struts2如何防止XSS脚本攻击(XSS防跨站脚本攻击过滤器)

  • 开发
  • 15

只需要配置一个拦截器即可解决参数内容替换

一、配置web.xml

<filter>
		<filter-name>struts-xssFilter</filter-name>
		<filter-class>*.*.filters.XssFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>struts-xssFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

二、编写XssFilter


import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
public class XssFilter implements Filter{

    FilterConfig filterConfig = null;
    /**
     * Default constructor.
     */
    public XssFilter() {
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String url = req.getRequestURI();
        //过滤不需要拦截的action
        if(url.indexOf("*.action") != -1){
            chain.doFilter(request, response);
        }else{
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        }
    }
}

三、XssHttpServletRequestWrapper 实现 StrutsRequestWrapper完成参数替换

import cn.hutool.http.HtmlUtil;
import org.apache.commons.lang.StringUtils;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import org.springframework.util.CollectionUtils;

import javax.servlet.http.HttpServletRequest;
import java.util.Enumeration;
import java.util.Map;
import java.util.regex.Pattern;
public class XssHttpServletRequestWrapper extends StrutsRequestWrapper {

    HttpServletRequest orgRequest = null;

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
        orgRequest = servletRequest;
    }
    /**
     * 重写getParameterValues方法
     * 通过循环取出每一个请求结果
     * 再对请求结果进行过滤
     * */
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * 重写getParameter方法
     * 对请求结果进行过滤
     * */
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return cleanXSS(value);
    }
    /**
     * 获取最原始的request
     *
     * @return
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * 获取最原始的request的静态方法
     *
     * @return
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }

    @Override
    public Enumeration<String> getParameterNames() {
        Enumeration<String> names = super.getParameterNames();
        while(names.hasMoreElements()){
            String name = names.nextElement();
            name = cleanXSS(name);
        }
        return names;
    }


    @Override
    public Map getParameterMap() {
        Map paramMap = super.getParameterMap();
        if (CollectionUtils.isEmpty(paramMap)) {
            return paramMap;
        }

        for (Object value : paramMap.values()) {
            String[] str = (String[])value;
            if (str != null) {
                for (int i = 0; i < str.length; i++) {
                    str[i] = cleanXSS(str[i]);
                }
            }
        }
        return paramMap;
    }

    private String cleanXSS(String value) {
        if (StringUtils.isNotBlank(value)) {
            // 推荐使用ESAPI库来避免脚本攻击,
            value = HtmlUtil.filter(value);
            // 避免空字符串
            value = value.replaceAll(" ", "");
            // 避免script 标签
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免src形式的表达式
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 删除单个的 </script> 标签
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 删除单个的<script ...> 标签
            scriptPattern = Pattern.compile("<script(.*?)>",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 eval(...) 形式表达式
            scriptPattern = Pattern.compile("eval\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 expression(...) 表达式
            scriptPattern = Pattern.compile("expression\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 javascript: 表达式
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 vbscript:表达式
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 onload= 表达式
            scriptPattern = Pattern.compile("onload(.*?)=",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }

四、pom需要引入hutool

<dependency>
            <groupId>cn.hutool</groupId>
            <artifactId>hutool-all</artifactId>
            <version>5.6.0</version>
        </dependency>

五、测试结果通过

阅读全部

相关推荐

  4. 脚本攻击xss

    2024-07-11 06:54:05       55 阅读

  5. xss脚本攻击

    2024-07-11 06:54:05       51 阅读

  6. 脚本攻击XSS

    2024-07-11 06:54:05       26 阅读

  7. XSS脚本攻击

    2024-07-11 06:54:05       23 阅读

  9. 如何防止脚本攻击XSS)和请求伪造(CSRF)等安全漏洞?

    2024-07-11 06:54:05       60 阅读

最近更新

  3. docker php8.1+nginx base 镜像 dockerfile 配置

    2024-07-11 06:54:05       53 阅读

  4. Could not load dynamic library ‘cudart64_100.dll‘

    2024-07-11 06:54:05       55 阅读

  9. 在Django里面运行非项目文件

    2024-07-11 06:54:05       46 阅读

  19. Python语言-面向对象

    2024-07-11 06:54:05       56 阅读

  20. 如何分清楚常见的 Git 分支管理策略Git Flow、GitHub Flow 和 GitLab Flow

    2024-07-11 06:54:05       51 阅读

热门阅读

  3. python 之修改host配置

    2024-07-11 06:54:05       21 阅读

  5. 使用Python + Scrapy + Django构建企业级爬虫平台

    2024-07-11 06:54:05       23 阅读

  6. Elasticsearch 自定义评分和脚本评分

    2024-07-11 06:54:05       15 阅读

  9. CentOS 7 编译安装 sqlite3

    2024-07-11 06:54:05       19 阅读

  13. 学懂C#编程:常用框架学习(三)———学会并深入理解WPF核心之MVVM模式

    2024-07-11 06:54:05       18 阅读

  20. 深入探索C++模板元编程:解锁编译时计算的强大力量

    2024-07-11 06:54:05       21 阅读

  26. 面试题目分享

    2024-07-11 06:54:05       19 阅读

  29. ChatGPT 5.0:一年后的猜想

    2024-07-11 06:54:05       21 阅读