Java防止xss攻击
2016-03-29 13:02
603 查看
首先说一下思路,防止这种类似于注入攻击,就是使用拦截器(Filter)处理特殊字符或过滤特殊字符
今天介绍一个方法,利用覆盖Servlet的getParameter方法达到处理特殊字符的目的来解决(防止)Xss攻击
web.xml
Filter类(XssFilter. Java )
最关键的类(XssHttpServletRequestWrapper.java)
继承servlet的HttpServletRequestWrapper,并重写相应的几个有可能带xss攻击的方法
依赖jar包百度网盘下载xssProtect-0.1.jarantlr-runtime-3.0.1.jar
转载注明本文地址:http://www.ablanxue.com/shtml/201502/26346_1.shtml
通过重写getParameter()等方法,实现简单的过滤,从而防止Xss攻击
今天介绍一个方法,利用覆盖Servlet的getParameter方法达到处理特殊字符的目的来解决(防止)Xss攻击
web.xml
<filter> <filter-name>XssEscape</filter-name> <filter-class>www.ablanxue.com.filter.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>XssEscape</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Filter类(XssFilter. Java )
package www.ablanxue.com.filter; import java.io.IOException; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class XssFilter implements javax.servlet.Filter { @Override public void destroy() { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request); filterChain.doFilter(xssRequest, response); } @Override public void init(FilterConfig arg0) throws ServletException { // TODO Auto-generated method stub } }
最关键的类(XssHttpServletRequestWrapper.java)
继承servlet的HttpServletRequestWrapper,并重写相应的几个有可能带xss攻击的方法
package www.ablanxue.com.filter; import java.io.StringReader; import java.io.StringWriter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import com.blogspot.radialmind.html.HTMLParser; import com.blogspot.radialmind.xss.XSSFilter; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); orgRequest = request; } /** * 覆盖getParameter方法,将参数名和参数值都做xss过滤。 * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取 * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */ @Override public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 覆盖getHeader方法,将参数名和参数值都做xss过滤。 * 如果需要获得原始的值,则通过super.getHeaders(name)来获取 * getHeaderNames 也可能需要覆盖 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引起xss漏洞的半角字符直接替换成全角字符 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || s.isEmpty()) { return s; } StringReader reader = new StringReader(s); StringWriter writer = new StringWriter(); try { HTMLParser.process(reader, writer, new XSSFilter(), true); String result = writer.toString(); System.out.println("xssEncode-------------------------" + s + " = " + result); return result; } catch (NullPointerException e) { return s; } catch (Exception ex) { ex.printStackTrace(); } return null; } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } }
依赖jar包百度网盘下载xssProtect-0.1.jarantlr-runtime-3.0.1.jar
转载注明本文地址:http://www.ablanxue.com/shtml/201502/26346_1.shtml
通过重写getParameter()等方法,实现简单的过滤,从而防止Xss攻击
相关文章推荐
- Search Engine XSS Worm
- xss防御之php利用httponly防xss攻击
- php实现XSS安全过滤的方法
- ThinkPHP2.x防范XSS跨站攻击的方法
- xms/xmx/xss在kette中的调优设置
- XSS攻击解决方案
- Beetl解决XSS问题(AntiSamy)
- XSS***
- XSS中JavaScript加密以及Filter bypass
- XSS(一)
- XSS(二)
- </script><iframe onload=alert(document.cookie)>
- 防御XSS攻击的七条原则
- xss攻击
- 学习PHP精粹,编写高效PHP代码之安全性
- XSS初探
- XSS攻击的过滤
- 通用跨站脚本攻击(UXSS)
- WIFI菠萝 strip-n-inject插件安装与使用
- Web for Pentester XSS Example 01-09