Web漏洞处理--http host头攻击漏洞处理方案/检测到目标URL存在宽字节跨站漏洞/ 检测到目标URL存在SQL注入漏洞

1.配置web 拦截器

     
     XssSqlFilter  
     com.modules.sys.security.SessionFilter  //拦截器的位置
    
      
     XssSqlFilter  
     /*  
  

2.拦截器代码

package com.todaytech.yth.gdsd.base.Filter;  
  
import java.io.IOException;  
import java.util.Iterator;  
import java.util.Map;  
import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import org.apache.commons.lang.StringUtils;  
import org.apache.log4j.Logger;  
  
  
public class SessionFilter implements Filter {  
    private static Logger log = Logger.getLogger(SessionFilter.class);  
  
    public void destroy() { }  
  
    public void doFilter(ServletRequest servletRequest,  
            ServletResponse servletResponse, FilterChain filterChain)  
            throws IOException, ServletException {  
        HttpServletRequest request = (HttpServletRequest) servletRequest;  
        HttpServletResponse response = (HttpServletResponse) servletResponse;  
        String requestStr = getRequestString(request);  
        System.out.println("requestStr: ======================== " + requestStr);  
        System.out.println("完整的地址是====" + request.getRequestURL().toString());  
        System.out.println("提交的方式是========" + request.getMethod());  
        log.info("requestStr: ======================== " + requestStr);  
        log.info("完整的地址是====" + request.getRequestURL().toString());  
        log.info("提交的方式是========" + request.getMethod());  
  
        if ("bingo".equals(guolv2(requestStr))  
                || "bingo".equals(guolv2(request.getRequestURL().toString()))) {  
            System.out.println("======访问地址发现非法字符,已拦截======");  
            log.info("======访问地址发现非法字符,已拦截======其非法地址为:"+guolv2(request.getRequestURL().toString()));  
            response.sendRedirect(request.getContextPath() + "/login.jsp");  
            return;  
        }  
        // 主机ip和端口 或 域名和端口  
        String myhosts = request.getHeader("host");  
        if (!StringUtils.equals(myhosts, "xx.xx.xxx.xxx:xxxx")  
                && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx:xxxx")  
                && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx:xxxx")  
                && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx")  
                && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx")  
                && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx")) {  
            System.out.println("======访问host非法,已拦截======其非法host为:"+myhosts);  
            log.info("======访问host非法,已拦截======其非法host为:"+myhosts);  
            response.sendRedirect(request.getContextPath() + "/login.jsp");  //或者response.setStatus(403);
            return;  
        }  
  
        String currentURL = request.getRequestURI();  
        // add by wangsk 过滤请求特殊字符,扫描跨站式漏洞  
        Map parameters = request.getParameterMap();  
        if (parameters != null && parameters.size() > 0) {  
            for (Iterator iter = parameters.keySet().iterator(); iter.hasNext();) {  
                String key = (String) iter.next();  
                String[] values = (String[]) parameters.get(key);  
                for (int i = 0; i < values.length; i++) {  
                    values[i] = guolv(values[i]);  
                    System.out.println(values[i]);  
                }  
            }  
        }  
      filterChain.doFilter(servletRequest, servletResponse);return;
    }  
  
    public void init(FilterConfig filterConfig) throws ServletException {  
  
    }  
  
    public static String guolv(String a) {  
        a = a.replaceAll("%22", "");  
        a = a.replaceAll("%27", "");  
        a = a.replaceAll("%3E", "");  
        a = a.replaceAll("%3e", "");  
        a = a.replaceAll("%3C", "");  
        a = a.replaceAll("%3c", "");  
        a = a.replaceAll("<", "");  
        a = a.replaceAll(">", "");  
        a = a.replaceAll("\"", "");  
        a = a.replaceAll("'", "");  
        a = a.replaceAll("\\+", "");  
        a = a.replaceAll("\\(", "");  
        a = a.replaceAll("\\)", "");  
        a = a.replaceAll(" and ", "");  
        a = a.replaceAll(" or ", "");  
        a = a.replaceAll(" 1=1 ", "");  
        return a;  
    }  
  
    private String getRequestString(HttpServletRequest req) {  
        String requestPath = req.getServletPath().toString();  
        String queryString = req.getQueryString();  
        if (queryString != null)  
            return requestPath + "?" + queryString;  
        else  
            return requestPath;  
    }  
  
    public String guolv2(String a) {  
        if (StringUtils.isNotEmpty(a)) {  
            if (a.contains("%22") || a.contains("%3E") || a.contains("%3e")  
                    || a.contains("%3C") || a.contains("%3c")  
                    || a.contains("<") || a.contains(">") || a.contains("\"")  
                    || a.contains("'") || a.contains("+") || /* 
                                                             * a.contains("%27") 
                                                             * || 
                                                             */  
                    a.contains(" and ") || a.contains(" or ")  
                    || a.contains("1=1") || a.contains("(") || a.contains(")")) {  
                return "bingo";  
            }  
        }  
        return a;  
    }  
  
}  

你可能感兴趣的:(Java)