XSS漏洞通过HttpServletRequestWrapper实现
- 目前对XSS漏洞要求修复,考虑通过拦截器来统一处理request的参数,对XSS相关的js脚本进行过滤替换,从来来实现漏洞修复。
- 但是HttpServletRequest中的参数是无法改变的,若是手动执行修改request中的参数,则会抛出异常。我们可以利用HttpServletRequestWrapper包装HttpServletRequest,在Wrapper中实现参数的修改,然后用HttpServletRequestWrapper替换HttpServletRequest,这样就实现了参数的修改设置。
- 下面是实现步骤:
- 继承HttpServletRequestWrapper,实现一个自己的XSSRequestWrapper来更改request的参数。
我们在servlet中通过request来获取参数的方法大概有几个:getParameter、getAttribute、getParameterMap等等,所以必须在XSSRequestWrapper里面重写这些方法,才能够在servlet中调用上面的方法来获取参数的时候,对参数中的XSS敏感脚本进行处理,在这里我之重写了这三个方法,如果你们有用到其他方法来获取参数,请重写这些方法以达到修改参数的目的
package cn.com.easy.filter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Vector;
import java.util.regex.Pattern;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.io.IOUtils;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
private Map parameterMap; // 所有参数的Map集合
private HttpServletRequest request;
public XSSRequestWrapper(HttpServletRequest request) {
super(request);
parameterMap = request.getParameterMap();
this.request = request;
}
/* 获取所有参数名
*
* @return 返回所有参数名
*/
@Override
public Enumeration getParameterNames() {
Vector vector = new Vector(parameterMap.keySet());
return vector.elements();
}
@Override
public ServletInputStream getInputStream() {
String bizBindMsg = null;
ServletInputStream stream = null;
try {
stream = request.getInputStream();
bizBindMsg = IOUtils.toString(stream, "UTF-8");
} catch (IOException e) {
e.printStackTrace();
}
try {
bizBindMsg = URLDecoder.decode(bizBindMsg.toString(), "UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
//System.out.println("RequestWrapper接收到的请求为: " + bizBindMsg);
bizBindMsg = stripXSS(bizBindMsg);
/**
* 将解密后的明文串放到buffer数组中
*/
byte[] buffer = null;
try {
buffer = bizBindMsg.getBytes("UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
final ByteArrayInputStream bais = new ByteArrayInputStream(buffer);
ServletInputStream newStream = new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
};
return newStream;
}
/* @Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = StringEscapeUtils.escapeHtml(values[i]);
encodedValues[i] = stripXSS(encodedValues[i]);
}
System.out.println("2222参数名:"+parameter+"的原始值为"+values+",替换后为:"+encodedValues);
return encodedValues;
}*/
@Override
public String getParameter(String parameter) {
String[] value = parameterMap.get(parameter);
if (value != null){
//System.out.println("参数名:"+parameter+"的原始值为"+value[0]+",替换后为:"+stripXSS(value[0]));
return stripXSS(value[0]);
}
return null;
}
/**
* 获取attribute,特殊字符过滤
*/
@Override
public Object getAttribute(String parameter) {
Object value = super.getAttribute(parameter);
if (value != null && value instanceof String) {
stripXSS((String) value);
//System.out.println("参数名33:"+parameter+"的原始值为"+value+",替换后为:"+stripXSS((String) value));
return stripXSS((String) value);
}else{
return value;
}
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
return stripXSS(value);
}
/**
* 获取指定参数名的所有值的数组,如:checkbox的所有数据
* 接收数组变量 ,如checkobx类型
*/
@Override
public String[] getParameterValues(String name) {
return parameterMap.get(name);
}
@Override
public Map getParameterMap() {
Map newMap = new HashMap();
for (Entry entry : parameterMap.entrySet()) {
newMap.put(entry.getKey(), new String[]{stripXSS(entry.getValue()[0])});
}
return newMap;
}
public void setParameterMap(Map parameterMap) {
this.parameterMap = parameterMap;
}
private String stripXSS(String value) {
if (value != null) {
value = value.replaceAll("", "");
Pattern scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("" ,
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("expression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("alert\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("window.location(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("unescape\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("execscript\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("msgbox\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("confirm\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("prompt\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
private String cleanXSS(String value) {
// You'll need to remove the spaces from the html entities below
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
}
2.编写过滤器XssFilter
package cn.com.easy.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
XSSRequestWrapper xSSRequestWrapper = new XSSRequestWrapper((HttpServletRequest) request);
chain.doFilter(xSSRequestWrapper, response);
}
@Override
public void destroy() {
}
}
3.配置web.xml,在里面增加过滤器
<filter>
<filter-name>XSSFiler2filter-name>
<filter-class>
cn.com.easy.filter.XssFilter
filter-class>
filter>
<filter-mapping>
<filter-name>XSSFiler2filter-name>
<url-pattern>*.eurl-pattern>
filter-mapping>
<filter-mapping>
<filter-name>XSSFiler2filter-name>
<url-pattern>*.jspurl-pattern>
filter-mapping>这样可以有效的解决XSS漏洞了。
最后说一下在解决此漏洞的过程中出现的一些问题和解决思路
- 刚开始在XSSRequestWrapper中我只是实现了getParameter方法,这样就导致有的方法能替换参数中的脚本,有的不能替换,后来发现在servlet中获取参数的方法是有多个的,所以如果出现有的参数不能被处理的时候,就应该是在servlet中通过request获取参数的方法在XSSRequestWrapper中并没有实现引起的。