XSS又叫CSS (Cross Site Script),跨站脚本攻击。它指的是恶意攻击者往Web页面里插入恶意html代码,当用户浏览该页之时,嵌入其中的html代码会被执行,从而达到恶意攻击用户的特殊目的。XSS属于被动式的攻击,因为其被动且不好利用,所以许多人常忽略其危害性。
这里只是一个简单的例子,并不完整:我们在springmvc中做一个小的demo。
1.web.xml配置过滤器
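<!-- XSS filter.
     filter-class must name the class declared in the filter source below
     (com.kongzhong.passport.filter.XSSCheckFilter). The original page listed
     com.hanchao.filter.XssCheckFilter here, which does not match the listed
     code and would not be found at deployment time. -->
<filter>
    <filter-name>XSSFilter</filter-name>
    <filter-class>com.kongzhong.passport.filter.XSSCheckFilter</filter-class>
    <!-- Forward target for rejected requests. The filter stores its message in
         the request attribute "err"; the error page must render it escaped. -->
    <init-param>
        <param-name>errorPath</param-name>
        <param-value>/views/error.jsp</param-value>
    </init-param>
    <!-- Comma-separated request URIs that bypass inspection. The filter compares
         against request.getRequestURI(), which includes the context path, so
         "/login" only matches when the application is deployed at the root context. -->
    <init-param>
        <param-name>excludePaths</param-name>
        <param-value>/login</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>XSSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>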
2.过滤器代码:
package
com.kongzhong.passport.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.kongzhong.base.util.KzStringUtil;
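/**
 * Servlet filter that rejects requests whose URI or parameter values contain a
 * fragment from a fixed deny-list (script/iframe/frame/body tags, their
 * URL-encoded forms, a {@code src="javascript:"} attribute and {@code set-cookie}).
 *
 * <p>Rejected requests receive HTTP 400 and are forwarded to the page named by the
 * {@code errorPath} init-param, with the user message stored in the request
 * attribute {@code err}. Request URIs listed in the comma-separated
 * {@code excludePaths} init-param skip parameter inspection.
 *
 * <p>Scope: only the request URI and request parameters (every value of every
 * parameter, as exposed by {@link ServletRequest#getParameterValues}) are
 * inspected; headers, cookies, multipart and JSON bodies are not. A substring
 * deny-list cannot be exhaustive, so output encoding at render time remains the
 * primary XSS defense — treat this filter as defense in depth only.
 *
 * <p>Configuration is kept in static fields, so every instance of this filter in
 * one class loader shares the result of the last {@link #init(FilterConfig)}.
 */
public class XSSCheckFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(XSSCheckFilter.class.getName());

    /** Message placed in the {@code err} request attribute when a request is rejected. */
    private static final String ERR_MESSAGE = "您输入的参数有非法字符,请输入正确的参数!";

    private FilterConfig config;
    /** Forward target for rejected requests (init-param {@code errorPath}). */
    private static String errorPath;
    /** Request URIs that skip parameter inspection (init-param {@code excludePaths}); may be null. */
    private static String[] excludePaths;

    /** Lower-case fragments whose presence marks a value as unsafe. */
    private static final String[] UNSAFE_FRAGMENTS = {
        "<script",
        "</script",
        "<iframe",
        "</iframe",
        "<frame",
        "</frame",
        "set-cookie",
        "%3cscript",
        "%3c/script",
        "%3ciframe",
        "%3c/iframe",
        "%3cframe",
        "%3c/frame",
        "src=\"javascript:",
        "<body",
        "</body",
        "%3cbody",
        "%3c/body",
        //"<",
        //">",
        //"</",
        //"/>",
        //"%3c",
        //"%3e",
        //"%3c/",
        //"/%3e"
    };

    /**
     * Inspects the request URI and, unless the URI is excluded, every parameter value;
     * forwards to {@code errorPath} with HTTP 400 on a match, otherwise continues the chain.
     *
     * @throws IOException      propagated from the chain or the forward
     * @throws ServletException propagated from the chain or the forward
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        String requestUrl = request.getRequestURI();
        boolean safe = isSafe(requestUrl);
        if (safe) {
            // getRequestURI() normally starts with '/', so this is a no-op; the guard
            // avoids substring(-1) if a container ever returns a URI without one.
            int slash = requestUrl.indexOf('/');
            if (slash > 0) {
                requestUrl = requestUrl.substring(slash);
            }
            if (!excludeUrl(requestUrl)) {
                safe = parametersAreSafe(req);
            }
        }

        if (!safe) {
            // Log the URI and peer only; the rejected value itself may contain secrets.
            LOG.warning("XSSCheckFilter rejected request: uri=" + requestUrl
                    + " remote=" + request.getRemoteAddr());
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            request.setAttribute("err", ERR_MESSAGE);
            request.getRequestDispatcher(errorPath).forward(request, response);
            return;
        }
        filterChain.doFilter(req, resp);
    }

    /**
     * Returns false if any value of any request parameter contains an unsafe fragment.
     * All values of a repeated parameter are checked, not only the first one.
     */
    private static boolean parametersAreSafe(ServletRequest req) {
        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (KzStringUtil.isNotBlank(value) && !isSafe(value)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns true when {@code str} is blank or contains none of the unsafe fragments.
     * The comparison is locale-independent so it does not depend on the JVM default locale.
     */
    private static boolean isSafe(String str) {
        if (!KzStringUtil.isNotBlank(str)) {
            return true;
        }
        String lower = str.toLowerCase(Locale.ROOT);
        for (String fragment : UNSAFE_FRAGMENTS) {
            if (lower.contains(fragment)) {
                return false;
            }
        }
        return true;
    }

    /** Returns true when {@code url} equals (case-insensitively) one of the configured exclude paths. */
    private static boolean excludeUrl(String url) {
        if (excludePaths == null) {
            return false;
        }
        for (String path : excludePaths) {
            if (url.equalsIgnoreCase(path)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }

    /**
     * Reads {@code errorPath} (required) and {@code excludePaths} (optional, comma-separated,
     * whitespace around entries ignored) from the filter configuration.
     *
     * @throws ServletException if {@code errorPath} is missing or blank, so misconfiguration
     *                          surfaces at startup instead of on the first rejected request
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        this.config = config;
        errorPath = config.getInitParameter("errorPath");
        if (!KzStringUtil.isNotBlank(errorPath)) {
            throw new ServletException("XSSCheckFilter: init-param 'errorPath' is required");
        }
        String excludePath = config.getInitParameter("excludePaths");
        if (KzStringUtil.isNotBlank(excludePath)) {
            String[] parts = excludePath.split(",");
            excludePaths = new String[parts.length];
            for (int i = 0; i < parts.length; i++) {
                excludePaths[i] = parts[i].trim();
            }
        } else {
            excludePaths = null;
        }
    }
}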
https://github.com/finn-no/xss-html-filter
本文转自韩立伟 51CTO博客,原文链接:http://blog.51cto.com/hanchaohan/1232119,如需转载请自行联系原作者