XSS(跨站脚本)攻击通常指利用网页开发时留下的漏洞,通过巧妙的方法把恶意脚本代码注入网页,使其他用户的浏览器加载并执行攻击者构造的代码。这些恶意代码通常是JavaScript,但实际上也可以是Java、VBScript、ActiveX、Flash,甚至是普通的HTML。攻击成功后,攻击者可能获得包括但不限于以受害用户身份执行操作(权限提升)、读取私密页面内容、窃取会话和cookie等结果。
对输入的数据进行HTML转义,使其不会被浏览器识别为可执行脚本。需要注意:在输入侧统一做HTML转义只覆盖"HTML正文/属性"这一种输出上下文,对后续被拼进JavaScript、URL或CSS的值并不够;同时它会改变存入数据库的原始数据(引号、尖括号等会被替换成实体,再以JSON等形式返回时已经失真)。更可靠的做法是在输出时按上下文做编码,并配合Content-Security-Policy;下面的过滤器应视为一层补充防线而非完整方案。
<script>alert(1234)</script>
<script>alert(1234)</script>
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;/*** 过滤器* @author ber* @version 1.0* @date 21/8/18 19:01*/
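public class XSSFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /**
     * Wraps each HTTP request in an {@link XSSRequestWrapper} so that code further down the chain
     * reads HTML-escaped parameter values.
     *
     * Coverage is only what the wrapper overrides (request parameters); headers, cookies and a body
     * read through getInputStream()/getReader() reach the application unchanged. A request that is
     * not an {@link HttpServletRequest} is passed through as-is instead of failing the unconditional
     * cast the previous version performed.
     *
     * @param servletRequest  incoming request
     * @param servletResponse outgoing response, passed through untouched
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
            filterChain.doFilter(new XSSRequestWrapper(httpRequest), servletResponse);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    @Override
    public void destroy() {
        // no resources held
    }
}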
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.web.util.HtmlUtils;
/**
 * 对传入的恶意指令代码进行编码转换
 *
 * @author ber
 * @version 1.0
 * @date 21/8/18 19:02
 */
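public class XSSRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Wraps {@code request} so that every parameter accessor returns HTML-escaped values.
     *
     * The previous version overrode only {@code getParameterValues}; {@code getParameter} and
     * {@code getParameterMap} still delegated to the raw request, so any caller using those saw
     * the unescaped value. All three are now consistent.
     *
     * Scope and caveats: headers, cookies and the request body read via getInputStream()/getReader()
     * (JSON payloads, multipart parts) are not touched. HTML-entity escaping is the right encoding
     * only for values rendered into HTML element content or a quoted attribute; a value later
     * placed in JavaScript, a URL or CSS needs a context-specific encoding. The escaped form is
     * also what the application persists.
     *
     * @param request the request being filtered
     */
    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Single-value accessor, escaped like the multi-value one.
     *
     * @return the escaped value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    /**
     * Returns a fresh, escaped copy of the parameter's values.
     *
     * @return escaped copies, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        // super, not this.getParameterMap(): the map override escapes as well and would double-encode
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Escaped, unmodifiable view of all parameters; the servlet spec requires the returned map to
     * be immutable, so the copy is wrapped rather than handed out bare.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(original.size());
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /**
     * Escapes into a new array. The previous code wrote back into the array obtained from the
     * wrapped request; whether that array is shared with the container's own parameter store is
     * container-dependent, and when it is, a second read double-escapes and the unwrapped request
     * is silently modified for anyone else holding it.
     *
     * @param values raw values, may be {@code null}
     * @return a new array of escaped values, or {@code null} when {@code values} is {@code null}
     */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = values[i] == null ? null : HtmlUtils.htmlEscape(values[i]);
        }
        return copy;
    }
}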
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;import java.util.HashSet;
import java.util.Map;
import java.util.Set;/*** 获取项目中的所有的url,并注册到过滤器中** @author ber* @version 1.0* @date 21/8/18 19:03*/
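@Component
public class FilterUrlMapping {

    /** Servlet url-pattern that matches every request; the fallback when mapping patterns cannot be expressed as servlet patterns. */
    private static final String MATCH_ALL = "/*";

    @Autowired
    ApplicationContext applicationContext;

    /**
     * Collects every URL pattern declared by a {@code @RequestMapping} handler method in the context.
     *
     * NOTE(review): getBean here forces RequestMappingHandlerMapping to initialise while the
     * registration bean below is being created; presumably all controllers are registered by then
     * under Boot's ordering, but confirm before relying on the result being complete.
     *
     * @return the distinct patterns exactly as Spring MVC declares them (e.g. "/users/{id}")
     * @throws IllegalStateException when a mapping has no AntPathMatcher-style patterns condition
     *         (getPatternsCondition() returns null when MVC is configured for path-pattern parsing);
     *         failing startup keeps this fail-closed instead of silently leaving endpoints unfiltered
     */
    public Set<String> allUrlMappings() {
        Set<String> patterns = new HashSet<>();
        RequestMappingHandlerMapping handlerMapping =
                applicationContext.getBean(RequestMappingHandlerMapping.class);
        Map<RequestMappingInfo, HandlerMethod> handlerMethods = handlerMapping.getHandlerMethods();
        for (RequestMappingInfo info : handlerMethods.keySet()) {
            if (info.getPatternsCondition() == null) {
                throw new IllegalStateException("No patterns condition on " + info
                        + "; register XSSFilter on " + MATCH_ALL + " instead of per-mapping patterns");
            }
            // Use the real pattern set: the previous toString()-based split turned a mapping with
            // several paths into one bogus "/a, /b" pattern that matched nothing.
            patterns.addAll(info.getPatternsCondition().getPatterns());
        }
        return patterns;
    }

    /**
     * Registers {@link XSSFilter} on the collected mapping patterns.
     *
     * Servlet url-patterns support only exact paths, "/prefix/*" and "*.ext". Spring MVC patterns
     * containing {variables}, "**" or "?" are not servlet patterns: registered literally they never
     * match, so those endpoints would stay unfiltered. When any such pattern is present the filter
     * is registered on "/*" instead, the option the original "若过滤所有,可使用 /*" note already
     * mentions. An empty set also maps to "/*", which is what the registration defaults to anyway.
     *
     * @return the filter registration
     */
    @Bean
    public FilterRegistrationBean<XSSFilter> filterRegistration() {
        FilterRegistrationBean<XSSFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new XSSFilter());
        registration.setName("XSSFilter");
        Set<String> mappingPatterns = allUrlMappings();
        boolean allServletCompatible = !mappingPatterns.isEmpty();
        for (String pattern : mappingPatterns) {
            if (!isServletUrlPattern(pattern)) {
                allServletCompatible = false;
                break;
            }
        }
        if (allServletCompatible) {
            registration.setUrlPatterns(mappingPatterns);
        } else {
            registration.addUrlPatterns(MATCH_ALL);
        }
        return registration;
    }

    /**
     * True when {@code pattern} is one of the forms the Servlet spec allows for a url-pattern:
     * an exact path, a "/prefix/*" path mapping, or a "*.ext" extension mapping.
     *
     * @param pattern a Spring MVC mapping pattern
     * @return whether it can be registered with the servlet container as-is
     */
    static boolean isServletUrlPattern(String pattern) {
        if (pattern == null || pattern.isEmpty()) {
            return false;
        }
        if (pattern.indexOf('{') >= 0 || pattern.indexOf('?') >= 0) {
            return false;
        }
        int star = pattern.indexOf('*');
        if (star < 0) {
            return true;
        }
        boolean singleStar = pattern.indexOf('*', star + 1) < 0;
        return singleStar && (pattern.endsWith("/*") || pattern.startsWith("*."));
    }
}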