * @author : lizhangyu
 * @date : 2020-04-21
 */
@Configuration
public class FilterConfig {

    /** Name under which the XSS filter is registered with the servlet container. */
    private static final String XSS_FILTER_NAME = "xssFilter";

    /**
     * Registers {@link XssFilter} for every request path ({@code /*}).
     *
     * <p>The registration is named "xssFilter" and given order 1 (lower order values run
     * earlier in the filter chain), so parameter sanitising happens before later filters and
     * the controllers see the request. NOTE(review): XssFilter also carries a
     * {@code @WebFilter} annotation; if servlet component scanning is enabled as well, the
     * filter would be registered twice - confirm only one registration path is active.
     *
     * @return the registration bean Spring Boot installs into the container
     */
    @Bean
    public FilterRegistrationBean registerXssFilter() {
        FilterRegistrationBean xssRegistration = new FilterRegistrationBean(new XssFilter());
        xssRegistration.setName(XSS_FILTER_NAME);
        xssRegistration.setOrder(1);
        xssRegistration.addUrlPatterns("/*");
        return xssRegistration;
    }

}
  • Xss filter class
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

/**
 * xss拦截器
 * 
 * @author : lizhangyu
 * @date : 2020-04-21
 */
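@WebFilter(filterName = "XssFilter", urlPatterns = "/*")
public class XssFilter implements Filter {

    /**
     * Servlet filter that wraps each HTTP request in {@link XssHttpServletRequestWrapper} so
     * that parameter reads downstream are passed through the XSS blacklist.
     *
     * <p>NOTE(review): this class is registered both by the {@code @WebFilter} annotation above
     * and by the {@code FilterRegistrationBean} in FilterConfig; with servlet component
     * scanning enabled it would run twice per request. Keep one registration.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise: the wrapper is stateless and needs no configuration.
    }

    /**
     * Wraps HTTP requests before handing them down the chain.
     *
     * <p>Non-HTTP requests are passed through unchanged instead of failing the cast: they
     * carry no HTTP parameters for the wrapper to sanitise.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Wrap the request so getParameter()/getParameterValues() return sanitised values.
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

}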
  • Filter request class
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import com.lutongnet.cps.base.util.XssFilterUtil;

/**
 * @author : lizhangyu
 * @date : 2020-04-21
 */
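public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Request wrapper that routes parameter reads through {@link XssFilterUtil#stripXss}.
     *
     * <p>Coverage is limited to the parameter API: {@code getParameter},
     * {@code getParameterValues} and {@code getParameterMap}. Headers and request bodies read
     * through {@code getInputStream()}/{@code getReader()} (for example JSON bound with
     * {@code @RequestBody}) are not touched, so endpoints that read those need their own
     * output encoding.
     *
     * @param request the HTTP request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Returns the sanitised value of a single parameter ({@code null} when absent). */
    @Override
    public String getParameter(String name) {
        return XssFilterUtil.stripXss(super.getParameter(name));
    }

    /**
     * Returns sanitised copies of all values for {@code name}, or {@code null} when absent.
     *
     * <p>A fresh array is returned rather than overwriting the container's array in place:
     * the array handed back by {@code super.getParameterValues} may be the container's own
     * backing store, and mutating it would silently alter what other readers see.
     */
    @Override
    public String[] getParameterValues(String name) {
        return sanitiseAll(super.getParameterValues(name));
    }

    /**
     * Returns the full parameter map with every value sanitised.
     *
     * <p>The original wrapper left this method alone, so any caller that reads parameters via
     * the map (rather than by name) received the raw values. The result is unmodifiable, as
     * the Servlet API requires for this method.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), sanitiseAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Applies stripXss to each element of {@code values} into a new array; {@code null} stays {@code null}. */
    private static String[] sanitiseAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = XssFilterUtil.stripXss(values[i]);
        }
        return cleaned;
    }

}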
  • Filter utility class (the blacklist patterns and the escaping step that do the actual work)
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.lang.StringUtils;

/**
 * Xss过滤工具类
 * @author lizhangyu
 * @version 1.0
 * @date 2020/4/30 10:16
 */
public class XssFilterUtil {
    
    

    private static List<Pattern> patterns = null;
private static List<Object[]> getXssPatternList() {
    
    
        List<Object[]> ret = new ArrayList<Object[]>();

        ret.add(new Object[] {
    
     "<(no)?script[^>]*>.*?</(no)?script>",
                Pattern.CASE_INSENSITIVE });
        ret.add(new Object[] {
    
     "eval\\((.*?)\\)",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
        ret.add(new Object[] {
    
     "expression\\((.*?)\\)",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
        ret.add(new Object[] {
    
     "(javascript:|vbscript:|view-source:)*",
                Pattern.CASE_INSENSITIVE });
        ret.add(new Object[] {
    
     "<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
		ret.add(new Object[] {
    
    
				"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*",
				Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
		ret.add(new Object[] {
    
    "<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|οnerrοr=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", 
				 Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
        return ret;
    }
		
	private static List<Pattern> getPatterns() {
    
    

       if (patterns == null) {
    
    

            List<Pattern> list = new ArrayList<Pattern>();

            String regex = null;
            Integer flag = null;
            int arrLength = 0;

            for (Object[] arr : getXssPatternList()) {
    
    
                arrLength = arr.length;
                for (int i = 0; i < arrLength; i++) {
    
    
                    regex = (String) arr[0];
                    flag = (Integer) arr[1];
                    list.add(Pattern.compile(regex, flag));
                }
            }

            patterns = list;
        }
        
        return patterns;
    }
		
	public static String stripXss(String value) {
    
    

        if(StringUtils.isNotBlank(value)) {
    
    

            Matcher matcher = null;

            for(Pattern pattern : getPatterns()) {
    
    
                matcher = pattern.matcher(value);
                // 匹配
                if(matcher.find()) {
    
    
                    // 删除相关字符串
                    value = matcher.replaceAll("");
                }
            }

            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        }
				
		return value;
    }

}
  • This filter catches the common payloads, but it is not a complete XSS defence. It only sees request parameters: bodies read through getInputStream()/getReader() (such as JSON) and headers pass through untouched. Its blacklist can be evaded by encodings and tag forms it does not list, it silently mangles legitimate input that happens to contain a listed substring, and its final step escapes only `<` and `>`, which protects HTML element content but not values rendered into attributes, JavaScript, URLs or CSS. Encode every value for the context it is rendered into (or let the template engine do it), send a Content-Security-Policy, mark session cookies HttpOnly, and keep the filter as defence in depth.


Origin blog.csdn.net/qq_37469055/article/details/106208480