上一篇 <<<工厂相关模式(Factory Pattern)
下一篇 >>>Web常用攻击手段-SQL注入
XSS攻击使用Javascript脚本注入进行攻击,常见于评论等表单提交。脚本里可以写任何东西,比如读取本地cookie远程发送给黑客服务器端。
最好使用火狐浏览器演示效果,google浏览器缓存现象严重
解决思路:
对特殊脚本进行转义---
- a、编写过滤器拦截所有getParameter参数
- b、重写httpservletwrapp方法,将参数特殊字符转换成html源代码保存.
//转换类
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
@Override
public String getParameter(String name) {
// 获取之前的参数
String olValue = super.getParameter(name);
System.out.print("原来参数:" + olValue);
if (!StringUtils.isEmpty(olValue)) {
// 将特殊字符转换成html展示 // 3.使用(StringEscapeUtils.escapeHtml(name)转换特殊参数
olValue = StringEscapeUtils.escapeHtml(olValue);
System.out.println("转换后" + olValue);
}
System.out.println();
return olValue;
}
}
//过滤器
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
// 程序防止XSS攻击原理
// 1. 使用过滤器拦截所有参数
HttpServletRequest req = (HttpServletRequest) request;
// 2.重新getParameter方法
XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper(req);
// 放行程序,继续往下执行
chain.doFilter(xssHttpServletRequestWrapper, response);
}
- c、关键字过滤
"javascript", "window.location", "window.", ".location", "document.cookie", ".cookie",
"document.", "alert(", "window.open", "", "noscript", "confirm(",
"prompt", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged",
"ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave",
"ondragover", "ondragstart", "ondrop", "onerror", "onerroupdate", "onfilterchange", "onfinish",
"onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup",
"onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave",
"onmousemove", "onmousout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend",
"onmovestart", "onabort", "onactivate", "onafterprint", "onafterupdate", "onbefore",
"onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditocus",
"onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce",
"oncellchange", "onchange", "onclick", "oncontextmenu", "onpaste", "onpropertychange",
"onreadystatechange", "onreset", "onresize", "onresizend", "onresizestart", "onrowenter", "onrowexit",
"onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart",
"onstart", "onstop", "onsubmit", "onunload", "onhaschange", "onmessage", "onoffline", "ononline",
"onpagehide", "onpageshow", "onpopstate", "onredo", "onstorage", "onundo", "onformchange",
"onforminput", "oninput", "oninvalid", "onmouseout", "onmouseover", "oncanplay", "oncanplaythrough",
"ondurationchange", "onemptied", "onended", "onloadeddata", "onloadedmetadata", "onloadstart",
"onpause", "onplay", "onplaying", "onprogress", "onratechange", "onseeked", "onseeking", "onstalled",
"onsuspend", "ontimeupdate", "onvolumechange", "onwaiting", "eval(", "setTimeout", "setInterval"
相关文章链接:
<<
<<<安全技术--Https相关知识
<<<安全技术--接口幂等性设计
<<<安全框架--SpringSecurity
<<<安全框架--JWT
<<<安全框架--OAuth2
<<<安全架构整体设计方案