XSS安全漏洞修复解决方案
背景:等保测评公司针对我系统进行了一次渗透测试,并发现存在XSS漏洞,现记录修复过程。
框架:SSM。
全站XSS:
漏洞风险等级:中危
涉及页面:全站存在内容输入处
漏洞描述:所有模块可以修改内容处存在XSS,填入恶意代码后触发。
修复建议:过滤所有输入内容。(防止恶意弹窗/跨站脚本/过滤敏感字符/违法信息等)
解决方案
列举方案1:写个DispatcherServlet
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.HandlerExecutionChain;
@SuppressWarnings("serial")
public class DispatcherServletWrapper extends DispatcherServlet {
@Override
protected HandlerExecutionChain getHandler(HttpServletRequest request) throws Exception {
HandlerExecutionChain chain = super.getHandler(request);
Object handler = chain.getHandler();
if (!(handler instanceof HandlerMethod)) {
return chain;
}
HandlerMethod hm = (HandlerMethod)handler;
if (!hm.getBeanType().isAnnotationPresent(Controller.class)) {
return chain;
}
//仅处理@Controller注解的Bean
return new HandlerExecutionChainWrapper(chain,request,getWebApplicationContext());
}
}在getHandler中返回HandlerExecutionChainWrapper
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.cglib.proxy.Enhancer;
import org.springframework.cglib.proxy.MethodInterceptor;
import org.springframework.cglib.proxy.MethodProxy;
import org.springframework.util.ReflectionUtils;
import org.springframework.util.ReflectionUtils.FieldCallback;
import org.springframework.util.ReflectionUtils.FieldFilter;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerExecutionChain;
import org.springframework.web.util.HtmlUtils;
public class HandlerExecutionChainWrapper extends HandlerExecutionChain {
private BeanFactory beanFactory;
private HttpServletRequest request;
private HandlerMethod handlerWrapper;
private byte[] lock = new byte[0];
public HandlerExecutionChainWrapper(HandlerExecutionChain chain,
HttpServletRequest request,
BeanFactory beanFactory) {
super(chain.getHandler(),chain.getInterceptors());
this.request = request;
this.beanFactory = beanFactory;
}
@Override
public Object getHandler() {
if (handlerWrapper != null) {
return handlerWrapper;
}
synchronized (lock) {
if (handlerWrapper != null) {
return handlerWrapper;
}
HandlerMethod superMethodHandler = (HandlerMethod)super.getHandler();
Object proxyBean = createProxyBean(superMethodHandler);
handlerWrapper = new HandlerMethod(proxyBean,superMethodHandler.getMethod());
return handlerWrapper;
}
}
/**
* 为Controller Bean创建一个代理实例,以便用于 实现调用真实Controller Bean前的切面拦截
* 用以过滤方法参数中可能的XSS注入
* @param handler
* @return
*/
private Object createProxyBean(HandlerMethod handler) {
try {
Enhancer enhancer = new Enhancer();
enhancer.setSuperclass(handler.getBeanType());
Object bean = handler.getBean();
if (bean instanceof String) {
bean = beanFactory.getBean((String)bean);
}
ControllerXssInterceptor xss = new ControllerXssInterceptor(bean);
xss.setRequest(this.request);
enhancer.setCallback(xss);
return enhancer.create();
}catch(Exception e) {
throw new IllegalStateException("为Controller创建代理失败:"+e.getMessage(), e);
}
}
public static class ControllerXssInterceptor implements MethodInterceptor {
private Object target;
private HttpServletRequest request;
private List objectMatchPackages;
public ControllerXssInterceptor(Object target) {
this.target = target;
this.objectMatchPackages = new ArrayList();
this.objectMatchPackages.add("com.jwell");
}
public void setRequest(HttpServletRequest request) {
this.request = request;
}
@Override
public Object intercept(Object obj, Method method, Object[] args,
MethodProxy proxy)
throws Throwable {
//对Controller的方法参数进行调用前处理
//过滤String类型参数中可能存在的XSS注入
if (args != null) {
for (int i=0;i web.xml 替换DispatcherServlet
SpringMVC
org.springframework.web.servlet.DispatcherServlet
contextConfigLocation
classpath:spring-mvc-bpbj.xml
1
true
再次测试,已解决,不过此方案本人不推荐,原因(会影响业务,谁用谁知道 哈哈~)
列举方案2:写个filter(推荐)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter{
FilterConfig filterConfig = null;
@Override
public void destroy() {
// TODO Auto-generated method stub
this.filterConfig = null;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// TODO Auto-generated method stub
chain.doFilter(new XssShellInterceptor( (HttpServletRequest) request), response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// TODO Auto-generated method stub
this.filterConfig = filterConfig;
}XssShellInterceptor类(HttpServletRequestWrapper)
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XssShellInterceptor extends HttpServletRequestWrapper{
public XssShellInterceptor(HttpServletRequest request) {
super(request);
}
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values==null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
return cleanXSS(value);
}
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null)
return null;
return cleanXSS(value);
}
//过滤规则 目前我只配了过滤 script
private String cleanXSS(String value) {
//value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
//value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
//value = value.replaceAll("'", "& #39;");
//value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
}web.xml 添加filter
XssFilter
com.xx.xx.bmms.web.filter.XssFilter
XssFilter
/*
再次测试,已解决。注意:如果web.xml中有多个filter 注意执行顺序。