背景
前阵子做了几个我的项目,终于开发结束,进入了测试阶段,信念满满将我的项目部署到测试环境,而后做了平安测评之后 …..
(什么!你居然说我代码不平安???)
而后测出了 Xss 破绽 平安的问题
解决方案
场景:能够在页面输入框输出 JS 脚本,攻击者能够利用此破绽执行歹意的代码!
问题演示
所以咱们要对于前端传输的参数做解决,做对立全局过滤解决
既然要过滤解决,咱们首先须要实现一个自定义过滤器
总共蕴含以下四局部
XssUtil
XssFilterAutoConfig
XssHttpServletRequestWrapper
XssStringfJsonDeserializer
最初咱们须要在全局过滤器中应用咱们实现的 Xss 自定义过滤器
代码实现
- XssFilterAtuoConfig 实现代码
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import net.greatsoft.overallbudget.filter.SimpleCORSFilter;
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
/**
* Created by wjy on 2020/11/5.
* xss 主动配置类
*/
@Configuration
public class XssFilterAtuoConfig {
/**
* 注册自定义过滤器
* @return
*/
@Bean
public FilterRegistrationBean xssFiltrRegister() {FilterRegistrationBean registration = new FilterRegistrationBean();
// 设置零碎过滤器 (setFilter 就是你所定义的过滤器 filter 类)
registration.setFilter(new SimpleCORSFilter());
// 过滤所有门路
registration.addUrlPatterns("/*");
// 过滤器名称
registration.setName("XssFilter");
// 优先级
registration.setOrder(1);
return registration;
}
/**
* 过滤 JSON 数据
* @return
*/
@Bean
@Primary
public MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter() {SimpleModule module = new SimpleModule();
// 自定义序列化过滤配置(XssStringJsonDeserializer), 对入参进行转译
module.addDeserializer(String.class, new XssStringJsonDeserializer());
// 注册解析器
ObjectMapper objectMapper = Jackson2ObjectMapperBuilder.json().build();
objectMapper.registerModule(module);
return new MappingJackson2HttpMessageConverter(objectMapper);
}
}
- XssHttpServletRequestWrapper 实现代码
/**
* Created by wjy on 2020/11/5.
* xss 包装
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {public XssHttpServletRequestWrapper(HttpServletRequest request) {super(request);
}
/**
* 对 header 解决
* @param name
* @return
*/
@Override
public String getHeader(String name) {String value = super.getHeader(name);
return XssUtil.cleanXSS(value);
}
/**
* 对参数解决
* @param name
* @return
*/
@Override
public String getParameter(String name) {String value = super.getParameter(name);
return XssUtil.cleanXSS(value);
}
/**
* 对数值进行解决
* @param name
* @return
*/
@Override
public String[] getParameterValues(String name) {String[] values = super.getParameterValues(name);
if (values != null) {
int length = values.length;
String[] escapseValues = new String[length];
for (int i = 0; i < length; i++) {escapseValues[i] = XssUtil.cleanXSS(values[i]);
}
return escapseValues;
}
return super.getParameterValues(name);
}
/**
* 次要是针对 HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE 获取 pathvalue 的时候把原来的 pathvalue 通过 xss 过滤掉
*/
@Override
public Object getAttribute(String name) {
// 获取 pathvalue 的值
if (HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE.equals(name)) {Map uriTemplateVars = (Map) super.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
if (Objects.isNull(uriTemplateVars)) {return uriTemplateVars;}
Map newMap = new LinkedHashMap<>();
uriTemplateVars.forEach((key, value) -> {if (value instanceof String) {newMap.put(key, XssUtil.cleanXSS((String) value));
} else {newMap.put(key, value);
}
});
return newMap;
} else {return super.getAttribute(name);
}
}
}
- XssStringJsonDeserializer 代码实现
/**
* Created by wjy on 2020/11/5.
* 基于 xss 的 JsonDeserializer
*/
public class XssStringJsonDeserializer extends JsonDeserializer<String> {
@Override
public Class<String> handledType() {return String.class;}
@Override
public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {return XssUtil.cleanXSS(jsonParser.getValueAsString());
}
}
- XssUtil 代码实现
/**
* Created by wjy on 2020/11/5.
* xss 工具类
*/
public class XssUtil {public static String cleanXSS(String value) {if (Objects.isNull(value)) {return value;}
// 在这里自定义须要过滤的字符
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("(", "& #40;").replaceAll(")", "& #41;");
value = value.replaceAll("'","& #39;");
value = value.replaceAll("eval((.*))", "");
value = value.replaceAll("["'][s]*javascript:(.*)["']", """");
value = value.replaceAll("<script>", "");
return value;
}
}
全局过滤器实现
@Component
public class SimpleCORSFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
// 在这里,应用咱们实现的 XSS 过滤器
XssHttpServletRequestWrapper request =
new XssHttpServletRequestWrapper((HttpServletRequest) req);
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods",
"POST, GET, PUT, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers",
"Origin, X-Requested-With, Content-Type, Accept, token");
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) { }
public void destroy() {}
}
好了,以上就是对 Xss 破绽的解决
看完如果对你有帮忙,看到右下角的“一键三连”了吗,没错点它[哈哈]