Java防止XSS(跨站脚本攻击)攻击的常用方法总结

一、什么是XSS攻击?

XSS攻击:跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,
故将跨站脚本攻击缩写为XSS

二、如何预防XSS攻击呢?

  1. 自己写 filter 拦截来实现,但要注意的时,在WEB.XM 中配置 filter的时候,请将这个 filter 放在第一位.
  2. 采用开源的实现 ESAPI library ,参考网址:https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  1. 可以采用spring 里面提供的工具类来实现.

第一种方法:配置过滤器

public class XSSFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    @Override
    public void destroy() {
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
    }
}

再实现 ServletRequest 的包装类

import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
        return encodedValues;
    }
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return stripXSS(value);
    }
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }
    private String stripXSS(String value) {
        if (value != null) {
            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
            // avoid encoded attacks.
            // value = ESAPI.encoder().canonicalize(value);
            // Avoid null characters
            value = value.replaceAll("", "");
            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid anything in a src="http://www.yihaomen.com/article/java/..." type of e­xpression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid eval(...) e­xpressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid e­xpression(...) e­xpressions
            scriptPattern = Pattern.compile("e­xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid javascript:... e­xpressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid vbscript:... e­xpressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid onload= e­xpressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }
}

例子中注释的部分,就是采用 ESAPI library 来防止XSS攻击的,推荐使用.

当然,我还看到这样一种办法,将所有的编程全角字符的解决方式,但个人觉得并没有上面这种用正则表达式替换的好.

private static String xssEncode(String s) {
    if (s == null || s.equals("")) {
        return s;
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        switch (c) {
            case '>':
                sb.append('>');// 全角大于号
                break;
            case '<':
                sb.append('<');// 全角小于号
                break;
            case '\'':
                sb.append('\\');
                sb.append('\'');
                sb.append('\\');
                sb.append('\'');
                break;
            case '\"':
                sb.append('\\');
                sb.append('\"');// 全角双引号
                break;
            case '&':
                sb.append('&');// 全角
                break;
            case '\\':
                sb.append('\');// 全角斜线
                break;
            case '#':
                sb.append('#');// 全角井号
                break;
            case ':':
                sb.append(':');// 全角冒号
                break;
            case '%':
                sb.append("\\\\%");
                break;
            default:
                sb.append(c);
                break;
        }
    }
    return sb.toString();
}

当然,还有如下更简单的方式(这种实际上不好,会导致一些转换丢失的问题):

private String cleanXSS(String value) {

    value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
    value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
    value = value.replaceAll("'", "& #39;");
    value = value.replaceAll("eval\\((.*)\\)", "");
    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
    value = value.replaceAll("script", "");
    return value;
}

在后台或者用spring 如何实现呢:

首先添加一个jar包:commons-lang-2.5.jar ,然后在后台调用这些函数:

StringEscapeUtils.escapeHtml(string);
StringEscapeUtils.escapeJavaScript(string);
StringEscapeUtils.escapeSql(string);

当然,在spring 里面好像有一个 HtmlUtils.htmlEscape , 同样可以做到 过滤 XSS 攻击。

下面是一个spring的org.springframework.web.util.HtmlUtils应用实例

1.首先编写过滤器:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {

    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        request = new XssHttpServletRequestWraper((HttpServletRequest) request);
        chain.doFilter(request, response);

    }

    public void destroy() {

    }

}

2.继承HttpServletRequestWrapper:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.util.HtmlUtils;

/** 继承HttpServletRequestWrapper类解决XSS跨站脚本攻击和sql注入攻击 */
public class XssHttpServletRequestWraper extends HttpServletRequestWrapper {
    private Logger logger = LoggerFactory
            .getLogger(XssHttpServletRequestWraper.class); // 日志

    public XssHttpServletRequestWraper(HttpServletRequest request) {
        super(request);
    }

    /** 截获参数值并进行字符转义:重写以下三个方法,清除特殊字符 */
    @Override
    public String getParameter(String name) {
        // Spring的HtmlUtils进行转义
        return HtmlUtils.htmlEscape(super.getParameter(name));
    }

    @Override
    public String getHeader(String name) {
        // Spring的HtmlUtils进行转义
        return HtmlUtils.htmlEscape(super.getHeader(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        String[] newvalues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            // Spring的HtmlUtils进行转义
            newvalues[i] = HtmlUtils.htmlEscape(values[i]);

        }
        return newvalues;
    }

}

3.在WEB-INF/web.xml配置过滤器:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name></display-name>
    <!-- 加载配置信息 -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring.xml;classpath:mybatis.xml
        </param-value>
    </context-param>
    
    <!-- 跨站脚本攻击过滤器 -->
    <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>com.xxx.xxx.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    
    <!-- 加载spring -->
    <listener>
        <description>spring监听器</description>
        <listener-class>org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.util.IntrospectorCleanupListener
        </listener-class>
    </listener>

    <!-- 加载spring mvc -->
    <servlet>
        <description>spring mvc servlet</description>
        <servlet-name>springMvc</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <init-param>
            <description>spring mvc 配置文件</description>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring-mvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>springMvc</servlet-name>
        <url-pattern>/</url-pattern>
        <!--      <url-pattern>*.do</url-pattern> -->
    </servlet-mapping>
    
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>

至此spring自带的拦截xss攻击的工具实例完成。当你提交数据时,会自动过滤xss攻击字符,若是要转回原来的格式,可是使用以下代码:

//Spring的HtmlUtils进行还原
String huanyuan=HtmlUtils.htmlUnescape(result);

简而言之,就是下面一个实例:

import org.springframework.web.util.HtmlUtils;
public class Test {

    /**
     * @param args
     */
    public static void main(String[] args) {
        String html="<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
                "<LinearLayout xmlns:android=\"http://schemas.android.com/apk/res/android\"\n" +
                "    xmlns:app=\"http://schemas.android.com/apk/res-auto\"\n" +
                "    xmlns:tools=\"http://schemas.android.com/tools\"\n" +
                "    android:layout_width=\"match_parent\"\n" +
                "    android:layout_height=\"wrap_content\"\n" +
                "    android:paddingLeft=\"10dp\"\n" +
                "    android:paddingRight=\"10dp\"\n" +
                "    android:orientation=\"vertical\">\n" +
                "\n" +
                "</LinearLayout>";

        // Spring的HtmlUtils进行转义
        String result=HtmlUtils.htmlEscape(html);
        System.out.println(" Spring的HtmlUtils进行转义:\n"+result);


        //Spring的HtmlUtils进行还原
        String huanyuan=HtmlUtils.htmlUnescape(result);
        System.out.println(" Spring的HtmlUtils进行还原:\n"+huanyuan);

    }

}

如果此博文帮助到你,麻烦点个赞哈!

发表回复

后才能评论