XSS 跨域脚本攻击解决方案
编写拦截类
在web.xml中配置拦截
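package com.jst.sys.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

/**
 * Illegal-character filter (deny-list).
 *
 * <ol>
 *   <li>All illegal substrings are configured in web.xml as the comma-separated
 *       {@code illegalChars} init-param; add new ones there.</li>
 *   <li>Parameter names listed in the comma-separated {@code legalNames} init-param, and any
 *       parameter whose name contains "password", are not inspected.</li>
 *   <li>Set the request/response encoding ({@code encoding} init-param) consistently, otherwise
 *       Chinese text is garbled (GBK and its subsets should be fine).</li>
 * </ol>
 *
 * <p>Matching is a plain substring test ({@link String#indexOf(String)}) of every configured entry
 * against each parameter value and the request URI. Entries are taken literally: {@code CR} and
 * {@code LF} match those letters, not line breaks, a comma can never be an entry because it is the
 * list delimiter, and a backslash is not an escape. Empty entries (e.g. from a doubled comma) are
 * dropped at init time, because {@code indexOf("")} is 0 and such an entry would block every
 * request. A deny-list like this reduces exposure but does not replace context-aware output
 * encoding where values are rendered.
 *
 * <p>A blocked request is answered with HTTP 200 and a fixed HTML snippet (alert + history back);
 * nothing from the request is echoed into that response.
 *
 * @author lee
 */
public class CharFilter implements Filter {

    private static final Logger log = Logger.getLogger(CharFilter.class);

    /** Charset applied to the request and to the blocking response. */
    private String encoding;
    /** Parameter names (exact match) whose values are not inspected. */
    private String[] legalNames;
    /** Substrings that mark a value or URI as illegal. */
    private String[] illegalChars;

    /**
     * Reads the three mandatory init-params from web.xml.
     *
     * @throws ServletException when {@code encoding}, {@code legalNames} or {@code illegalChars}
     *         is missing, instead of failing later with a bare NullPointerException
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        encoding = requireParam(filterConfig, "encoding");
        legalNames = splitList(requireParam(filterConfig, "legalNames"));
        illegalChars = splitList(requireParam(filterConfig, "illegalChars"));
    }

    /** Returns the named init-param, failing fast with a clear message when web.xml omits it. */
    private static String requireParam(FilterConfig config, String name) throws ServletException {
        String value = config.getInitParameter(name);
        if (value == null) {
            throw new ServletException("CharFilter: missing init-param '" + name + "'");
        }
        return value;
    }

    /** Splits a comma-separated list and drops empty entries (an empty entry matches everything). */
    private static String[] splitList(String csv) {
        List<String> entries = new ArrayList<String>();
        for (String entry : csv.split(",")) {
            if (!entry.isEmpty()) {
                entries.add(entry);
            }
        }
        return entries.toArray(new String[entries.size()]);
    }

    @Override
    public void destroy() {
        encoding = null;
        legalNames = null;
        illegalChars = null;
    }

    /**
     * Inspects the request URI and all non-exempt parameter values; blocks the request with a
     * fixed HTML response when any illegal substring is found, otherwise continues the chain.
     *
     * @throws IOException      from the response writer or the downstream chain
     * @throws ServletException from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Must be set before the first getParameter* call, or the container decodes the body
        // with its default charset.
        req.setCharacterEncoding(encoding);
        String requestUri = req.getRequestURI();
        log.info(requestUri);

        // The URI check is cheap and needs no body parsing, so it goes first.
        boolean illegal = containsIllegalChar(requestUri) || hasIllegalParameter(req);

        if (illegal) {
            // Encoding must be set explicitly here too, or the Chinese alert text is garbled.
            res.setContentType("text/html;charset=" + encoding);
            res.setCharacterEncoding(encoding);
            res.getWriter().print("<script>window.alert('当前链接中存在非法字符');window.history.go(-1);</script>");
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /** True when any value of a non-exempt parameter contains an illegal substring. */
    private boolean hasIllegalParameter(HttpServletRequest req) {
        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (isExempt(name)) {
                continue;
            }
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue; // not expected for a name just enumerated; stay defensive
            }
            for (String value : values) {
                if (containsIllegalChar(value)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Parameters named in legalNames, or whose name contains "password", are not inspected. */
    private boolean isExempt(String paramName) {
        if (paramName.toLowerCase(Locale.ROOT).contains("password")) {
            return true;
        }
        for (String legal : legalNames) {
            if (legal.equals(paramName)) {
                return true;
            }
        }
        return false;
    }

    /** Literal substring test of {@code text} against every configured illegal entry. */
    private boolean containsIllegalChar(String text) {
        for (String bad : illegalChars) {
            if (text.indexOf(bad) != -1) {
                return true;
            }
        }
        return false;
    }
}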
在web.xml中配置拦截
<!-- XSS interception: web.xml configuration for com.jst.sys.filter.CharFilter -->
<filter>
    <filter-name>charFilter</filter-name>
    <filter-class>com.jst.sys.filter.CharFilter</filter-class>
    <!-- Applied to the request (setCharacterEncoding) and to the blocking response.
         Keep it consistent with the page encoding or non-ASCII text is garbled. -->
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <!-- Comma-separated parameter names whose values are NOT inspected (exact match).
         Any parameter whose name contains "password" is skipped regardless. -->
    <init-param>
        <param-name>legalNames</param-name>
        <param-value>content1,ver</param-value>
    </init-param>
    <!-- Comma-separated substrings; the filter tests each one literally with String.indexOf
         against every parameter value and the request URI. Consequences:
         - "CR" and "LF" match the letters C R / L F, not carriage return / line feed;
         - a comma cannot be listed because it is the delimiter;
         - backslash is not an escape, so \' and \" are the two-character sequences
           backslash+quote (\" and " are listed twice);
         - a bare < in element content is not well-formed XML; a strict parser needs &lt; -->
    <init-param>
        <param-name>illegalChars</param-name>
        <param-value>|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>charFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>