6.22筆記
XSS 攻擊（Cross-Site Scripting，跨站指令碼攻擊）
跨站指令碼攻擊（為了與 CSS 區分而縮寫為 XSS）：攻擊者把惡意的 script 程式碼注入到 Web 頁面中，當其他使用者瀏覽該頁面時，瀏覽器會在該站點自身的來源（origin）下執行這段程式碼，因此可以讀取該站點的 Cookie/會話、以受害者身分發送請求等，達到攻擊使用者的目的。
依惡意程式碼的來源與被解析執行的方式，可分為以下幾種：
-
反射型:
反射型：惡意程式碼放在攻擊者構造的連結（通常是 URL 查詢參數）中。當用戶點選這個 xss 攻擊惡意連結時，頁面會跳轉到 http://localhost:3001/xss 這類存在漏洞的頁面（示例中為本機演示地址），伺服器把連結中的參數未經轉義地「反射」回回應內容，返回的 js 指令碼就在受害者的瀏覽器中執行了。由於載荷只存在於連結裡，每次攻擊都需要誘導受害者點選。 -
儲存型
儲存型（也稱永續性 XSS）：主要是將惡意程式碼上傳或儲存到伺服器中（例如留言、評論、使用者資料等會被回顯的欄位），下次只要任何受害者瀏覽包含此惡意程式碼的頁面就會執行惡意程式碼，不需要誘導點選連結，影響範圍也比反射型更大。
-
DOM-based
DOM 型：惡意程式碼不經由伺服器回應返回，而是由頁面自身的前端 JavaScript 從 location.hash、URL 參數等取值後直接寫入 DOM（例如 innerHTML、document.write）時被觸發；伺服器端的輸入過濾（包括下文的 XssFilter）對它無效，必須在前端輸出時轉義或改用 textContent 等安全 API。（注：「永續性 XSS」指的是上面的儲存型，並不是 DOM 型的別名。）
Spring Boot 中的應用（以下是伺服器端的請求參數過濾器，屬於縱深防禦手段；防止 XSS 的根本措施仍是在輸出時按 HTML/JS/URL 等上下文進行轉義）：
application.yml:
# XSS protection: request-parameter sanitising filter (see FilterConfig / XssFilter below)
xss:
  # Master switch. With "false" the filter is still registered but XssFilter passes
  # every request through untouched, so nothing is sanitised. Even with "true" this is
  # defence in depth only; it does not replace output encoding in the views.
  enabled: false
  # Servlet paths excluded from filtering (comma-separated). Each entry is a Java
  # regular expression anchored at the start of the servlet path, NOT an Ant-style
  # pattern. Leave empty to filter every path.
  excludes:
  # Servlet URL pattern(s) the filter is mapped to (comma-separated, servlet-spec glob
  # syntax). Restricting it to /user/* leaves every other endpoint unfiltered, so choose
  # deliberately. Make sure FilterConfig actually passes this value to
  # registration.addUrlPatterns(); otherwise it is silently ignored and the
  # registration's default mapping (presumably /*) applies.
  urlPatterns: /user/*
FilterConfig:
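import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.DispatcherType;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Filter configuration: registers {@link XssFilter} as a servlet filter and hands it the
 * {@code xss.*} properties from application.yml as filter init parameters.
 *
 * NOTE(review): the filter only wraps the request (see XssFilter); whether anything is
 * actually sanitised depends on XssHttpServletRequestWrapper, which is not shown here.
 * Request-side filtering is defence in depth and does not replace context-aware output
 * encoding in the views.
 *
 * @author xiaofei
 */
@Configuration
public class FilterConfig {

    /** {@code xss.enabled}: master switch forwarded to the filter; "false" makes it pass every request through. */
    @Value("${xss.enabled}")
    private String enabled;

    /** {@code xss.excludes}: comma-separated servlet-path regexes the filter must leave alone (may be empty). */
    @Value("${xss.excludes}")
    private String excludes;

    /** {@code xss.urlPatterns}: comma-separated servlet URL patterns the filter is mapped to, e.g. {@code /user/*}. */
    @Value("${xss.urlPatterns}")
    private String urlPatterns;

    /**
     * Builds the registration for {@link XssFilter}.
     *
     * @return the filter registration, mapped to {@code xss.urlPatterns} (or the registration's
     *         default mapping when that property is blank) and carrying the
     *         {@code excludes}/{@code enabled} init parameters
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    @Bean
    public FilterRegistrationBean xssFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        // Only direct client requests are filtered; FORWARD/INCLUDE/ERROR/ASYNC dispatches
        // bypass this filter, so a request reaching the servlet by those routes is not wrapped.
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new XssFilter());
        registration.setName("xssFilter");
        // Integer.MAX_VALUE is the lowest precedence: this filter runs AFTER every other
        // registered filter. Filters earlier in the chain (e.g. a security filter chain)
        // therefore still see the raw, unsanitised request parameters.
        registration.setOrder(Integer.MAX_VALUE);

        // FIX: xss.urlPatterns was injected but never applied, so the property was silently
        // ignored and the filter stayed on the registration's default mapping. Apply the
        // configured patterns; when the property is blank keep the default rather than
        // leaving the filter unmapped. A narrow pattern such as /user/* leaves every other
        // endpoint unfiltered - choose it deliberately.
        List<String> patterns = splitCsv(urlPatterns);
        if (!patterns.isEmpty()) {
            registration.addUrlPatterns(patterns.toArray(new String[0]));
        }

        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("excludes", excludes);
        initParameters.put("enabled", enabled);
        registration.setInitParameters(initParameters);
        return registration;
    }

    /**
     * Splits a comma-separated property into trimmed, non-empty entries.
     *
     * @param csv raw property value; {@code null} or blank yields an empty list
     * @return the entries in configuration order, never {@code null}
     */
    private static List<String> splitCsv(String csv) {
        List<String> entries = new ArrayList<>();
        if (csv == null) {
            return entries;
        }
        for (String part : csv.split(",")) {
            String entry = part.trim();
            if (!entry.isEmpty()) {
                entries.add(entry);
            }
        }
        return entries;
    }
}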
XssFilter:
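import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Servlet filter that wraps each incoming request in {@code XssHttpServletRequestWrapper}
 * so that downstream code reads sanitised parameters. The wrapper is defined elsewhere in
 * the project and is not shown here; the effectiveness of this filter is entirely its.
 *
 * Configuration arrives as filter init parameters (see FilterConfig / application.yml):
 * <ul>
 *   <li>{@code enabled} - master switch; when "false" or absent EVERY request bypasses the wrapper</li>
 *   <li>{@code excludes} - comma-separated Java regular expressions; a request whose servlet
 *       path matches {@code "^" + pattern} (via {@code find()}) is passed through untouched</li>
 * </ul>
 *
 * NOTE(review): request-side filtering is defence in depth only. Reflected and stored XSS are
 * ultimately prevented by context-aware output encoding in the view layer, and DOM-based XSS
 * never reaches this filter at all.
 *
 * @author xiaofei
 */
public class XssFilter implements Filter {

    /**
     * Exclude patterns as configured (trimmed regex source). Kept public for backward
     * compatibility; the compiled form is built from it once in {@link #init}, so entries
     * added to this list after init have no effect on matching.
     */
    public List<String> excludes = new ArrayList<>();

    /** Filter switch; defaults to off, so an absent {@code enabled} init parameter disables filtering. */
    public boolean enabled = false;

    /**
     * Exclude patterns compiled once at init time. Previously every pattern was recompiled
     * on every request; compiling here also makes a malformed regex fail fast at startup
     * (PatternSyntaxException) instead of on the first request that hits the filter.
     */
    private final List<Pattern> excludePatterns = new ArrayList<>();

    /**
     * Reads {@code excludes} and {@code enabled} from the filter init parameters.
     *
     * @param filterConfig the container-supplied {@code javax.servlet.FilterConfig}. It is
     *                     imported explicitly (rather than via {@code javax.servlet.*}) so the
     *                     project's own {@code FilterConfig} @Configuration class cannot
     *                     shadow it if both ever share a package.
     * @throws ServletException declared by {@link Filter#init}; not thrown here
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String rawExcludes = filterConfig.getInitParameter("excludes");
        String rawEnabled = filterConfig.getInitParameter("enabled");

        if (rawExcludes != null && !rawExcludes.isEmpty()) {
            for (String entry : rawExcludes.split(",")) {
                // Trim so "a, b" in YAML does not produce a pattern that begins with a space
                // and therefore never matches; skip empty entries from stray commas.
                String pattern = entry.trim();
                if (pattern.isEmpty()) {
                    continue;
                }
                excludes.add(pattern);
                // Anchor at the start: an exclude is a prefix match on the servlet path.
                excludePatterns.add(Pattern.compile("^" + pattern));
            }
        }
        if (rawEnabled != null && !rawEnabled.isEmpty()) {
            // Anything other than (case-insensitive) "true" leaves the filter disabled.
            enabled = Boolean.parseBoolean(rawEnabled);
        }
    }

    /**
     * Wraps the request in {@code XssHttpServletRequestWrapper} unless the filter is disabled
     * or the servlet path matches an exclude pattern, in which case the original request is
     * passed down the chain unchanged.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (!enabled || isExcluded(httpRequest.getServletPath())) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
    }

    /**
     * Returns true when the servlet path starts with any configured exclude pattern.
     * Patterns are Java regular expressions, not Ant-style globs: "/user/*" means "/user"
     * followed by zero or more "/" characters, and "." matches any single character.
     *
     * NOTE(review): getServletPath() omits the context path and, when the DispatcherServlet
     * is mapped to a prefix rather than "/", also omits the path info - confirm against the
     * deployment before relying on exclude patterns.
     *
     * @param servletPath value of {@code HttpServletRequest#getServletPath()}; null is treated as ""
     * @return true if the path is excluded from filtering
     */
    boolean isExcluded(String servletPath) {
        if (excludePatterns.isEmpty()) {
            return false;
        }
        String path = servletPath == null ? "" : servletPath;
        for (Pattern pattern : excludePatterns) {
            if (pattern.matcher(path).find()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}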