- 目前对XSS漏洞要求修复,考虑通过拦截器来统一处理request的参数,对XSS相关的js脚本进行过滤替换,从来来实现漏洞修复。
- 但是HttpServletRequest中的参数是无法改变的,若是手动执行修改request中的参数,则会抛出异常。我们可以利用HttpServletRequestWrapper包装HttpServletRequest,在Wrapper中实现参数的修改,然后用HttpServletRequestWrapper替换HttpServletRequest,这样就实现了参数的修改设置。
- 下面是实现步骤:
- 继承HttpServletRequestWrapper,实现一个自己的XSSRequestWrapper来更改request的参数。
我们在servlet中通过request来获取参数的方法大概有几个:getParameter、getAttribute、getParameterMap等等,所以必须在XSSRequestWrapper里面重写这些方法,才能够在servlet中调用上面的方法来获取参数的时候,对参数中的XSS敏感脚本进行处理,在这里我之重写了这三个方法,如果你们有用到其他方法来获取参数,请重写这些方法以达到修改参数的目的
package ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
private Map<String, String[]> parameterMap; // 所有参数的Map集合
private HttpServletRequest request;
public XSSRequestWrapper(HttpServletRequest request) {
super(request);
parameterMap = ();
this.request = request;
}
/* 获取所有参数名
*
* @return 返回所有参数名
*/
@Override
public Enumeration<String> getParameterNames() {
Vector<String> vector = new Vector<String>(());
return ();
}
@Override
public ServletInputStream getInputStream() {
String bizBindMsg = null;
ServletInputStream stream = null;
try {
stream = ();
bizBindMsg = (stream, "UTF-8");
} catch (IOException e) {
();
}
try {
bizBindMsg = ((), "UTF-8");
} catch (UnsupportedEncodingException e) {
();
}
//("RequestWrapper接收到的请求为: " + bizBindMsg);
bizBindMsg = stripXSS(bizBindMsg);
/**
* 将解密后的明文串放到buffer数组中
*/
byte[] buffer = null;
try {
buffer = ("UTF-8");
} catch (UnsupportedEncodingException e) {
();
}
final ByteArrayInputStream bais = new ByteArrayInputStream(buffer);
ServletInputStream newStream = new ServletInputStream() {
@Override
public int read() throws IOException {
return ();
}
};
return newStream;
}
/* @Override
public String[] getParameterValues(String parameter) {
String[] values = (parameter);
if (values == null) {
return null;
}
int count = ;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = (values[i]);
encodedValues[i] = stripXSS(encodedValues[i]);
}
("2222参数名:"+parameter+"的原始值为"+values+",替换后为:"+encodedValues);
return encodedValues;
}*/
@Override
public String getParameter(String parameter) {
String[] value = parameterMap.get(parameter);
if (value != null){
//("参数名:"+parameter+"的原始值为"+value[0]+",替换后为:"+stripXSS(value[0]));
return stripXSS(value[0]);
}
return null;
}
/**
* 获取attribute,特殊字符过滤
*/
@Override
public Object getAttribute(String parameter) {
Object value = (parameter);
if (value != null && value instanceof String) {
stripXSS((String) value);
//("参数名33:"+parameter+"的原始值为"+value+",替换后为:"+stripXSS((String) value));
return stripXSS((String) value);
}else{
return value;
}
}
@Override
public String getHeader(String name) {
String value = (name);
return stripXSS(value);
}
/**
* 获取指定参数名的所有值的数组,如:checkbox的所有数据
* 接收数组变量 ,如checkobx类型
*/
@Override
public String[] getParameterValues(String name) {
return parameterMap.get(name);
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String, String[]> newMap = new HashMap<String, String[]>();
for (Entry<String, String[]> entry : ()) {
((), new String[]{stripXSS(()[0])});
}
return newMap;
}
public void setParameterMap(Map<String, String[]> parameterMap) {
this.parameterMap = parameterMap;
}
private String stripXSS(String value) {
if (value != null) {
value = value.replaceAll("", "");
Pattern scriptPattern = ("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = (value).replaceAll("");
scriptPattern = ("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("</script>", Pattern.CASE_INSENSITIVE);
value = (value).replaceAll("");
scriptPattern = ("<script(.*?)>",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("expression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("javascript:", Pattern.CASE_INSENSITIVE);
value = (value).replaceAll("");
scriptPattern = ("vbscript:", Pattern.CASE_INSENSITIVE);
value = (value).replaceAll("");
scriptPattern = ("onload(.*?)=",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("alert\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("(.*?)=",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("unescape\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("execscript\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("msgbox\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("confirm\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
scriptPattern = ("prompt\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | | );
value = (value).replaceAll("");
}
return value;
}
private String cleanXSS(String value) {
// You'll need to remove the spaces from the html entities below
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
}
2.编写过滤器XssFilter
package ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
public class XssFilter implements Filter{
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
XSSRequestWrapper xSSRequestWrapper = new XSSRequestWrapper((HttpServletRequest) request);
(xSSRequestWrapper, response);
}
@Override
public void destroy() {
}
}
3.配置,在里面增加过滤器
<!-- 存储型xss漏洞修复 -->
<filter>
<filter-name>XSSFiler2</filter-name>
<filter-class>
</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFiler2</filter-name>
<url-pattern>*.e</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XSSFiler2</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>这样可以有效的解决XSS漏洞了。
最后说一下在解决此漏洞的过程中出现的一些问题和解决思路
- 刚开始在XSSRequestWrapper中我只是实现了getParameter方法,这样就导致有的方法能替换参数中的脚本,有的不能替换,后来发现在servlet中获取参数的方法是有多个的,所以如果出现有的参数不能被处理的时候,就应该是在servlet中通过request获取参数的方法在XSSRequestWrapper中并没有实现引起的。