Java实现XSS防御

偏执的太偏执、 2023-10-02 14:13 10阅读 0赞

## XSS概述 ##

跨站脚本攻击(Cross Site Scripting)，缩写为XSS。恶意攻击者往Web页面里插入恶意Script代码，当用户浏览该页之时，嵌入其中Web里面的Script代码会被执行，从而达到恶意攻击用户的目的。

## Servlet的方式 ##

1、继承HttpServletRequestWrapper，实现对请求参数的过滤

/**
     * xss请求适配器
     */
    public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
        
    
        public XssHttpServletRequestWrapper(HttpServletRequest request) {
        
            super(request);
        }
    
        /**
         * 对数组参数进行特殊字符过滤
         */
        @Override
        public String[] getParameterValues(String name) {
        
            String[] values = super.getParameterValues(name);
            if (values == null) {
        
                return null;
            }
            int count = values.length;
            String[] encodedValues = new String[count];
            for (int i = 0; i < count; i++) {
        
                encodedValues[i] = cleanXSS(values[i]);
            }
            return encodedValues;
        }
    
        /**
         * 对参数中特殊字符进行过滤
         */
        @Override
        public String getParameter(String name) {
        
            String value = super.getParameter(name);
            if (value == null) {
        
                return null;
            }
            return cleanXSS(value);
        }
    
        /**
         * 获取attribute,特殊字符过滤
         */
        @Override
        public Object getAttribute(String name) {
        
            Object value = super.getAttribute(name);
            if (value != null && value instanceof String) {
        
                cleanXSS((String) value);
            }
            return value;
        }
    
        /**
         * 对请求头部进行特殊字符过滤
         */
        @Override
        public String getHeader(String name) {
        
            String value = super.getHeader(name);
            if (value == null) {
        
                return null;
            }
            return cleanXSS(value);
        }
    
        /**
         * 转义字符,使用该方法存在一定的弊端
         * 
         * @param value
         * @return
         */
        private String cleanXSS2(String value) {
        
            // 移除特殊标签
            value = value.replaceAll("<", "<").replaceAll(">", ">");
            value = value.replaceAll("\\(", "(").replaceAll("\\)", ")");
            value = value.replaceAll("'", "'");
            value = value.replaceAll("eval\\((.*)\\)", "");
            value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
            value = value.replaceAll("script", "");
            return value;
        }
    
        private String cleanXSS(String value) {
        
            if (value != null) {
        
                //推荐使用ESAPI库来避免脚本攻击,value = ESAPI.encoder().canonicalize(value);
                // 避免空字符串
                value = value.replaceAll(" ", "");
                // 避免script 标签
                Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // 避免src形式的表达式
                scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // 删除单个的 </script> 标签
                scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // 删除单个的<script ...> 标签
                scriptPattern = Pattern.compile("<script(.*?)>",
                        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // 避免 eval(...) 形式表达式
                scriptPattern = Pattern.compile("eval\\((.*?)\\)",
                        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // 避免 e-xpression(...) 表达式
                scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)",
                        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // 避免 javascript: 表达式
                scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // 避免 vbscript:表达式
                scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // 避免 οnlοad= 表达式
                scriptPattern = Pattern.compile("onload(.*?)=",
                        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
            }
            return value;
        }
    
    }

2、实现Filter，实现XSS过滤器

/**
     * xss过滤器
     */
    public class XssFilter implements Filter {
        
    
        FilterConfig filterConfig = null;
    
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        
            this.filterConfig = filterConfig;
        }
    
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
        
            //对请求进行拦截,防xss处理
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        }
    
        @Override
        public void destroy() {
        
            this.filterConfig = null;
        }
    }

3、注入XSS过滤器，两种方式  
第一种方式：配置web.xml

<filter>
        <filter-name>XssSqlFilter</filter-name>
        <filter-class>cn.aric.xss.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssSqlFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>1234567891011

第二种方式：注解

/**
     * 注入Xss过滤器(注解方式)
     */
    public class WebInitializer implements WebApplicationInitializer{
        
    
        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
        
            //添加监听器
            servletContext.addListener(RequestContextListener.class);
            //添加过滤器
            Dynamic xssFilterRegistration = servletContext.addFilter("XssFilter", XssFilter.class);
            //添加映射规则
            xssFilterRegistration.addMappingForUrlPatterns(
                    EnumSet.of(DispatcherType.REQUEST,DispatcherType.FORWARD,DispatcherType.INCLUDE), 
                    false, 
                    "/*");
    
        }
    
    }

## Spring整合的方式 ##

1、使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法

/**
     * 解决XSS跨站脚本攻击和sql注入攻击,使用spring的HtmlUtils,可以使用StringEscapeUtils 中的过滤方法
     */
    public class XssSpringHttpServletRequestWrapper extends HttpServletRequestWrapper{
        
    
        public XssSpringHttpServletRequestWrapper(HttpServletRequest request) {
        
            super(request);
        }
    
        /**
         * 对数组参数进行特殊字符过滤
         */
        @Override
        public String[] getParameterValues(String name) {
        
            String[] values = super.getParameterValues(name);
            String[] newValues = new String[values.length];
            for (int i = 0; i < values.length; i++) {
        
                //spring的HtmlUtils进行转义
                newValues[i] = HtmlUtils.htmlEscape(values[i]);
            }
            return newValues;
        }
    
        /**
         * 拦截参数,并对其进行字符转义
         */
        @Override
        public String getParameter(String name) {
        
            return HtmlUtils.htmlEscape(name);
        }
    
        /**
         * 拦截参数,并对其进行字符转义
         */
        @Override
        public Object getAttribute(String name) {
        
            return HtmlUtils.htmlEscape(name);
        }
    
    }

2、实现XSS过滤器

/**
     * spring方式xss过滤器
     */
    public class XssSpringFilter implements Filter{
        
    
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        
    
        }
    
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
        
            HttpServletRequest req = (HttpServletRequest) request;
            chain.doFilter(new XssSpringHttpServletRequestWrapper(req), response);
        }
    
        @Override
        public void destroy() {
        
    
        }

3、配置XSS过滤器

<filter>
        <filter-name>xssSpringFilter</filter-name>
        <filter-class>cn.aric.xss.XssSpringHttpServletRequestWrapper</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>xssSpringFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>123456789