跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞
2014-11-13 17:20
507 查看
1、跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞
主要是通过在url或参数中添加脚本如:
1、URL中添加<script>alert(1)</script>
2、参数value=<a href="http://demo.com"></a>。
添加一个过滤器对特殊字符进行拦截
[java] view
plaincopy
package com.xxx.sys.filter;
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
/**
* 非法字符过滤器
* 1.所有非法字符配置在web.xml中,如需添加新字符,请自行配置
* 2.请注意请求与相应时的编码格式设置,否则遇到中文时,会出现乱码(GBK与其子集应该没问题)
* @author lee
*
*/
public class CharFilter implements Filter {
private Logger log = Logger.getLogger(CharFilter.class);
private String encoding;
private String[] legalNames;
private String[] illegalChars;
public void init(FilterConfig filterConfig) throws ServletException {
encoding = filterConfig.getInitParameter("encoding");
legalNames = filterConfig.getInitParameter("legalNames").split(",");
illegalChars = filterConfig.getInitParameter("illegalChars").split(",");
}
public void destroy() {
encoding = null;
legalNames = null;
illegalChars = null;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse) response;
//必须手动指定编码格式
req.setCharacterEncoding(encoding);
String tempURL = req.getRequestURI();
log.info(tempURL);
Enumeration params = req.getParameterNames();
//是否执行过滤 true:执行过滤 false:不执行过滤
boolean executable = true;
//非法状态 true:非法 false;不非法
boolean illegalStatus = false;
String illegalChar = "";
//对参数名与参数进行判断
w:while(params.hasMoreElements()){
String paramName = (String) params.nextElement();
executable = true;
//密码不过滤
if(paramName.toLowerCase().contains("password")){
executable = false;
}else{
//检查提交参数的名字,是否合法,即不过滤其提交的值
f:for(int i=0;i<legalNames.length;i++){
if(legalNames[i].equals(paramName)){
executable = false;
break f;
}
}
}
if(executable){
String[] paramValues = req.getParameterValues(paramName);
f1:for(int i=0;i<paramValues.length;i++){
String paramValue = paramValues[i];
f2:for(int j=0;j<illegalChars.length;j++){
illegalChar = illegalChars[j];
if(paramValue.indexOf(illegalChar) != -1){
illegalStatus = true;//非法状态
break f2;
}
}
if(illegalStatus){
break f1;
}
}
}
if(illegalStatus){
break w;
}
}
//对URL进行判断
for(int j=0;j<illegalChars.length;j++){
illegalChar = illegalChars[j];
if(tempURL.indexOf(illegalChar) != -1){
illegalStatus = true;//非法状态
break;
}
}
if(illegalStatus){
//必须手动指定编码格式
res.setContentType("text/html;charset="+encoding);
res.setCharacterEncoding(encoding);
res.getWriter().print("<script>window.alert('当前链接中存在非法字符');window.history.go(-1);</script>");
}else{
filterChain.doFilter(request, response);
}
}
}
web.xml code
[html] view
plaincopy
<filter>
<filter-name>charFilter</filter-name>
<filter-class>com.xxx.sys.filter.CharFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>legalNames</param-name>
<param-value>content1,ver,historyURL,listURL</param-value>
</init-param>
<init-param>
<param-name>illegalChars</param-name>
<param-value>|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\,http</param-value>
</init-param>
</filter>
主要是通过在url或参数中添加脚本如:
1、URL中添加<script>alert(1)</script>
2、参数value=<a href="http://demo.com"></a>。
添加一个过滤器对特殊字符进行拦截
[java] view
plaincopy
package com.xxx.sys.filter;
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
/**
* 非法字符过滤器
* 1.所有非法字符配置在web.xml中,如需添加新字符,请自行配置
* 2.请注意请求与相应时的编码格式设置,否则遇到中文时,会出现乱码(GBK与其子集应该没问题)
* @author lee
*
*/
public class CharFilter implements Filter {
private Logger log = Logger.getLogger(CharFilter.class);
private String encoding;
private String[] legalNames;
private String[] illegalChars;
public void init(FilterConfig filterConfig) throws ServletException {
encoding = filterConfig.getInitParameter("encoding");
legalNames = filterConfig.getInitParameter("legalNames").split(",");
illegalChars = filterConfig.getInitParameter("illegalChars").split(",");
}
public void destroy() {
encoding = null;
legalNames = null;
illegalChars = null;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse) response;
//必须手动指定编码格式
req.setCharacterEncoding(encoding);
String tempURL = req.getRequestURI();
log.info(tempURL);
Enumeration params = req.getParameterNames();
//是否执行过滤 true:执行过滤 false:不执行过滤
boolean executable = true;
//非法状态 true:非法 false;不非法
boolean illegalStatus = false;
String illegalChar = "";
//对参数名与参数进行判断
w:while(params.hasMoreElements()){
String paramName = (String) params.nextElement();
executable = true;
//密码不过滤
if(paramName.toLowerCase().contains("password")){
executable = false;
}else{
//检查提交参数的名字,是否合法,即不过滤其提交的值
f:for(int i=0;i<legalNames.length;i++){
if(legalNames[i].equals(paramName)){
executable = false;
break f;
}
}
}
if(executable){
String[] paramValues = req.getParameterValues(paramName);
f1:for(int i=0;i<paramValues.length;i++){
String paramValue = paramValues[i];
f2:for(int j=0;j<illegalChars.length;j++){
illegalChar = illegalChars[j];
if(paramValue.indexOf(illegalChar) != -1){
illegalStatus = true;//非法状态
break f2;
}
}
if(illegalStatus){
break f1;
}
}
}
if(illegalStatus){
break w;
}
}
//对URL进行判断
for(int j=0;j<illegalChars.length;j++){
illegalChar = illegalChars[j];
if(tempURL.indexOf(illegalChar) != -1){
illegalStatus = true;//非法状态
break;
}
}
if(illegalStatus){
//必须手动指定编码格式
res.setContentType("text/html;charset="+encoding);
res.setCharacterEncoding(encoding);
res.getWriter().print("<script>window.alert('当前链接中存在非法字符');window.history.go(-1);</script>");
}else{
filterChain.doFilter(request, response);
}
}
}
web.xml code
[html] view
plaincopy
<filter>
<filter-name>charFilter</filter-name>
<filter-class>com.xxx.sys.filter.CharFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>legalNames</param-name>
<param-value>content1,ver,historyURL,listURL</param-value>
</init-param>
<init-param>
<param-name>illegalChars</param-name>
<param-value>|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\,http</param-value>
</init-param>
</filter>
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞
- WordPress HMS Testimonials 多个跨站脚本漏洞和跨站请求伪造漏洞
- 解决跨站脚本注入,跨站伪造用户请求,sql注入等http安全漏洞
- 解决跨站脚本注入,跨站伪造用户请求,sql注入等http安全漏洞
- WordPress CMS Tree Page View插件跨站脚本请求伪造漏洞
- WordPress Content Slide插件跨站请求伪造漏洞
- 跨站脚本编制漏洞
- 深入解析跨站请求伪造漏洞:原理剖析(1)
- WordPress Easy AdSense Lite插件跨站请求伪造漏洞
- WordPress Shareaholic 插件跨站请求伪造漏洞
- WordPress Digg Digg插件跨站请求伪造漏洞
- WordPress Poll插件跨站请求伪造漏洞
- WordPress Simple Paypal Shopping Cart插件跨站请求伪造漏洞
- WordPress Citizen Space插件跨站请求伪造漏洞
- WordPress qTranslate插件跨站请求伪造漏洞
- WordPress Mail On Update插件跨站请求伪造漏洞
- WordPress GA Universal插件跨站请求伪造漏洞
- WordPress WP-Print插件跨站请求伪造漏洞
- WordPress All in One Webmaster插件跨站请求伪造漏洞
- WordPress post-views插件跨站请求伪造漏洞