欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

web前端安全防范对策

程序员文章站 2022-03-05 12:05:23
...

xss攻击

  • filter过滤前端的传参

request包装类


public class InjectionAttackWrapper extends HttpServletRequestWrapper {
    private static final String EVENTS = "((?i) onload|onunload|onchange|onsubmit|onreset"
            + "|onselect|onblur|onfocus|onkeydown|onkeypress|onkeyup|onerror|script|alert"
            + "|onclick|ondblclick|onmousedown|onmousemove|onmouseout|onfScripTocus|alscRiPtert|onmouseover|onmouseup)";
    private static final String XSS_HTML_TAG = "(%3C)|(%3E)|[<>]+";
    private static final String XSS_INJECTION = "((%22%20)|(%22\\s)|('%22)|(%22\\+))\\w.*|(\\s|%20)"
            + EVENTS + ".*|(%3D)|(%7C)";
    private static final String XSS_REGEX = XSS_HTML_TAG + "|" + XSS_INJECTION;
    private static final String SQL_REGEX = "('.+--)|(--)|(\\|)|(%7C)";

    private static final String HTTPEVENTS = "((?i)href|location|window|src|<|>|%3C|%3E)";

    boolean filterXSS = true;
    boolean filterSQL = true;
    boolean filterWhite=true;
    boolean filterHttpXss=false;


    public boolean isFilterHttpXss() {
        return filterHttpXss;
    }


    public void setFilterHttpXss(boolean filterHttpXss) {
        this.filterHttpXss = filterHttpXss;
    }




    private byte[] body;

    public InjectionAttackWrapper(HttpServletRequest request,
            boolean filterXSS, boolean filterSQL,boolean filterWhite,boolean filterHttpXss) {
        super(request);
        this.filterXSS = filterXSS;
        this.filterSQL = filterSQL;
        this.filterHttpXss = filterHttpXss;
        String contentType = request.getContentType();
        if(StringUtils.isNotBlank(contentType) && StringUtils.indexOf(contentType, "application/json") >= 0) {
            try {
                body = IOUtils.toByteArray(super.getInputStream());
            } catch (IOException e) {
                e.printStackTrace();
            }
        }

    }


    public InjectionAttackWrapper(HttpServletRequest request) {
        this(request, true, true,false,false);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return filterParamString(value);
    }

    @Override
    public Map<String, String[]> getParameterMap() {

        Map<String, String[]> rawMap = super.getParameterMap();
        Map<String, String[]> filteredMap = new HashMap<String, String[]>(
                rawMap.size());
        Set<String> keys = rawMap.keySet();
        for (String key : keys) {
            String[] rawValue = rawMap.get(key);
            String[] filteredValue = filterStringArray(rawValue);
            filteredMap.put(key, filteredValue);
        }
        return filteredMap;
    }

    protected String[] filterStringArray(String[] rawValue) {
        String[] filteredArray = new String[rawValue.length];
        for (int i = 0; i < rawValue.length; i++) {
            filteredArray[i] = filterParamString(rawValue[i]);
        }
        return filteredArray;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] rawValues = super.getParameterValues(name);
        if (rawValues == null)
            return null;
        String[] filteredValues = new String[rawValues.length];
        for (int i = 0; i < rawValues.length; i++) {
            filteredValues[i] = filterParamString(rawValues[i]);
        }
        return filteredValues;
    }

    @Override
    public BufferedReader getReader() throws IOException {
        if(body == null) {
            return super.getReader();
        }
        return new BufferedReader(new InputStreamReader(getInputStream()));
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        if(body == null) {
            return super.getInputStream();
        }

        final ByteArrayInputStream bais = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override
            public int read() throws IOException {
                return bais.read();
            }
        };
    }

    public void filterJsonContext(){
        try {
            String jsonContent = IOUtils.toString(this.getInputStream());
            jsonContent =  this.filterParamString(jsonContent);
            body = jsonContent.getBytes();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }


    protected String filterParamString(String rawValue) {
        if (rawValue == null) {
            return null;
        }
        if (filterXSS()) {
            rawValue = rawValue.replaceAll(XSS_REGEX, "-");
        }
        if (filterSQL()) {
            rawValue = rawValue.replaceAll(SQL_REGEX, "-");
        }
        if(isFilterWhite()){
            rawValue = rawValue.replaceAll(EVENTS, "*");
        }
        if(isFilterHttpXss()){
            rawValue = rawValue.replaceAll(HTTPEVENTS, "*");
        }
        return rawValue;
    }

//  @Override
//  public Cookie[] getCookies() {
//      Cookie[] existingCookies =  ((HttpServletRequest) getRequest()).getCookies();
//      if (existingCookies != null) {
//          for (int i = 0; i < existingCookies.length; ++i) {
//              Cookie cookie = existingCookies[i];
//              cookie.setValue(filterParamString(cookie.getValue()));
//          }
//      }
//      return existingCookies;
//  }

    @Override
    public String getQueryString() {
        return filterParamString(super.getQueryString());
    }

    protected boolean filterXSS() {
        return filterXSS;
    }

    protected boolean filterSQL() {
        return filterSQL;
    }

    public boolean isFilterWhite() {
        return filterWhite;
    }

    public void setFilterXSS(boolean filterXSS) {
        this.filterXSS = filterXSS;
    }
    public void setFilterSQL(boolean filterSQL) {
        this.filterSQL = filterSQL;
    }
    public void setFilterWhite(boolean filterWhite) {
        this.filterWhite = filterWhite;
    }


}
filter过滤器

public class InjectionAttackFilter implements Filter {
    private static final String X_FRAME_VALUE = "SAMEORIGIN";
    private static final String X_FRAME_HEADER = "X-FRAME-OPTIONS";
    public static final String FILTER_XSS_PARAM_NAME = "filter_xss";
    public static final String FILTER_SQL_INJECTION_PARAM_NAME = "filter_sql_injection";
    public static final String CLICK_JACKING_HEADER = "click_jacking_header";
    public static final String WHITE_LIST = "white_list";
    public static final String HTTP_XSS = "filter_HttpXss";
    boolean filterXSS = true;
    boolean filterSQL = true;
    boolean clickJacking = false;
    boolean filterHttpXss = false;
    private String whiteList = "";
    private Logger log = Logger.getLogger(InjectionAttackFilter.class);
    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {

        if (isFilter(servletRequest)) {
            InjectionAttackWrapper wrapper = new InjectionAttackWrapper(
                    (HttpServletRequest) servletRequest, false, false,true,filterHttpXss);

            filterChain.doFilter(wrapper, servletResponse);
        } else {
            String contentType = servletRequest.getContentType();
            if (StringUtils.isNotBlank(contentType)) {
                InjectionAttackWrapper wrapper = new InjectionAttackWrapper(
                        (HttpServletRequest) servletRequest, filterXSS, filterSQL,false,filterHttpXss);
                if (StringUtils.indexOf(contentType, "application/json") >= 0) {
                    wrapper.setFilterXSS(false);
                    wrapper.setFilterSQL(true);
                    wrapper.setFilterWhite(true);
                    wrapper.filterJsonContext();
                    filterClickJack(servletResponse);
                    filterChain.doFilter(wrapper, servletResponse);
                } else if (StringUtils.indexOf(contentType, "application/x-www-form-urlencoded") >= 0) {
                    filterChain.doFilter(wrapper, servletResponse);
                }

            }else{
                filterChain.doFilter(servletRequest, servletResponse);
            }
        }
    }

    private boolean isFilter(ServletRequest servletRequest) {
        String[] wlist = this.getWhiteList();
        boolean flag = false;
        if (wlist != null && wlist.length > 0) {
            HttpServletRequest reruest = (HttpServletRequest) servletRequest;
            for (int i = 0; i < wlist.length; i++) {
                // if(StringUtils.startsWith(reruest.getRequestURI(),wlist[i])){
                if (StringUtils.indexOf(reruest.getRequestURI(),
                        StringUtils.replace(wlist[i], "*", "")) >= 0) {
                    flag = true;
                    break;
                }
            }
        }
        return flag;
    }

    private void filterClickJack(ServletResponse servletResponse) {
        if (clickJacking) {
            if (servletResponse instanceof HttpServletResponse) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
                if (!httpServletResponse.containsHeader(X_FRAME_HEADER)) {
                    httpServletResponse
                            .addHeader(X_FRAME_HEADER, X_FRAME_VALUE);
                }
            }
        }
    }

    private String[] getWhiteList() {
        return StringUtils.split(whiteList, ",");
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        String filterXSSParam = config.getInitParameter(FILTER_XSS_PARAM_NAME);
        String filterSQLParam = config
                .getInitParameter(FILTER_SQL_INJECTION_PARAM_NAME);
        String clickJackingParam = config
                .getInitParameter(CLICK_JACKING_HEADER);
        String clickHttpXss = config
                .getInitParameter(HTTP_XSS);
        whiteList = config.getInitParameter(WHITE_LIST);
        filterXSS = new Boolean(filterXSSParam);
        filterSQL = new Boolean(filterSQLParam);
        clickJacking = new Boolean(clickJackingParam);
        filterHttpXss = new Boolean(StringUtils.trimToEmpty(clickHttpXss));

    }

}
相关标签: 安全