AppScan扫描安全问题解决实录-跨站点脚本编制

问题分析

未对用户可控制的输入正确进行无害化处理,就将其放置到充当 Web 页面的输出中。这可被跨站点脚本编制攻击利用。

白话解析:攻击者将脚本作为参数发送到被攻击的接口,然后接口直接返回语句到页面,那么页面就会执行攻击者的脚本。攻击者可以利用脚本获取token、cookie等信息,进而下一步攻击。

解决方案一

Apache配置解决方案:

1. 加载 module

LoadModule security2_module modules/mod_security2.so

2. 添加如下配置

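# ModSecurity core settings: engine on, request bodies readable, audit log
# limited to "relevant" responses (see SecAuditLogRelevantStatus below).
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyNoFilesLimit 5242880
SecAuditEngine RelevantOnly
SecAuditLog logs/audit/audit.log
SecAuditLogParts ABCFHZ
SecDebugLog logs/sec.log
SecDebugLogLevel 1
SecAuditLogType Serial
SecAuditLogStorageDir logs/audit
# Audits 5xx and every 4xx except 404. The deny rules below answer with
# status:404 and carry nolog, so the requests they block leave no trace in
# either the error log or the audit log -- there is no record of blocked
# attempts for detection or incident review.
SecAuditLogRelevantStatus ^(?:5|4(?!04))

# URI signatures. They run against the raw REQUEST_URI with no transformation
# (no t:urlDecodeUni), so percent-encoded payloads only hit the %3E.+%3C rule.
# Several patterns are far broader than they look:
#  - "<\s+script\s" requires whitespace between "<" and "script".
#  - PCRE reads "<{|}*script" as the alternation "<{" | "}*script", i.e. it
#    matches any URI that merely contains the substring "script"
#    (e.g. "/javascript/", "description").
#  - "<.+>", "'.+'" and "alert" deny any URI with two angle brackets, two
#    apostrophes, or the word "alert" (e.g. "/alerts").
# ModSecurity 2.7+ also refuses to load a SecRule without a unique id: action;
# every rule here needs one before the set can be enabled on such a version.
# (The first rule below was a duplicated fragment in the original listing.)
SecRule REQUEST_URI "<\s+script\s"  nolog,deny,status:404
SecRule REQUEST_URI "<{|}*script"  nolog,deny,status:404
SecRule REQUEST_URI "<.+>"  nolog,deny,status:404
SecRule REQUEST_URI "'.+'"               nolog,deny,status:404
SecRule REQUEST_URI "%3E.+%3C"               nolog,deny,status:404
# Body checks are disabled: POST bodies are not inspected by this set even
# though SecRequestBodyAccess is On.
#SecRule REQUEST_BODY "%3E.+%3C"   nolog,deny,status:404
#SecRule REQUEST_BODY "<.+>"   nolog,deny,status:404
#SecRule REQUEST_BODY "<{|}*script"   nolog,deny,status:404
#SecRule REQUEST_BODY "'.+'"   nolog,deny,status:404
#SecRule REQUEST_BODY "%3E"   nolog,deny,status:404
SecRule REQUEST_URI "alert"  nolog,deny,status:404
SecRule REQUEST_URI "onMouseOver"  nolog,deny,status:404
SecRule REQUEST_URI "onmouseover"  nolog,deny,status:404
SecRule REQUEST_URI "onclick"  nolog,deny,status:404
SecRule REQUEST_URI "onfocus"  nolog,deny,status:404
# Same "contains script" alternation as above, applied to every cookie value.
SecRule REQUEST_COOKIES "<{|}*script"  nolog,deny,status:404

# Stock OWASP CRS 2.2.x SQL-operator rule (id 981212, unrelated to XSS).
# Two things to be aware of: (1) its disruptive action is "block", which
# defers to the disruptive action of the preceding SecDefaultAction -- none is
# set in this snippet, and the engine default is "pass", so on its own this
# rule logs but does not deny; (2) its setvar actions reference
# tx.notice_anomaly_score, which is defined by the CRS setup file and is empty
# without it.
SecRule REQUEST_COOKIES|REQUEST_URI|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|\sxor\s|\srlike\s|\sregexp\s|\sisnull)|(?:not\s+between\s+0\s+and)|(?:\sis\s+null)|(\slike\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:\sxor\s|<>|\srlike(?:\s+binary)?)|(?:\sregexp\s+binary\s))" "phase:2,rev:'2.2.2',capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: SQL Operator Detected',id:'981212',logdata:'%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"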


解决方案二

程序添加跨站脚本过滤器XssFilter,代码如下

XSSFilter.java

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

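/**
 * Servlet filter that wraps every HTTP request in
 * {@link XssHttpServletRequestWrapper}, so parameter and header values reach
 * the application only after AntiSamy has sanitised them. Requests that are
 * not HTTP are passed down the chain untouched; the response is never touched.
 */
public class XSSFilter implements Filter {

    /** Nothing to configure here: the sanitising policy is loaded by the wrapper. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps the request and delegates to the rest of the chain.
     *
     * @param request  incoming request; wrapped only if it is an
     *                 {@link HttpServletRequest}
     * @param response passed through unchanged (response output is not
     *                 sanitised by this filter)
     * @param chain    remaining filters and the target servlet
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        ServletRequest forwarded = request;
        // The former unconditional cast threw ClassCastException for non-HTTP
        // requests; such requests carry nothing this wrapper sanitises.
        if (request instanceof HttpServletRequest) {
            forwarded = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(forwarded, response);
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }

}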
XssHttpServletRequestWrapper.java

import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

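/**
 * Request wrapper that runs parameter and header values through AntiSamy
 * before handing them to the application.
 *
 * Coverage is limited to the methods overridden here: {@code getParameter},
 * {@code getParameterValues}, {@code getParameterMap} and {@code getHeader}.
 * Everything else ({@code getHeaders(name)}, {@code getQueryString},
 * {@code getRequestURI}, cookies, the request body via
 * {@code getInputStream}/{@code getReader}) is delegated unchanged.
 *
 * NOTE(review): AntiSamy returns an HTML-normalised string, so even benign
 * non-HTML values may come back altered (entity encoding, whitespace);
 * confirm this is acceptable for fields such as passwords before relying on
 * the wrapper for them.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

	/**
	 * Class-path name of the AntiSamy policy, resolved relative to this
	 * class's package (the same lookup the original {@code getResource} used).
	 */
	private static final String POLICY_RESOURCE = "antisamy-anythinggoes-1.4.4.xml";

	/**
	 * Policy shared by every request. It is loaded once at class
	 * initialisation; if the resource is missing or unparsable the class fails
	 * to initialise, so the filter cannot be deployed in a state where input
	 * silently passes through unsanitised.
	 */
	private static final Policy policy = loadPolicy();

	/**
	 * Reads the policy through {@code getResourceAsStream}, which works both
	 * from an exploded directory and from inside a jar. The previous
	 * {@code getResource().getFile()} plus {@code substring(6)} approach only
	 * handled {@code file:} URLs and threw NullPointerException when the
	 * resource was absent.
	 *
	 * @return the parsed policy, never {@code null}
	 * @throws IllegalStateException if the resource is absent or cannot be parsed
	 */
	private static Policy loadPolicy() {
		InputStream in = XssHttpServletRequestWrapper.class.getResourceAsStream(POLICY_RESOURCE);
		if (in == null) {
			throw new IllegalStateException("AntiSamy policy resource not found: " + POLICY_RESOURCE);
		}
		try {
			return Policy.getInstance(in);
		} catch (PolicyException e) {
			throw new IllegalStateException("Cannot parse AntiSamy policy " + POLICY_RESOURCE, e);
		} finally {
			try {
				in.close();
			} catch (IOException ignored) {
				// The policy is already parsed (or parsing has already failed);
				// a failure to close the stream changes nothing.
			}
		}
	}

	/**
	 * @param request the HTTP request to sanitise
	 */
	public XssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
	}

	/**
	 * Returns an unmodifiable copy of the parameter map with every value
	 * sanitised.
	 *
	 * The original implementation wrote cleaned values back into the
	 * container's own {@code String[]} instances, mutating shared request
	 * state and re-cleaning it on every call; a fresh map avoids both.
	 *
	 * @return parameter name to sanitised values, never {@code null}
	 */
	@Override
	public Map<String, String[]> getParameterMap() {
		Map<String, String[]> original = super.getParameterMap();
		Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
		for (Map.Entry<String, String[]> entry : original.entrySet()) {
			cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
		}
		return Collections.unmodifiableMap(cleaned);
	}

	/**
	 * @param paramString parameter name
	 * @return a new array of sanitised values, or {@code null} if the
	 *         parameter is absent
	 */
	@Override
	public String[] getParameterValues(String paramString) {
		String[] raw = super.getParameterValues(paramString);
		return raw == null ? null : cleanAll(raw);
	}

	/**
	 * @param paramString parameter name
	 * @return the sanitised value, or {@code null} if the parameter is absent
	 */
	@Override
	public String getParameter(String paramString) {
		String raw = super.getParameter(paramString);
		return raw == null ? null : xssClean(raw);
	}

	/**
	 * Sanitises a single header value with the same HTML policy used for
	 * parameters. Only this accessor is covered; {@code getHeaders(name)} and
	 * {@code getHeaderNames()} are delegated unchanged.
	 *
	 * @param paramString header name
	 * @return the sanitised value, or {@code null} if the header is absent
	 */
	@Override
	public String getHeader(String paramString) {
		String raw = super.getHeader(paramString);
		return raw == null ? null : xssClean(raw);
	}

	/**
	 * Sanitises each element of {@code values} into a new array, leaving the
	 * input untouched. {@code null} elements are preserved as {@code null}.
	 */
	private static String[] cleanAll(String[] values) {
		String[] out = new String[values.length];
		for (int i = 0; i < values.length; i++) {
			out[i] = values[i] == null ? null : xssClean(values[i]);
		}
		return out;
	}

	/**
	 * Runs one value through AntiSamy and returns the cleaned HTML.
	 *
	 * The original returned the raw, unsanitised value whenever the scan
	 * failed, i.e. the control failed open. Here a scan failure is surfaced
	 * as an unchecked exception so the request fails visibly instead of
	 * delivering unfiltered input to the application.
	 *
	 * @param value non-null input
	 * @return the AntiSamy-cleaned value
	 * @throws IllegalStateException if AntiSamy cannot scan the value
	 */
	private static String xssClean(String value) {
		try {
			final CleanResults cr = new AntiSamy().scan(value, policy);
			return cr.getCleanHTML();
		} catch (ScanException e) {
			throw new IllegalStateException("AntiSamy could not scan request input", e);
		} catch (PolicyException e) {
			throw new IllegalStateException("AntiSamy policy rejected request input", e);
		}
	}
}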

antisamy-anythinggoes-1.4.4.xml









	
		
		
		
		
		

		
		
		
		
		
	

	

		

		
		

		
		

		
		
		
		
		 
		

		
		
		
		
		
		 

		
		

		
		

		
		

		
		

		
		

		
		

		
		

		
		

		
		

		
		

		
		
		

		
		

		
		

		
		
		
		
		
		
		
		
		
		
		
		
		

		
		

		
		

	

	

	

	


		

		
			
				
			
		

		
			
				
			
		

		
		 	
		 		
		 	
		 
		 
		 	
		 		
		 	
		 

		 
		 	
		 		
		 	
		 


 		
		 

		 
		 	
		 		
		 	
		 	
		 	
		 		
		 		
		 		
		 		
		 		
		 		
		 		
		 		
		 		
		 	
		 


		 

		 
		
			
				
				
				
			
			
				
				
				
				
			
		

		
		 	

		 		

		 		

		 	
		 


		
			
				
				
				
				
			
		



		

		
			
				
			
		

		
			
				
			
		

		
			
				
			
		

		
			
				
			
		

		
			
				
			
		

		
			
				
			
		

		
			
				
				
			
		

		 
			
			 	
		 	
		 

		 
		 	
			 	
		 	
		 

		 
		 	
		 		
		 	
		 

		 
			
				
			
		 


		
		 	
			 	
		 	
		

		
			
				
				
			
		


		

		
			
				
			
		

		
			
				
			
		

		
			
				
				
				
				
				
				
			
		

		
			
				
				
				
				
			
		



		

		
			
				
				
			
		

		
			
				
				
			
		

		 
			
				
				
			
		 

		 
			
				
				
			
		 

		  
			
				
				
			
		 

		 
			
				
				
			
		 

 		 
			
				
				
			
		 

		 
		 	
		 		
		 		
		 		
		 		
		 	
		 



		 
		 


		 

		 
		 	
		 		
		 	
		 

		 
		 	
		 		
		 	
		 

		 
		 	
		 		
		 	
		 

		 
		 	
		 		
		 	
		 


		
			
				
				
			
		

		 
		 	
		 		
		 	
		 

		 
		 	
		 		
		 	
		 
		 
		 	
		 		
		 	
		 
		 
			
				
				
				
				
			
		
	


	

	
		
		
		
		
		
		
		
	

	
		g
		grin
		i
	

	

		

		

		
			
		

		

		

		
		


		

		
		 



		

		
		
		



		

		
			
				
					
				
			
		


		

		

			
				
					
					
				
			

			

			

			
				
					
					
				
			

		

		
			
			
				
					
				
			

			
			
			
				
					
					
					
				
			
		

		

			

			

			
				
					
				
			

			

			
				
					
				
			

			
				
					
				
			

			

			
				
					
					
				
			

			
				
					
				
			

			
				
					
					
					
					
					
					
					
					
					
					
				
			

			
				
					
				
			

			
			
			

			

		

		

			
			

			
				
					
				
			

			

		

		

			

			
				
					
				
			

			
				
					
				
			

			
				
					
				
			
		

		
			
			
			
			
			
			
		




		

		
		
		
		
		
		

		
			
		

		
		
		
		

		
		
		
		
		
		
		
		
		
		
		
		

		
		

		

		
			
				
					
					
				
			

			
				
					
				
			

			
				
					
				
			
		


		

		

			
			
			
			
			
				
					
				
			
			
				
					
				
			
			
			

		

		
			
				
					
				
			
		
		
		
			
				
					
				
			
			
				
					
					
				
			
			
				
					
				
			
			
				
					
				
			
			
				
					
				
			
		

		
		



		

		
			
				
					
				
			
			
			
		

		
			
				
					
				
			
		

		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
		
		
		
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
			
				
		 			
		 		
			
		
		
		





		

		
			
				
					
					
				
			
			
			
			
			
			
			
			
			
				
					
				
			

			
				
					
				
			
			
			
				
					
				
			
		

		
		

		

			
			

			
				
					
					
					
				
			

			
				
					
					
					
					
					
					
				
			
		

		
		

			
				
					
				
			
			
				
					
				
			
			
				
					
				
			
			
				
					
				
			
			
				
					
					
					
				
			
			
			
			
			
				
					
					
				
			

			
				
					
					
				
			
		
		
		
		

			
				
					
					
					
					
					
				
			

			
				
					
					
				
			
		
		


		

		
		
		
			
				
		 			
		 		
			
			
				
		 			
		 		
			
		




		

		
		
		




		

		
			
			
			
			
		

		
			
			
			
			
		

		
			
			
			
			
		

		
			
			
			
			
			
			
			
			
			
				
					
					
				
			
		

		
			
			
			
			
			
			
			
			
			
			
			
			
			
			
			
		

		
			
			
			
			
			
			
			
			
			
			
			
			
			
			
		

		
			
			
			
			
			
			
			
		

		

			
				
					
				
			
			
			
			
			
			
		

		
			
			
			
			
			
				
					
				
			
			
		

		
		

	


	

	
		
			
				
			
		
		
			
				
			
		
		
		
			
				
			
		
		
		
			
				
				
				
				
				
				
				
				
				
				
				
				
				
			
			
				
			
		

		
			
				
			
			
				
				
				
				
				
				
			
		

		
			
				
				
				
			
		

		
			
				
				
			
			
				
				
				
				
			
		

		
			
				
				
			
			
				
				
			
		

		
			
				
				
				
				
				
				
				
			
			
				
				
			
		

		
			
				
				
				
				
				
			
		

		
			
				
				
			
			
				
				
			
		
		
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
			
			
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
				
				
				
				
				
			
		
		
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
				
				
				
				
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
				
			
			
				
			
			
				
			
		
		
			
				
				
			
			
				
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
			
		
		
			
				
				
			
			
				
				
				
				
				
				
			
		
		
			
				
				
			
			
				
				
				
				
				
				
			
		
		
			
				
				
			
			
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
				
			
			
				
				
				
				
			
			
				
			
		
		
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
			
		
		
			
				
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
			
			
				
			
		

		

		
		
			
				
			
			
				
				
				
				
				
				
				
				
				
				
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
				
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
				
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			

			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
				
			

			
				
			
			
				
			
		
		
			
				
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
			
			
				
			
		
		

		
		
			
				
			

			
				
			
			
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
			
			
				
				
				
			
		
		
			
				
				
			
			
				
				
				
				
			
		
		
			
				
				
			
			
				
			
			
				
				
				
			
		
		
			
				
			
			
				
			
			
				
				
			
		
		
			
				
			
			
				
				
				
				
				
				
			
		
		
		
		
			
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
			
		
		
			
				
			
			
				
				
			
			
				
				
			
		
		
			
				
			
			
				
				
			
			
				
			
		
		
			
				
				
			
			
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
				
			
			
				
				
			
		

		
			
				
			
			
				
				
			
			
				
				
				
				
				
			
		

		
			
				
			
			
				
				
				
				
				
				
				
				
			
			
				
				
				
				
				
				
			
		

		
			
				
			
			
			
				
				
				
				
				
				
				
				
			


			
				
			

		
		
			
				
				
			
			
				
			
			
				
			
		
		
			
				
			
			
				
				
				
				
				
			
			
				
				
			
		
		
			
				
			
			
			
				
				
				
				
				
			
		
		
			
				
			
			
			
				
				
				
				
			
		
		
	
	
        
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
        
    

web.xml配置过滤器

	
		xssFilter
		com.inspur.filter.xss.XSSFilter
	
	
		xssFilter
		/*
	

 
