SpringBoot Xss漏洞修復
阿新 • • 發佈:2022-03-31
SpringBoot Xss漏洞修復
xss是什麼就不贅述了,你看到這裡肯定也知道了。SpringBoot修復Xss漏洞有兩種方案:
1、過濾SQL、JS指令碼
1.1、新增pom依賴
<!-- Supplies org.apache.commons.text.StringEscapeUtils, the only class the wrapper and
     serializer below use; the version pinned here should be kept current with upstream releases. -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.4</version>
</dependency>
1.2、建立XssAndSqlHttpServletRequestWrapper
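package cn.vantee.util;

import org.apache.commons.text.StringEscapeUtils;
import org.springframework.util.StringUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that HTML-escapes request parameters before the application reads them.
 *
 * <p>Scope of what is covered: only the parameter accessors ({@link #getParameter},
 * {@link #getParameterValues} and {@link #getParameterMap}) are escaped. Headers, cookies,
 * the raw query string and the request body (for example a JSON payload read through
 * {@code getInputStream()}/{@code getReader()}) pass through untouched. Despite the class
 * name, no SQL-specific filtering is performed; SQL injection must be prevented with
 * parameterised queries at the data-access layer.
 *
 * <p>Because escaping happens on input, any value the application stores is persisted in
 * HTML-entity form. Consumers that are not HTML (APIs, reports, other services) will see the
 * entities, and a view layer that escapes again on output may double-encode the value.
 *
 * @author :[email protected]
 * @date :Created in 2022/3/31 16:46
 * @description:xss過濾
 * @modified By:
 * @version: 1.0.0
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Wraps the given request; all delegation goes through the superclass.
     *
     * @param request the original request, must not be null
     */
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the escaped single value of the named parameter, or null when absent.
     * Parameters that must carry HTML legitimately need their own code path; every
     * value goes through {@code StringEscapeUtils.escapeHtml4} here.
     */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /**
     * Returns escaped copies of all values of the named parameter, or null when absent.
     * A fresh array is returned so the container's own parameter storage is never mutated.
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Returns an unmodifiable view of all parameters with every value escaped, so callers
     * that read the map directly see the same data as callers of the single-value accessors.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** HTML-escapes one value; null and empty strings are returned as-is. */
    private static String escape(String value) {
        if (StringUtils.isEmpty(value)) {
            return value;
        }
        return StringEscapeUtils.escapeHtml4(value);
    }

    /** HTML-escapes every element of {@code values} into a new array; null stays null. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = escape(values[i]);
        }
        return copy;
    }
}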
1.3、建立XssStringJsonSerializer
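package cn.vantee.util;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.apache.commons.text.StringEscapeUtils;

import java.io.IOException;

/**
 * Jackson serializer that HTML-escapes every {@code String} it writes.
 *
 * <p>When registered on the primary {@code ObjectMapper}, this affects every JSON response
 * the application produces, including responses consumed by non-browser clients, which will
 * receive HTML entities instead of the original characters.
 *
 * @author :[email protected]
 * @date :Created in 2022/3/31 16:47
 * @description:xss過濾
 * @modified By:
 * @version: 1.0.0
 */
public class XssStringJsonSerializer extends JsonSerializer<String> {

    /** Tells the module which type this serializer handles. */
    @Override
    public Class<String> handledType() {
        return String.class;
    }

    /**
     * Writes {@code value} HTML-escaped; a null value is written as JSON {@code null}.
     *
     * <p>Writing nothing for null would leave a field name without a value and corrupt the
     * document, so a null token is emitted instead as a defensive fallback.
     *
     * @throws IOException if the generator cannot write
     */
    @Override
    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
            throws IOException {
        if (value == null) {
            jsonGenerator.writeNull();
            return;
        }
        jsonGenerator.writeString(StringEscapeUtils.escapeHtml4(value));
    }
}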
1.4、建立過濾器
package cn.vantee.filter;
import cn.vantee.util.XssAndSqlHttpServletRequestWrapper;
import cn.vantee.util.XssStringJsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* @author :[email protected]
* @date :Created in 2022/3/31 10:53
* @description:xss過濾
* @modified By:
* @version: 1.0.0
*/
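@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
@Component
public class XssFilter implements Filter {

    /** No configuration is read; nothing to initialise. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps HTTP requests in {@link XssAndSqlHttpServletRequestWrapper} so downstream code
     * reads escaped parameters. Non-HTTP requests are passed through untouched instead of
     * failing on the cast.
     *
     * <p>NOTE(review): the class carries both {@code @WebFilter} and {@code @Component}; if
     * {@code @ServletComponentScan} is also enabled the filter may be registered twice —
     * confirm in the running application.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            chain.doFilter(new XssAndSqlHttpServletRequestWrapper(httpRequest), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** No resources are held; nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Builds the primary {@link ObjectMapper} with the HTML-escaping {@code String}
     * serializer registered, so all JSON output is escaped as well.
     *
     * @param builder Spring's preconfigured mapper builder
     * @return the mapper used for JSON (not XML) responses
     */
    @Bean
    @Primary
    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
        xssModule.addSerializer(new XssStringJsonSerializer());
        objectMapper.registerModule(xssModule);
        return objectMapper;
    }
}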
@Primary 註解優先走這個Bean方法。
asyncSupported = true 配置支援非同步,async-supported 是 Servlet 3.0 後推出的新特性
1.5、驗證
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<!-- No method attribute, so the form submits with GET and "params" travels in the
     query string to /test, where the filter on "/*" escapes it. -->
<form action="/test">
<input type="text" name="params">
<input type="submit">
</form>
</body>
</html>
package cn.vantee.controller;
import cn.vantee.service.TestService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @author :[email protected]
* @date :Created in 2022/3/29 14:53
* @description:測試Controller
* @modified By:
* @version: 1.0.0
*/
@RestController
public class TestController {

    @Autowired
    public TestService testService;

    /**
     * Echoes the {@code params} request parameter back to the caller.
     *
     * <p>The value is printed to stdout exactly as received; with the XSS filter active on
     * {@code /*} it has already been HTML-escaped, but line breaks are not removed, so the
     * console line is whatever the client sent.
     *
     * @param params request parameter of the same name, may be null
     * @return the received value unchanged
     */
    @GetMapping("/test")
    public String test(String params) {
        final String echoed = params;
        System.out.println(echoed);
        return echoed;
    }
}
輸入:
<script>hello world</scrpit>
輸出:
<script>hello world</scrpit>
2、設定HttpOnly
2.1、什麼是HttpOnly
如果cookie中設定了HttpOnly屬性,那麼通過js指令碼將無法讀取到cookie資訊,這樣能有效的防止XSS攻擊竊取cookie內容,增加了cookie的安全性;即便如此,也不要將重要資訊存入cookie。XSS全稱Cross-Site Scripting,跨站指令碼攻擊,是Web程式中常見的漏洞,XSS屬於被動式且用於客戶端的攻擊方式,所以容易被忽略其危害性。其原理是攻擊者向有XSS漏洞的網站中輸入(傳入)惡意的HTML程式碼,當其它使用者瀏覽該網站時,這段HTML程式碼會自動執行,從而達到攻擊的目的。如,盜取使用者Cookie、破壞頁面結構、重定向到其它網站等。
2.2、如何設定
案例:
// HttpOnly only blocks script access to the cookie; the header as written sets neither
// Secure nor SameSite, which a cookie carrying session state should also have.
// The cookie value here is a constructed example.
response.addHeader("Set-Cookie", "username=123456; Path=/; HttpOnly")