SpringBoot protects against XSS attacks

Table of contents

I. Introduction

1.1, XSS attack process

1.2, XSS attack classification

1.3. Attack method

Two, the solution

2.1, SPRINGBOOT XSS filter plug-in (MICA-XSS)

2.2, MICA-XSS configuration

3. Project actual combat

3.1. Project environment

3.2. Test

3.2.1. Test GET request

3.2.2. Test POST request

3.2.3. Test POST request

4. Analysis of the principle of MICA-XSS

4.1. MICA-XSS source code


I. Introduction

An XSS attack, also known as a cross-site scripting attack, usually refers to exploiting loopholes left during web page development to inject malicious code into a web page through clever means, so that users load and execute web programs maliciously created by the attacker. These malicious programs are usually JavaScript, but can also be Java, VBScript, ActiveX, Flash, or even plain HTML. After a successful attack, the attacker may obtain, among other things, higher authority (for example to perform certain operations), private web page content, sessions, and cookies.

1.1, XSS attack process


For example, a form is designed without any anti-XSS processing. A user submits malicious code through this form, the browser executes that code, and an XSS attack is launched. As shown below:

1.2, XSS attack classification

XSS attacks fall into three categories: reflected, stored, and DOM XSS.

Explanation:

  • Reflected XSS : The XSS attack code is placed on the request URL and submitted as input to the server. After the server parses the request and responds, the XSS code is sent back to the browser along with the response content, and the browser finally parses and executes it. Because the whole process resembles a reflection, it is called reflected XSS. For example, the following request is initiated:
    https://www.域名.com/index.php?xss=<script>alter(xss攻击)</script>
  • Stored XSS : It is "similar" to reflected XSS, but the difference is that the submitted XSS code is stored on the server side, so the attack is triggered again the next time the page is requested, without the XSS code being submitted again. For example, during user registration a user submits registration information containing XSS code to the server. When the user later views their personal information, the browser parses and executes it as normal HTML and JS, triggering the XSS attack.
  • DOM XSS : Unlike reflected and stored XSS, DOM XSS does not require the server's participation; the attack is triggered by the browser's DOM parsing, bypassing server-side validation and character filtering. For example, the following request is initiated:
    https://www.域名.com/index.html#alert(xss攻击)

1.3. Attack method

There are many ways to carry out an XSS attack. Here we only introduce some commonly used XSS attack methods and their purpose, and then explain the proposed solution for preventing XSS attacks in a Springboot project. For example:

  • Stealing cookies to obtain sensitive information.

  • Using implanted Flash to further obtain higher permissions through the crossdomain permission setting, or using Java to achieve similar results.

  • Using iframe, frame, XMLHttpRequest, or the above-mentioned Flash to perform management actions as the (attacked) user, or general operations such as posting on Weibo, adding friends, and sending private messages.

  • Taking advantage of the fact that the attacked domain is trusted by other domains, and requesting, as a trusted source, operations that are normally not allowed, such as conducting improper voting activities.

  • XSS on pages with a large number of visits can be used to attack smaller websites, achieving the effect of a DDoS attack.

Many junior Springboot developers often fall for this trick, and recently this problem also occurred while I was testing a personal project. So how do we prevent XSS attacks in a Springboot project?

Two, the solution

From the introduction to XSS attacks, we know that XSS usually arrives through form input, URL requests, and cookies. Therefore, we can prevent XSS attacks from the following aspects.

  • XSS processing of form data
  • XSS processing of URL request data (JSON)
  • Set data release rules for URLs and server-side controller methods

In fact, we do not need to implement these solutions ourselves. The Maven dependencies for SpringBoot provide us with XSS security filter plug-ins: mica-core and mica-xss.

2.1, SPRINGBOOT XSS filter plug-in (MICA-XSS)

After adding the Maven dependencies, the XSS filtering configuration is already complete.

mica-xss component description :

  • Perform xss processing on form-bound string types.
  • Perform xss processing on json string data.
  • Provides route-level and controller-method-level pass rules.
<dependency>
    <groupId>net.dreamlu</groupId>
    <artifactId>mica-xss</artifactId>
    <version>2.0.9-GA</version>
</dependency>
<dependency>
    <groupId>net.dreamlu</groupId>
    <artifactId>mica-core</artifactId>
    <version>2.1.0-GA</version>
</dependency>

2.2, MICA-XSS configuration

mica:
  xss:
    enabled: true
    path-exclude-patterns:
    path-patterns: /**

3. Project actual combat

3.1. Project environment

Development tools: IDEA-2020.02, Springboot 2.4.1
Test tools: Google Chrome, Postman

3.2. Test

3.2.1. Test GET request

XSS protection not set:
Add the annotation @XssCleanIgnore to skip XSS filtering.

import net.dreamlu.mica.xss.core.XssCleanIgnore;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author dell
 */
@RestController
@XssCleanIgnore // this annotation skips the configured XSS protection
@RequestMapping("/")
public class IndexController {

    @GetMapping("/xss")
    public String xssGet(String data) {
        System.out.println(data);
        return data;
    }
}

The effect is as follows:

Set up XSS protection:
Remove the annotation @XssCleanIgnore; the returned data is empty. The effect is as follows:

3.2.2. Test POST request

3.2.2.1, Test POST request (XSS code is placed on the URL)

XSS protection is not set:
Add the annotation @XssCleanIgnore to skip XSS filtering and return the data.

import net.dreamlu.mica.xss.core.XssCleanIgnore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * @author dell
 */
@RestController
@XssCleanIgnore // this annotation skips the configured XSS protection
@RequestMapping("/")
public class IndexController {

    @PostMapping("/xss")
    public String xssPost(String data) {
        System.out.println(data);
        return data;
    }
}

The effect is as follows:

Set up XSS protection:
Remove the annotation @XssCleanIgnore so that XSS protection applies; the data is filtered and empty is returned.

3.2.2.2, Test POST request (XSS code is placed in BODY)

XSS protection is not set:

import net.dreamlu.mica.xss.core.XssCleanIgnore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;

/**
 * @author dell
 */
@RestController
@XssCleanIgnore
@RequestMapping("/")
public class IndexController {

    @PostMapping("/xss")
    public String xssPostBody(@RequestBody Map<String, String> body) {
        System.out.println(body);
        return body.get("data");
    }
}

The effect is as follows:

Set up XSS protection:

3.2.3. Test POST request

If you read parameters with native ServletRequest methods such as request.getParameter("xss"), they are not intercepted by MICA. You need to add the filter described in the following article (personally tested and working). The principle is to override some of the native methods and add filtering there.

SpringBoot integrates Hutool to prevent XSS attacks - wcybaonier's blog - CSDN blog

4. Analysis of the principle of MICA-XSS


Explanation:

  • As shown above, an XssFilter is added to intercept the URL parameters submitted by the user and perform the relevant escaping and blacklist exclusion before the business logic runs.
  • In the whole process of mica-xss protecting against XSS attacks, the core part is to wrap the user's original request in a new request wrapper, which ensures that the request stream can be read repeatedly in the subsequent processing.
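The request-wrapper principle described above, together with the native-method gap noted in 3.2.3, as an added example that is not mica-xss's own code: a Spring Boot filter (javax.servlet, matching Springboot 2.4.1) that wraps every request so that request.getParameter and getParameterValues already return HTML-escaped values when a controller calls them. The class names and the exclusion patterns are constructed for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.HtmlUtils;

/** Hypothetical filter: wraps each request so native parameter reads return escaped values. */
@Component
public class NativeParamXssFilter implements Filter {

    // Constructed exclusion list, playing the role of mica.xss.path-exclude-patterns.
    private static final List<String> EXCLUDE = Arrays.asList("/actuator/**", "/public/**");
    private final AntPathMatcher matcher = new AntPathMatcher();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getServletPath();
        boolean excluded = EXCLUDE.stream().anyMatch(p -> matcher.match(p, path));
        // Everything downstream, including request.getParameter in a controller, sees the wrapper.
        chain.doFilter(excluded ? request : new EscapingRequestWrapper(request), res);
    }

    /** Overrides the native accessors that, as section 3.2.3 notes, mica-xss does not intercept. */
    static class EscapingRequestWrapper extends HttpServletRequestWrapper {
        EscapingRequestWrapper(HttpServletRequest request) { super(request); }

        @Override
        public String getParameter(String name) {
            return clean(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) { return null; }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) { cleaned[i] = clean(values[i]); }
            return cleaned;
        }

        /** Escape &, <, >, " and ' so a browser renders the value as text rather than markup. */
        static String clean(String value) {
            return value == null ? null : HtmlUtils.htmlEscape(value);
        }
    }
}
```

getParameterMap() and the JSON request body are deliberately left out: mica-xss already handles JSON, and getParameterMap() would need the same per-value escaping if your code reads it.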

4.1. MICA-XSS source code

Link:https://gitee.com/596392912/mica/tree/master/mica-xss

mica-xss source code

Origin blog.csdn.net/qq_39706515/article/details/130112241