Solución de vulnerabilidad XSS (cross-site scripting) mediante un filtro de servlet

Configurar XssFilter. Nota: un filtro de entrada basado en lista negra como el que sigue es solo una mitigación parcial; la defensa principal contra XSS es la codificación de salida según el contexto (HTML, atributo, JavaScript, URL) en el momento de renderizar.

1. web.xml

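<!-- XssFilter: wraps every HTTP request so that parameter and header reads pass through the XSS blacklist cleaner. -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.xxx.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- No <dispatcher> elements are given, so per the Servlet 2.4+ spec this mapping applies to the
         REQUEST dispatch only; FORWARD, INCLUDE and ERROR dispatches are not filtered unless listed here. -->
</filter-mapping>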

 

2. XssFilter:

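package com.xxx.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps every HTTP request in an {@link XssShellInterceptor}
 * so that parameter and header reads go through its blacklist cleaner.
 *
 * <p>Mapped to {@code /*} in web.xml. This is input filtering only: it is not a
 * substitute for context-aware output encoding in the views, and the wrapper does
 * not override {@code getInputStream()}/{@code getReader()}, so request bodies
 * (JSON, XML) pass through untouched.
 */
public class XssFilter implements Filter {

    /** Config handed to {@link #init}; kept only so it can be released in {@link #destroy}. */
    private FilterConfig filterConfig = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests can be wrapped; an unconditional cast would throw
        // ClassCastException for any other ServletRequest implementation, so
        // non-HTTP requests are passed down the chain unchanged.
        ServletRequest wrapped = request instanceof HttpServletRequest
                ? new XssShellInterceptor((HttpServletRequest) request)
                : request;
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}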

 

3. XssShellInterceptor:

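package com.xxx.filter;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that strips a small blacklist of XSS-related tokens from
 * request parameters and headers before the application reads them.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This is a blacklist input filter, not a real defence. It cannot know the
 *       output context (HTML body, attribute, JavaScript, URL), so it does not
 *       replace context-aware output encoding at render time.</li>
 *   <li>It destroys legitimate data: any value containing {@code '}, {@code ;},
 *       {@code <}, {@code >} or the substring "script" is altered. The word
 *       "description" becomes "deion", and passwords containing {@code '} or
 *       {@code ;} are silently changed. Because {@code ;} is stripped from headers
 *       too, {@code ;}-delimited headers (Accept, Content-Type, Cookie) read through
 *       this wrapper are mangled.</li>
 *   <li>Known gaps: double quotes, {@code &}, event-handler attributes such as
 *       {@code onload=}, HTML-entity or URL-encoded payloads, {@code getQueryString()},
 *       {@code getCookies()} and the request body are not touched.</li>
 * </ul>
 *
 * <p>Compared with a single-pass, case-sensitive strip, the cleaner below matches
 * case-insensitively and repeats until nothing changes, so nested payloads like
 * {@code scr<ipt} or {@code scrscriptipt} cannot reassemble a blocked token after
 * one removal.
 */
public class XssShellInterceptor extends HttpServletRequestWrapper {

    /**
     * Tokens removed from every value, applied in this order on each pass. The
     * bare characters are matched literally; the word tokens case-insensitively.
     * Compiled once instead of on every String.replaceAll call.
     */
    private static final Pattern[] BLACKLIST = {
            Pattern.compile("'"),
            Pattern.compile(";"),
            Pattern.compile("<"),
            Pattern.compile(">"),
            Pattern.compile("javascript", Pattern.CASE_INSENSITIVE),
            Pattern.compile("script", Pattern.CASE_INSENSITIVE),
            Pattern.compile("jscript", Pattern.CASE_INSENSITIVE),
            Pattern.compile("vbscript", Pattern.CASE_INSENSITIVE),
    };

    public XssShellInterceptor(HttpServletRequest request) {
        super(request);
    }

    /** Cleaned copy of every value for {@code parameter}; {@code null} if the parameter is absent. */
    @Override
    public String[] getParameterValues(String parameter) {
        return cleanAll(super.getParameterValues(parameter));
    }

    /** Cleaned first value for {@code parameter}; {@code null} if the parameter is absent. */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Cleaned, unmodifiable copy of the whole parameter map. Without this override,
     * code that reads parameters through the map would bypass the cleaner entirely.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Cleaned value of the first header named {@code name}; {@code null} if absent. */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /** Cleaned copies of all headers named {@code name}; {@code null} if the container returns null. */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> cleaned = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            String header = raw.nextElement();
            cleaned.add(header == null ? null : cleanXSS(header));
        }
        return Collections.enumeration(cleaned);
    }

    /** Applies {@link #cleanXSS(String)} to each element; null array and null elements pass through. */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Removes every blacklisted token from {@code value}, repeating the pass until
     * the string stops changing. Each pass either shortens the string or leaves it
     * unchanged, so the loop terminates.
     */
    private static String cleanXSS(String value) {
        String current = value;
        String previous;
        do {
            previous = current;
            for (Pattern token : BLACKLIST) {
                current = token.matcher(current).replaceAll("");
            }
        } while (!current.equals(previous));
        return current;
    }

}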

 

Origin www.cnblogs.com/pluto-yang/p/12720449.html