filter防止xxs攻击

Posted 2021-02-10 xiufengchen

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了filter防止xxs攻击相关的知识，希望对你有一定的参考价值。

什么是XSS攻击？

XSS攻击使用javascript脚本注入进行攻击

例如在表单中注入: <script>location.href=‘http://www.itmayiedu.com‘</script>

注意:谷歌浏览器已经防止了XSS攻击，为了演示效果，最好使用火狐浏览器

fromToXss.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
    <form action="XssDemo" method="post">
        <input type="text" name="userName"> <input type="submit">
    </form>
</body>
</html>

XssDemo

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/XssDemo")
public class XssDemo extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String userName = req.getParameter("userName");
        req.setAttribute("userName", userName);
        req.getRequestDispatcher("showUserName.jsp").forward(req, resp);
    }
    

}

代码: showUserName.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>

</head>
<body>userName:${userName}

</body>
</html>

解决方案：

使用Fileter过滤器过滤器注入标签

XSSFilter

public class XssFiter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {

    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
        chain.doFilter(xssRequestWrapper, response);
    }

    public void destroy() {

    }

}

XssAndSqlHttpServletRequestWrapper

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;

/**
 * 防止XSS攻击
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
    HttpServletRequest request;
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }
    @Override
    public String getParameter(String name) {
        String value = request.getParameter(name);
        System.out.println("name:" + name + "," + value);
        if (!StringUtils.isEmpty(value)) {
            // 转换Html
            value = StringEscapeUtils.escapeHtml4(value);
        }
        return value;
    }
}

以上是关于filter防止xxs攻击的主要内容，如果未能解决你的问题，请参考以下文章

XXS和SQL注入的预防

防XXS和SQL注入

XSS过滤JAVA过滤器filter 防止常见SQL注入

防止 xxs

五品达通用权限系统__pd-tools-xxs(防跨站脚本攻击)