XSS ,全名:cross-site scripting(跨站點(diǎn)腳本),是當(dāng)前 web 應(yīng)用中最危險(xiǎn)和最普遍的漏洞之一。攻擊者嘗試注入惡意腳本代碼(常js腳本)到受信任的網(wǎng)站上執(zhí)行惡意操作,用戶使用瀏覽器瀏覽含有惡意腳本頁(yè)面時(shí),會(huì)執(zhí)行該段惡意腳本,進(jìn)而影響用戶(比如關(guān)不完的網(wǎng)站、盜取用戶的 cookie 信息從而偽裝成用戶去操作)等等。
它與 SQL 注入很類(lèi)似,同樣是通過(guò)注入惡意指令來(lái)進(jìn)行攻擊。但 SQL 注入是在服務(wù)器端上執(zhí)行的,而 XSS 攻擊是在客戶端上執(zhí)行的,這點(diǎn)是他們本質(zhì)區(qū)別。
其實(shí),個(gè)人感覺(jué)對(duì)于xss攻擊不必區(qū)分究竟是反射型XSS、存儲(chǔ)型XSS還是DOM Based XSS,只需要知道如何去防護(hù)。而防護(hù)的最有效的措施就是過(guò)濾,對(duì)前端頁(yè)面提交到后臺(tái)的內(nèi)容進(jìn)行過(guò)濾。具體如下:
1.解決方法一
攔截所有的請(qǐng)求參數(shù),對(duì)請(qǐng)求參數(shù)中包含特殊字符'<‘或'>'進(jìn)行過(guò)濾。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
package com.haier.openplatform.srm.base.filter;import java.io.IOException;import java.util.Iterator;import java.util.Map;import java.util.Set;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import javax.servlet.http.HttpServletResponse;import org.springframework.web.filter.OncePerRequestFilter;public class StringFilter extends OncePerRequestFilter{@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)throws ServletException, IOException {chain.doFilter(new StringFilterRequest((HttpServletRequest)request), response);}}class StringFilterRequest extends HttpServletRequestWrapper {public StringFilterRequest(HttpServletRequest request) {super(request);}@Overridepublic String getParameter(String name) {// 返回值之前 先進(jìn)行過(guò)濾return filterDangerString(super.getParameter(name));}@Overridepublic String[] getParameterValues(String name) {// 返回值之前 先進(jìn)行過(guò)濾String[] values = super.getParameterValues(name);if(values==null){return null;}for (int i = 0; i < values.length; i++) {values[i] = filterDangerString(values[i]);}return values;}@Overridepublic Map getParameterMap() {Map keys = super.getParameterMap();Set set = keys.entrySet();Iterator iters = set.iterator();while (iters.hasNext()) {Object key = iters.next();Object value = keys.get(key);keys.put(key, filterDangerString((String[]) value));}return keys;}/*@Overridepublic Object getAttribute(String name) {// TODO Auto-generated method stubObject object = super.getAttribute(name);if (object instanceof String) {return filterDangerString((String) super.getAttribute(name));} elsereturn object;}*/public String filterDangerString(String value) {if (value == null) {return null;}// value = value.replaceAll("\\{", "{");value = value.replaceAll("<", "<");value = value.replaceAll(">", ">");// value = value.replaceAll("\t", " ");// value = value.replaceAll("\r\n", "\n");// value = value.replaceAll("\n", "<br/>");// value = value.replaceAll("'", "'");// value = value.replaceAll("\\\\", "\");// value = value.replaceAll("\"", """);// value = value.replaceAll("\\}", "﹜").trim();return value;}public String[] filterDangerString(String[] value) {if (value == null) {return null;}for (int i = 0; i < value.length; i++) {String val = filterDangerString(value[i]);value[i] = val;}return value;}} |
web.xm中的過(guò)濾器配置:
|
1
2
3
4
5
6
7
8
9
|
<filter> <filter-name>StringFilter</filter-name> <filter-class>com.xxx.base.filter.StringFilter</filter-class></filter><filter-mapping> <filter-name>StringFilter</filter-name> <url-pattern>/*</url-pattern></filter-mapping> |
2.解決方法二(轉(zhuǎn),未驗(yàn)證)
2.1前端過(guò)濾
2.1.1 javascript 原生方法
|
1
2
3
4
5
6
7
8
9
10
11
12
|
//轉(zhuǎn)義 元素的innerHTML內(nèi)容即為轉(zhuǎn)義后的字符 function htmlEncode ( str ) { var ele = document.createElement('span'); ele.appendChild( document.createTextNode( str ) ); return ele.innerHTML; } //解析 function htmlDecode ( str ) { var ele = document.createElement('span'); ele.innerHTML = str; return ele.textContent; } |
2.1.2 JQuery 方法
|
1
2
3
4
5
6
|
function htmlEncodeJQ ( str ) { return $('<span/>').text( str ).html(); } function htmlDecodeJQ ( str ) { return $('<span/>').html( str ).text(); } |
2.1.3 調(diào)用方法
|
1
2
3
|
var msg1= htmlEncodeJQ('<script>alert('test');</script>');var msg1= htmlEncode('<script>alert('test');</script>');//結(jié)果變成:<script>alert('test');</script> |
2.2 后端過(guò)濾
2.2.1 java 一些框架自動(dòng)工具類(lèi),
比如:org.springframework.web.util.HtmlUtils
|
1
2
3
4
5
6
7
8
|
public static void main(String[] args) { String content = "<script>alert('test');</script>"; System.out.println("content="+content); content = HtmlUtils.htmlEscape(content); System.out.println("content="+content); content = HtmlUtils.htmlUnescape(content); System.out.println("content="+content);} |
但這樣有個(gè)問(wèn)題,就是它全部的html標(biāo)簽都不解析了。
可能這不是你想要的,你想要的是一部分解析,一部分不解析。好看下面。
2.2.2 自己用正則來(lái)完成你的需求
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
package top.lrshuai.blog.util;import java.util.regex.Matcher;import java.util.regex.Pattern;/** * * @author lrshuai * @since 2017-10-13 * @version 0.0.1 */public class HTMLUtils {/** * 過(guò)濾所有HTML 標(biāo)簽 * @param htmlStr * @return */public static String filterHTMLTag(String htmlStr) { //定義HTML標(biāo)簽的正則表達(dá)式 String reg_html="<[^>]+>"; Pattern pattern=Pattern.compile(reg_html,Pattern.CASE_INSENSITIVE); Matcher matcher=pattern.matcher(htmlStr); htmlStr=matcher.replaceAll(""); //過(guò)濾html標(biāo)簽 return htmlStr;}/** * 過(guò)濾標(biāo)簽,通過(guò)標(biāo)簽名 * @param htmlStr * @param tagName * @return */public static String filterTagByName(String htmlStr,String tagName) { String reg_html="<"+tagName+"[^>]*?>[\\s\\S]*?<\\/"+tagName+">"; Pattern pattern=Pattern.compile(reg_html,Pattern.CASE_INSENSITIVE); Matcher matcher=pattern.matcher(htmlStr); htmlStr=matcher.replaceAll(""); //過(guò)濾html標(biāo)簽 return htmlStr;}/** * 過(guò)濾標(biāo)簽上的 style 樣式 * @param htmlStr * @return */public static String filterHTMLTagInStyle(String htmlStr) { String reg_html="style=('|\")(.*?)('|\")"; Pattern pattern=Pattern.compile(reg_html,Pattern.CASE_INSENSITIVE); Matcher matcher=pattern.matcher(htmlStr); htmlStr=matcher.replaceAll(""); //過(guò)濾html標(biāo)簽 return htmlStr;}/** * 替換表情 * @param htmlStr * @param tagName * @return */public static String replayFace(String htmlStr) { String reg_html="\\[em_\\d{1,}\\]"; Pattern pattern =Pattern.compile(reg_html,Pattern.CASE_INSENSITIVE); Matcher matcher=pattern.matcher(htmlStr); if(matcher.find()) { matcher.reset(); while(matcher.find()) { String num = matcher.group(0); String number=num.substring(num.lastIndexOf('_')+1, num.length()-1); htmlStr = htmlStr.replace(num, "<img src='/face/arclist/"+number+".gif' border='0' />"); } } return htmlStr;} public static void main(String[] args) { String html = "<script>alert('test');</script><img src='/face/arclist/5.gif' border='0' /><div style='position:fixs;s'></div><style>body{color:#fff;}</style><Style>body{color:#fff;}</Style><STYLE>body{color:#fff;}</STYLE>"; System.out.println("html="+html); html = HTMLUtils.filterTagByName(html, "style"); System.out.println("html="+html); html = HTMLUtils.filterTagByName(html, "script"); System.out.println("html="+html); html = HTMLUtils.filterHTMLTagInStyle(html); System.out.println("html="+html); }} |
java 過(guò)濾特殊字符串升級(jí)版
ASCII碼中除了32之外還有160這個(gè)特殊的空格 db中的空格 不間斷空格->頁(yè)面上的 所產(chǎn)生的空格;
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
/** * 過(guò)濾特殊字符 * @param str * @return * * \u00A0 特殊的空格 */ public static String stringFilter (String str){ String regEx="[\\u00A0\\s\"`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#¥%……&*()——+|{}【】‘;:”“'。,、?]"; Pattern p = Pattern.compile(regEx); Matcher m = p.matcher(str); return m.replaceAll("").trim(); } |
以上為個(gè)人經(jīng)驗(yàn),希望能給大家一個(gè)參考,也希望大家多多支持服務(wù)器之家。
原文鏈接:https://blog.csdn.net/weixin_43975611/article/details/101537129
