跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞

1、跨站点请求伪造 跨站点脚本编制 通过框架钓鱼漏洞

主要是通过在 URL 或参数中添加脚本来触发，例如：

1、URL中添加

2、参数value=

添加一个过滤器，对请求参数中的特殊字符进行拦截。

package com.xxx.sys.filter;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

/**
 * Illegal-character filter.
 *
 * <p>Rejects a request when one of its parameters contains a configured
 * blacklisted string; every blacklisted string and every exempt parameter
 * name is configured in web.xml, not in code.
 *
 * <p>Notes from the original author:
 * <ol>
 *   <li>All illegal characters are configured in web.xml; add new ones there.</li>
 *   <li>Set the request and response encoding consistently, otherwise Chinese
 *       text is garbled (GBK and its subsets should be fine).</li>
 * </ol>
 *
 * <p>NOTE(review): this is a deny-list on parameter content only. Nothing in
 * this class issues or checks a CSRF token or sets a frame-related response
 * header, so despite the surrounding article's title it does not by itself
 * address CSRF or frame-based phishing. Output encoding where values are
 * rendered is still required; a character deny-list is defence in depth,
 * not a substitute for it.
 *
 * @author lee
 *
 */
public class CharFilter implements Filter {
	/** Per-instance log4j logger. */
	private Logger log = Logger.getLogger(CharFilter.class);
	/** Request character encoding, from the {@code encoding} init-param. */
	private String encoding;
	/** Parameter names whose values are exempt from the check, from {@code legalNames} (comma-separated). */
	private String[] legalNames;
	/** Strings treated as illegal, from {@code illegalChars} (comma-separated). */
	private String[] illegalChars;
	
	/**
	 * Reads the three init-params from web.xml.
	 *
	 * <p>NOTE(review): {@code getInitParameter} returns {@code null} for a
	 * missing parameter, so a missing {@code legalNames} or {@code illegalChars}
	 * entry makes {@code split} throw a NullPointerException and the filter
	 * fails to initialise; a missing {@code encoding} is not validated here and
	 * is passed as {@code null} to {@code setCharacterEncoding} in
	 * {@link #doFilter}. Because both lists are split on {@code ","}, a comma
	 * itself can never be configured as an illegal string.
	 *
	 * @param filterConfig the container-supplied configuration
	 * @throws ServletException declared by the {@link Filter} contract; not thrown by this body
	 */
	public void init(FilterConfig filterConfig) throws ServletException {
		encoding = filterConfig.getInitParameter("encoding");
		legalNames = filterConfig.getInitParameter("legalNames").split(",");
		illegalChars = filterConfig.getInitParameter("illegalChars").split(",");
	}
	
	/** Drops the configuration read in {@link #init}. */
	public void destroy() {
		encoding = null;
		legalNames = null;
		illegalChars = null;
	}
	

	/**
	 * Inspects every request parameter and either rejects the request with a
	 * small inline script (alert, then {@code history.go(-1)}) or passes it
	 * down the chain.
	 *
	 * <p>NOTE(review): the body of the parameter loop was lost when this
	 * listing was extracted (the text between {@code i<} and {@code >window}
	 * on the {@code f:for} line is missing), so the exact matching rule —
	 * {@code contains} versus {@code equals}, case handling, whether names and
	 * values are both checked, and the content type set on the rejection
	 * response — cannot be confirmed from this page.
	 *
	 * @param request     the incoming request; cast to HttpServletRequest
	 * @param response    the response; cast to HttpServletResponse
	 * @param filterChain the rest of the chain, invoked only when no illegal string was found
	 * @throws IOException      declared for {@code setCharacterEncoding} and for writing the response
	 * @throws ServletException from the downstream chain
	 */
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain filterChain) throws IOException, ServletException {
		
		HttpServletRequest req = (HttpServletRequest)request;
		HttpServletResponse res = (HttpServletResponse) response;
		
		// The encoding must be set explicitly, and before the first parameter
		// access below, otherwise the container decodes with its default charset.
		req.setCharacterEncoding(encoding);
		String tempURL = req.getRequestURI(); 
		// NOTE(review): the raw, client-controlled request URI is logged at INFO
		// on every request; consider lowering the level or sanitising it.
		log.info(tempURL);
		// Raw Enumeration as in the original; elements are cast to String below.
		Enumeration params = req.getParameterNames();
		
		// Whether to run the check for the current parameter: true = check, false = skip.
		boolean executable = true;
		
		// Illegal status: true = illegal, false = legal.
		boolean illegalStatus = false;
		String illegalChar = "";
		// Check each parameter name and its value.
		w:while(params.hasMoreElements()){
			
			String paramName = (String) params.nextElement();
			
			executable = true;
			
			// Passwords are not filtered.
			// NOTE(review): this is a case-insensitive substring match on the
			// client-supplied parameter name, so every parameter whose name
			// contains "password" skips the check, not only the real password field.
			if(paramName.toLowerCase().contains("password")){
				executable = false;
			}else{
				// Check whether the parameter name is on the legal list, i.e. its value is not filtered.
				f:for(int i=0;iwindow.alert('当前链接中存在非法字符');window.history.go(-1);");
		}else{
			filterChain.doFilter(request, response);
		}
	}

}


web.xml 配置代码：


	<filter>
		<filter-name>charFilter</filter-name>
		<filter-class>com.xxx.sys.filter.CharFilter</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
		<init-param>
			<param-name>legalNames</param-name>
			<param-value>content1,ver,historyURL,listURL</param-value>
		</init-param>
		<init-param>
			<param-name>illegalChars</param-name>
			<param-value><![CDATA[|,$,@,',",\',\",<,>,(,),+,CR,LF,\",",\,http]]></param-value>
		</init-param>
	</filter>
	<!-- NOTE(review): the matching filter-mapping element for charFilter is not shown on this page. -->
