我百度搜索了一下,跨站脚本攻击,相关内容超过 500 多万,但是相比 NPE 来说,显然还不够。很多程序员不重视跨站脚本攻击,导致很多开源项目都存在这样的漏洞。
今天我们基于 SpringBoot 来实现一个跨站脚本过滤器,彻底的搞定跨站脚本攻击!
<script>alert('hello,gaga!');</script>>"'><img src="javascript.:alert('XSS')">>"'><script>alert('XSS')</script><table background='javascript.:alert(([code])'></table><object type=text/html data='javascript.:alert(([code]);'></object>"+alert('XSS')+"'><script>alert(document.cookie)</script>='><script>alert(document.cookie)</script><script>alert(document.cookie)</script><script>alert(vulnerable)</script><script>alert('XSS')</script><img src="javascript:alert('XSS')">%0a%0a<script>alert(\"Vulnerable\")</script>.jsp%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html<script>alert('Vulnerable')</script>a.jsp/<script>alert('Vulnerable')</script>"><script>alert('Vulnerable')</script><IMG SRC="javascript.:alert('XSS');"><IMG src="/javascript.:alert"('XSS')><IMG src="/JaVaScRiPt.:alert"('XSS')><IMG src="/JaVaScRiPt.:alert"("XSS")><IMG SRC="jav	ascript.:alert('XSS');"><IMG SRC="jav
ascript.:alert('XSS');"><IMG SRC="jav
ascript.:alert('XSS');">"<IMG src="/java"\0script.:alert(\"XSS\")>";'>out<IMG SRC=" javascript.:alert('XSS');"><SCRIPT>a=/XSS/alert(a.source)</SCRIPT><BODY BACKGROUND="javascript.:alert('XSS')"><BODY ONLOAD=alert('XSS')><IMG DYNSRC="javascript.:alert('XSS')"><IMG LOWSRC="javascript.:alert('XSS')"><BGSOUND SRC="javascript.:alert('XSS');"><br size="&{alert('XSS')}"><LAYER SRC="http://xss.ha.ckers.org/a.js"></layer><LINK REL="stylesheet"HREF="javascript.:alert('XSS');"><IMG SRC='vbscript.:msgbox("XSS")'><META. HTTP-EQUIV="refresh"CONTENT="0;url=javascript.:alert('XSS');"><IFRAME. src="/javascript.:alert"('XSS')></IFRAME><FRAMESET><FRAME. src="/javascript.:alert"('XSS')></FRAME></FRAMESET><TABLE BACKGROUND="javascript.:alert('XSS')"><DIV STYLE="background-image: url(javascript.:alert('XSS'))"><DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');"><DIV STYLE="width: expression(alert('XSS'));"><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE><IMG STYLE='xss:expre\ssion(alert("XSS"))'><STYLE. TYPE="text/javascript">alert('XSS');</STYLE><STYLE. TYPE="text/css">.XSS{background-image:url("javascript.:alert('XSS')");}</STYLE><A CLASS=XSS></A><STYLE. type="text/css">BODY{background:url("javascript.:alert('XSS')")}</STYLE><BASE HREF="javascript.:alert('XSS');//">getURL("javascript.:alert('XSS')")a="get";b="URL";c=上面的内容就是我们常见跨站攻击脚本,有些安全企业基于此制作了在线的跨站攻击漏洞检测工具。
废话不多说了,我们直接开始动手吧!
先实现一个过滤器。
public class XssFilter implements Filter { @Override public void init(FilterConfig config) throws ServletException {} @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper((HttpServletRequest)request); chain.doFilter(xssHttpServletRequestWrapper, response); } @Override public void destroy() {}}再实现一个敏感字符转换类。
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {HttpServletRequest orgRequest = null;private String body;public XssHttpServletRequestWrapper(HttpServletRequest request) {super(request);orgRequest = request;body = HttpGetBody.getBodyString(request);}/*** 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖*/@Overridepublic String getParameter(String name) {String value = super.getParameter(xssEncode(name, 0));if (null != value) {value = xssEncode(value, 0);}return value;}@Overridepublic String[] getParameterValues(String name) {String[] values = super.getParameterValues(xssEncode(name, 0));if (values == null) {return null;}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {encodedValues[i] = xssEncode(values[i], 0);}return encodedValues;}@Overridepublic Map getParameterMap() {HashMap paramMap = (HashMap) super.getParameterMap();paramMap = (HashMap) paramMap.clone();for (Iterator iterator = paramMap.entrySet().iterator(); iterator.hasNext(); ) {Map.Entry entry = (Map.Entry) iterator.next();String[] values = (String[]) entry.getValue();for (int i = 0; i < values.length; i++) {if (values[i] instanceof String) {values[i] = xssEncode(values[i], 0);}}entry.setValue(values);}return paramMap;}@Overridepublic ServletInputStream getInputStream() throws IOException {ServletInputStream inputStream = null;if (StringUtil.isNotEmpty(body)) {body = xssEncode(body, 1);inputStream = new TranslateServletInputStream(body);}return inputStream;}/*** 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>* 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>* getHeaderNames 也可能需要覆盖*/@Overridepublic String getHeader(String name) {String value = super.getHeader(xssEncode(name, 0));if (value != null) {value = xssEncode(value, 0);}return value;}/*** 将容易引起xss漏洞的半角字符直接替换成全角字符* @param s* @return*/private static String xssEncode(String s, int type) {if (s == null || s.isEmpty()) {return s;}StringBuilder sb = new StringBuilder(s.length() + 16);for (int i = 0; i < s.length(); i++) {char c = s.charAt(i);if (type == 0) {switch (c) {case '\'':// 全角单引号sb.append('‘');break;case '\"':// 全角双引号sb.append('“');break;case '>':// 全角大于号sb.append('>');break;case '<':// 全角小于号sb.append('<');break;case '&':// 全角&符号sb.append('&');break;case '\\':// 全角斜线sb.append('\');break;case '#':// 全角井号sb.append('#');break;// < 字符的 URL 编码形式表示的 ASCII 字符(十六进制格式) 是: %3ccase '%':processUrlEncoder(sb, s, i);break;default:sb.append(c);break;}} else {switch (c) {case '>':// 全角大于号sb.append('>');break;case '<':// 全角小于号sb.append('<');break;case '&':// 全角&符号sb.append('&');break;case '\\':// 全角斜线sb.append('\');break;case '#':// 全角井号sb.append('#');break;// < 字符的 URL 编码形式表示的 ASCII 字符(十六进制格式) 是: %3ccase '%':processUrlEncoder(sb, s, i);break;default:sb.append(c);break;}}}return sb.toString();}public static void processUrlEncoder(StringBuilder sb, String s, int index) {if (s.length() >= index + 2) {// %3c, %3Cif (s.charAt(index + 1) == '3' && (s.charAt(index + 2) == 'c' || s.charAt(index + 2) == 'C')) {sb.append('<');return;}// %3c (0x3c=60)if (s.charAt(index + 1) == '6' && s.charAt(index + 2) == '0') {sb.append('<');return;}// %3e, %3Eif (s.charAt(index + 1) == '3' && (s.charAt(index + 2) == 'e' || s.charAt(index + 2) == 'E')) {sb.append('>');return;}// %3e (0x3e=62)if (s.charAt(index + 1) == '6' && s.charAt(index + 2) == '2') {sb.append('>');return;}}sb.append(s.charAt(index));}/*** 获取最原始的request* @return*/public HttpServletRequest getOrgRequest() {return orgRequest;}/*** 获取最原始的request的静态方法* @return*/public static HttpServletRequest getOrgRequest(HttpServletRequest req) {if (req instanceof XssHttpServletRequestWrapper) {return ((XssHttpServletRequestWrapper) req).getOrgRequest();}return req;}}
接下来我们要使用这两个类。
@Configurationpublic class XSSFilterConfig {@Beanpublic FilterRegistrationBean filterRegistrationBean() {FilterRegistrationBean registration = new FilterRegistrationBean();registration.setFilter(xssFilter());registration.addUrlPatterns("/*");registration.addInitParameter("paramName", "paramValue");registration.setName("xssFilter");return registration;}/*** 创建一个bean* @return*/@Bean(name = "xssFilter")public Filter xssFilter() {return new XssFilter();}}
在博客上发表之后,有人说我的类不完整,所以,下面的两个类是上面用到的两个类,贴在这里。
import java.io.ByteArrayInputStream;import java.io.IOException;import java.io.InputStream;import java.nio.charset.Charset;import javax.servlet.ReadListener;import javax.servlet.ServletInputStream;public class TranslateServletInputStream extends ServletInputStream {private InputStream inputStream;/*** 解析json之后的文本*/private String body;public TranslateServletInputStream(String body) throws IOException {this.body = body;inputStream = null;}@Overridepublic boolean isReady() {return false;}@Overridepublic void setReadListener(ReadListener readListener) {}@Overridepublic boolean isFinished() {return false;}private InputStream acquireInputStream() throws IOException {if (inputStream == null) {inputStream = new ByteArrayInputStream(body.getBytes(Charset.forName("UTF-8")));//通过解析之后传入的文本生成inputStream以便后面controller调用}return inputStream;}@Overridepublic void close() throws IOException {try {if (inputStream != null) {inputStream.close();}} catch (IOException e) {throw e;} finally {inputStream = null;}}@Overridepublic boolean markSupported() {return false;}@Overridepublic synchronized void mark(int i) {throw new UnsupportedOperationException("mark not supported");}@Overridepublic synchronized void reset() throws IOException {throw new IOException(new UnsupportedOperationException("reset not supported"));}@Overridepublic int read() throws IOException {return acquireInputStream().read();}}
HttpGetBody 代码如下所示:
import javax.servlet.ServletRequest;import java.io.BufferedReader;import java.io.IOException;import java.io.InputStream;import java.io.InputStreamReader;import java.nio.charset.Charset;public class HttpGetBody {/*** 获取请求Body* @param request* @return*/public static String getBodyString(ServletRequest request) {StringBuffer sb = new StringBuffer();InputStream inputStream = null;BufferedReader reader = null;try {inputStream = request.getInputStream();reader = new BufferedReader(new InputStreamReader(inputStream, Charset.forName("UTF-8")));String line = "";while ((line = reader.readLine()) != null) {sb.append(line);}} catch (IOException e) {e.printStackTrace();} finally {if (inputStream != null) {try {inputStream.close();} catch (IOException e) {e.printStackTrace();}}if (reader != null) {try {reader.close();} catch (IOException e) {e.printStackTrace();}}}return sb.toString();}}
上面的代码都很简单,原理搞懂了之后,实现起来就非常的顺手。
针对上面的代码,大家可以再进行优化。
除此之外,我还将上面的代码制作成了 starter,其他项目只要引入了我的这个 xttblog-xss-starter,即可实现防御跨站脚本攻击!
五一放假之后,我发现群里有几个网友,学习动力十足!很看好他们!可惜我在带娃,没时间和他们一起唠叨!空闲时间,码出了这篇文章,希望能对大家有所帮助!
最后还是希望大家多多学习!毕竟 00 后都奔 20 了。祝大家五四青年节快乐!
