XSS概述

跨站腳本攻擊(Cross Site Scripting)，縮寫為XSS。惡意攻擊者往Web頁面里插入惡意Script代碼，當用戶瀏覽該頁之時，嵌入其中Web里面的Script代碼會被執行，從而達到惡意攻擊用戶的目的。

Servlet的方式

1、繼承HttpServletRequestWrapper，實現對請求參數的過濾

/*** xss請求適配器*/ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {public XssHttpServletRequestWrapper(HttpServletRequest request) {super(request);}/*** 對數組參數進行特殊字符過濾*/@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);if (values == null) {return null;}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {encodedValues[i] = cleanXSS(values[i]);}return encodedValues;}/*** 對參數中特殊字符進行過濾*/@Overridepublic String getParameter(String name) {String value = super.getParameter(name);if (value == null) {return null;}return cleanXSS(value);}/*** 獲取attribute,特殊字符過濾*/@Overridepublic Object getAttribute(String name) {Object value = super.getAttribute(name);if (value != null && value instanceof String) {cleanXSS((String) value);}return value;}/*** 對請求頭部進行特殊字符過濾*/@Overridepublic String getHeader(String name) {String value = super.getHeader(name);if (value == null) {return null;}return cleanXSS(value);}/*** 轉義字符,使用該方法存在一定的弊端* * @param value* @return*/private String cleanXSS2(String value) {// 移除特殊標簽value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");value = value.replaceAll("'", "&#39;");value = value.replaceAll("eval\\((.*)\\)", "");value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");value = value.replaceAll("script", "");return value;}private String cleanXSS(String value) {if (value != null) {//推薦使用ESAPI庫來避免腳本攻擊,value = ESAPI.encoder().canonicalize(value);// 避免空字符串value = value.replaceAll(" ", "");// 避免script 標簽Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// 避免src形式的表達式scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// 刪除單個的 </script> 標簽scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// 刪除單個的<script ...> 標簽scriptPattern = Pattern.compile("<script(.*?)>",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// 避免 eval(...) 形式表達式scriptPattern = Pattern.compile("eval\\((.*?)\\)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// 避免 e-xpression(...) 表達式scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// 避免 javascript: 表達式scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// 避免 vbscript:表達式scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// 避免 οnlοad= 表達式scriptPattern = Pattern.compile("onload(.*?)=",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");}return value;}}

2、實現Filter，實現XSS過濾器

/*** xss過濾器*/ public class XssFilter implements Filter {FilterConfig filterConfig = null;@Overridepublic void init(FilterConfig filterConfig) throws ServletException {this.filterConfig = filterConfig;}@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {//對請求進行攔截,防xss處理chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);}@Overridepublic void destroy() {this.filterConfig = null;} }

3、注入XSS過濾器，兩種方式
第一種方式：配置web.xml

<!-- xss過濾器 --> <filter><filter-name>XssSqlFilter</filter-name><filter-class>cn.aric.xss.XssFilter</filter-class> </filter> <filter-mapping><filter-name>XssSqlFilter</filter-name><url-pattern>/*</url-pattern><dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher> </filter-mapping>1234567891011

第二種方式：注解

/*** 注入Xss過濾器(注解方式)*/ public class WebInitializer implements WebApplicationInitializer{@Overridepublic void onStartup(ServletContext servletContext) throws ServletException {//添加監聽器servletContext.addListener(RequestContextListener.class);//添加過濾器Dynamic xssFilterRegistration = servletContext.addFilter("XssFilter", XssFilter.class);//添加映射規則xssFilterRegistration.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST,DispatcherType.FORWARD,DispatcherType.INCLUDE), false, "/*");}}

Spring整合的方式

1、使用spring的HtmlUtils,可以使用StringEscapeUtils 中的過濾方法

/*** 解決XSS跨站腳本攻擊和sql注入攻擊,使用spring的HtmlUtils,可以使用StringEscapeUtils 中的過濾方法*/ public class XssSpringHttpServletRequestWrapper extends HttpServletRequestWrapper{public XssSpringHttpServletRequestWrapper(HttpServletRequest request) {super(request);}/*** 對數組參數進行特殊字符過濾*/@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);String[] newValues = new String[values.length];for (int i = 0; i < values.length; i++) {//spring的HtmlUtils進行轉義newValues[i] = HtmlUtils.htmlEscape(values[i]);}return newValues;}/*** 攔截參數,并對其進行字符轉義*/@Overridepublic String getParameter(String name) {return HtmlUtils.htmlEscape(name);}/*** 攔截參數,并對其進行字符轉義*/@Overridepublic Object getAttribute(String name) {return HtmlUtils.htmlEscape(name);}}

2、實現XSS過濾器

/*** spring方式xss過濾器*/ public class XssSpringFilter implements Filter{@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {HttpServletRequest req = (HttpServletRequest) request;chain.doFilter(new XssSpringHttpServletRequestWrapper(req), response);}@Overridepublic void destroy() {}

3、配置XSS過濾器

<!-- spring方式的xss過濾器 --> <filter><filter-name>xssSpringFilter</filter-name><filter-class>cn.aric.xss.XssSpringHttpServletRequestWrapper</filter-class> </filter> <filter-mapping><filter-name>xssSpringFilter</filter-name><url-pattern>/*</url-pattern> </filter-mapping>123456789

總結

以上是生活随笔為你收集整理的Java实现XSS防御的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。