即时焦点：SpringBoot Xss漏洞修复

手机

iphone11大小尺寸是多少？苹果iPhone11和iPhone13的区别是什么？

警方通报辅警执法直播中被撞飞：犯罪嫌疑人已投案

家电

即时焦点：SpringBoot Xss漏洞修复

2023-01-11 17:08:52 来源：博客园

(资料图片)

原文链接:https://www.cnblogs.com/zhangruifeng/p/16082741.html

1、过滤SQL、JS脚本

1.1、添加pom依赖

       org.apache.commons       commons-text       1.4

1.2、创建XssAndSqlHttpServletRequestWrapper

package cn.vantee.util;import org.apache.commons.text.StringEscapeUtils;import org.springframework.util.StringUtils;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;/** * @author ：rayfoo@qq.com * @date ：Created in 2022/3/31 16:46 * @description：xss过滤 * @modified By： * @version: 1.0.0 */public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {    private HttpServletRequest request;    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {        super(request);        this.request = request;    }    /**     * 假如有有html 代码是自己传来的  需要设定对应的name 不走StringEscapeUtils.escapeHtml4(value) 过滤     */    @Override    public String getParameter(String name) {        String value = request.getParameter(name);        if (!StringUtils.isEmpty(value)) {            value = StringEscapeUtils.escapeHtml4(value);        }        return value;    }    @Override    public String[] getParameterValues(String name) {        String[] parameterValues = super.getParameterValues(name);        if (parameterValues == null) {            return null;        }        for (int i = 0; i < parameterValues.length; i++) {            String value = parameterValues[i];            parameterValues[i] = StringEscapeUtils.escapeHtml4(value);        }        return parameterValues;    }}

1.3、创建XssStringJsonSerializer

package cn.vantee.util;import com.fasterxml.jackson.core.JsonGenerator;import com.fasterxml.jackson.databind.JsonSerializer;import com.fasterxml.jackson.databind.SerializerProvider;import org.apache.commons.text.StringEscapeUtils;import java.io.IOException;/** * @author ：rayfoo@qq.com * @date ：Created in 2022/3/31 16:47 * @description：xss过滤 * @modified By： * @version: 1.0.0 */public class XssStringJsonSerializer extends JsonSerializer {    @Override    public Class handledType() {        return String.class;    }    /**     * 假如有有html 代码是自己传来的  需要设定对应的name 不走StringEscapeUtils.escapeHtml4(value) 过滤     */    @Override    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)            throws IOException {        if (value != null) {            String encodedValue = StringEscapeUtils.escapeHtml4(value);            jsonGenerator.writeString(encodedValue);        }    }}

1.4、创建过滤器

package cn.vantee.filter;import cn.vantee.util.XssAndSqlHttpServletRequestWrapper;import cn.vantee.util.XssStringJsonSerializer;import com.fasterxml.jackson.databind.ObjectMapper;import com.fasterxml.jackson.databind.module.SimpleModule;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Primary;import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;import org.springframework.stereotype.Component;import javax.servlet.*;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import java.io.IOException;/** * @author ：rayfoo@qq.com * @date ：Created in 2022/3/31 10:53 * @description：xss过滤 * @modified By： * @version: 1.0.0 */@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)@Componentpublic class XssFilter implements Filter {    @Override    public void destroy() {        // TODO Auto-generated method stub    }    @Override    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)            throws IOException, ServletException {        // TODO Auto-generated method stub        HttpServletRequest req = (HttpServletRequest) request;        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);        chain.doFilter(xssRequestWrapper, response);    }    @Override    public void init(FilterConfig arg0) throws ServletException {        // TODO Auto-generated method stub    }    @Bean    @Primary    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {        // 解析器        ObjectMapper objectMapper = builder.createXmlMapper(false).build();        // 注册xss解析器        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");        xssModule.addSerializer(new XssStringJsonSerializer());        objectMapper.registerModule(xssModule);        // 返回        return objectMapper;    }}

@Primary 注解优先走这个Bean方法。asyncSupported = true 配置支持异步，sync-supported是servlet 3.0后推出的新特性

5、验证

        Title

package cn.vantee.controller;import cn.vantee.service.TestService;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.web.bind.annotation.GetMapping;import org.springframework.web.bind.annotation.RestController;/** * @author ：rayfoo@qq.com * @date ：Created in 2022/3/29 14:53 * @description：测试Controller * @modified By： * @version: 1.0.0 */@RestControllerpublic class TestController {    @Autowired    public TestService testService;    @GetMapping("/test")    public String test(String params){      System.out.println(params);return params;    }}

输入：

<script>hello world

输出：

<script>hello world</scrpit>

2、设置HttpOnly

2.1、什么是HttpOnly

如果cookie中设置了HttpOnly属性，那么通过js脚本将无法读取到cookie信息，这样能有效的防止XSS攻击，窃取cookie内容，这样就增加了cookie的安全性，即便是这样，也不要将重要信息存入cookie。XSS全称Cross SiteScript，跨站脚本攻击，是Web程序中常见的漏洞，XSS属于被动式且用于客户端的攻击方式，所以容易被忽略其危害性。其原理是攻击者向有XSS漏洞的网站中输入(传入)恶意的HTML代码，当其它用户浏览该网站时，这段HTML代码会自动执行，从而达到攻击的目的。如，盗取用户Cookie、破坏页面结构、重定向到其它网站等。

2.2、如何设置

案例：

response.addHeader("Set-Cookie", "username=123456; Path=/; HttpOnly")

关键词：