Struts2修復xss攻擊
阿新 • • 發佈:2018-03-07
struts2 Xss攻擊預防概述
struts版本:2.3.4.1
tomcat版本:6
第一種修復方法
參考文章:https://yq.aliyun.com/articles/7126 (不過安全按照該方法無法修復,只能參考思路)
-
重寫StrutsPrepareAndExecuteFilter,註冊自定義Dispatcher
public class MStrutsPrepareAndExecuteFilter extends StrutsPrepareAndExecuteFilter { @Override public void init(FilterConfig filterConfig) throws ServletException { InitOperations init = new InitOperations(); try { FilterHostConfig config = new FilterHostConfig(filterConfig); init.initLogging(config); Dispatcher dispatcher = initDispatcher(config); init.initStaticContentLoader(config, dispatcher); prepare = new PrepareOperations(filterConfig.getServletContext(), dispatcher); execute = new ExecuteOperations(filterConfig.getServletContext(), dispatcher); this.excludedPatterns = init.buildExcludedPatternsList(dispatcher); postInit(dispatcher, filterConfig); } finally { init.cleanup(); } } /** * Creates and initializes the dispatcher */ public Dispatcher initDispatcher( HostConfig filterConfig ) { Dispatcher dispatcher = createDispatcher(filterConfig); dispatcher.init(); return dispatcher; } /** * Create a {@link Dispatcher} */ private Dispatcher createDispatcher(HostConfig filterConfig) { Map<String, String> params = new HashMap<String, String>(); for (Iterator e = filterConfig.getInitParameterNames(); e.hasNext();) { String name = (String) e.next(); String value = filterConfig.getInitParameter(name); params.put(name, value); } return new MDispatcher(filterConfig.getServletContext(), params); }
- 寫自定義Dispatcher,繼承Dispatcher,重寫createContextMap方法,將 Map params = new HashMap(request.getParameterMap());改行修改為 Map params = new HashMap(new ParamFormatWarp(request).getParameterMap());
-
ParamFormatWarp類參考如下
public class ParamFormatWarp extends HttpServletRequestWrapper { public ParamFormatWarp(HttpServletRequest request) { super(request); } private String clearXss(String value) { if (value == null || "".equals(value)) { return value; } value = stripXSSAndSql(value); return value; } /** * * 防止xss跨腳本攻擊(替換,根據實際情況調整) */ public String stripXSSAndSql(String value) { if (value != null) { Pattern scriptPattern = Pattern.compile("<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); } return value; } @Override public Map getParameterMap() { HashMap paramMap = (HashMap) super.getParameterMap(); paramMap = (HashMap) paramMap.clone(); for (Iterator iterator = paramMap.entrySet().iterator(); iterator.hasNext(); ) { Map.Entry entry = (Map.Entry ) iterator.next(); String [] values =(String[])entry.getValue(); for (int i = 0; i < values.length; i++) { if(values[i] instanceof String){ values[i] = clearXss(values[i]); } } entry.setValue(values); } return paramMap; } }
上面這種修改方法有可能在其他應用服務器下有問題,如http://zydky.iteye.com/blog/558973 ,我未測試,如有問題可按照如下方式過濾getParameterMap獲取的map http://blog.csdn.net/aeroleo/article/details/52204789
第二種方法
參照:http://blog.csdn.net/huplion/article/details/49001151 和
http://blog.csdn.net/huplion/article/details/49000309 一定要兩個鏈接一起看,否則不起作用,另外有一處代碼記得按照如下修改:
Map<String, Object> map = inaction.getParameters(); for (Map.Entry<String, Object> entry : map.entrySet()) { String[] values = ((String[]) (entry.getValue())); for (int i = 0; i < values.length; i++) { values[i]=XssUtil.clearXss(values[i]); } entry.setValue(values); }
為什麽存在values[[],有可能請求的鏈接是url?t=1&t=2&t=3
Struts2修復xss攻擊