Struts2修复xss攻击
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Struts2修复xss攻击相关的知识,希望对你有一定的参考价值。
概述
struts版本:2.3.4.1
tomcat版本:6
第一种修复方法
参考文章:https://yq.aliyun.com/articles/7126 (不过安全按照该方法无法修复,只能参考思路)
-
重写StrutsPrepareAndExecuteFilter,注册自定义Dispatcher
public class MStrutsPrepareAndExecuteFilter extends StrutsPrepareAndExecuteFilter { @Override public void init(FilterConfig filterConfig) throws ServletException { InitOperations init = new InitOperations(); try { FilterHostConfig config = new FilterHostConfig(filterConfig); init.initLogging(config); Dispatcher dispatcher = initDispatcher(config); init.initStaticContentLoader(config, dispatcher); prepare = new PrepareOperations(filterConfig.getServletContext(), dispatcher); execute = new ExecuteOperations(filterConfig.getServletContext(), dispatcher); this.excludedPatterns = init.buildExcludedPatternsList(dispatcher); postInit(dispatcher, filterConfig); } finally { init.cleanup(); } } /** * Creates and initializes the dispatcher */ public Dispatcher initDispatcher( HostConfig filterConfig ) { Dispatcher dispatcher = createDispatcher(filterConfig); dispatcher.init(); return dispatcher; } /** * Create a {@link Dispatcher} */ private Dispatcher createDispatcher(HostConfig filterConfig) { Map<String, String> params = new HashMap<String, String>(); for (Iterator e = filterConfig.getInitParameterNames(); e.hasNext();) { String name = (String) e.next(); String value = filterConfig.getInitParameter(name); params.put(name, value); } return new MDispatcher(filterConfig.getServletContext(), params); } - 写自定义Dispatcher,继承Dispatcher,重写createContextMap方法,将 Map params = new HashMap(request.getParameterMap());改行修改为 Map params = new HashMap(new ParamFormatWarp(request).getParameterMap());
-
ParamFormatWarp类参考如下
public class ParamFormatWarp extends HttpServletRequestWrapper { public ParamFormatWarp(HttpServletRequest request) { super(request); } private String clearXss(String value) { if (value == null || "".equals(value)) { return value; } value = stripXSSAndSql(value); return value; } /** * * 防止xss跨脚本攻击(替换,根据实际情况调整) */ public String stripXSSAndSql(String value) { if (value != null) { Pattern scriptPattern = Pattern.compile("<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); } return value; } @Override public Map getParameterMap() { HashMap paramMap = (HashMap) super.getParameterMap(); paramMap = (HashMap) paramMap.clone(); for (Iterator iterator = paramMap.entrySet().iterator(); iterator.hasNext(); ) { Map.Entry entry = (Map.Entry ) iterator.next(); String [] values =(String[])entry.getValue(); for (int i = 0; i < values.length; i++) { if(values[i] instanceof String){ values[i] = clearXss(values[i]); } } entry.setValue(values); } return paramMap; } }上面这种修改方法有可能在其他应用服务器下有问题,如http://zydky.iteye.com/blog/558973 ,我未测试,如有问题可按照如下方式过滤getParameterMap获取的map http://blog.csdn.net/aeroleo/article/details/52204789
第二种方法
参照:http://blog.csdn.net/huplion/article/details/49001151 和
http://blog.csdn.net/huplion/article/details/49000309 一定要两个链接一起看,否则不起作用,另外有一处代码记得按照如下修改:
Map<String, Object> map = inaction.getParameters();
for (Map.Entry<String, Object> entry : map.entrySet()) {
String[] values = ((String[]) (entry.getValue()));
for (int i = 0; i < values.length; i++) {
values[i]=XssUtil.clearXss(values[i]);
}
entry.setValue(values);
}为什么存在values[[],有可能请求的链接是url?t=1&t=2&t=3
以上是关于Struts2修复xss攻击的主要内容,如果未能解决你的问题,请参考以下文章