1. 程式人生 > >Spring 防禦CSRF、XSS和SQL注入攻擊

Spring 防禦CSRF、XSS和SQL注入攻擊

對每個post請求的引數過濾一些關鍵字,替換成安全的,例如:< > ' " \ /  # &

方法是實現一個自定義的HttpServletRequestWrapper,然後在Filter裡面呼叫它,替換掉getParameter函式即可。

首先新增一個XssHttpServletRequestWrapper:

package com.ibm.web.beans;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }
    public String[] getParameterValues(String parameter) {
      String[] values = super.getParameterValues(parameter);
      if (values==null)  {
                  return null;
          }
      int count = values.length;
      String[] encodedValues = new String[count];
      for (int i = 0; i < count; i++) {
                 encodedValues[i] = cleanXSS(values[i]);
       }
      return encodedValues;
    }
    public String getParameter(String parameter) {
          String value = super.getParameter(parameter);
          if (value == null) {
                 return null;
                  }
          return cleanXSS(value);
    }
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return cleanXSS(value);
    }
    private String cleanXSS(String value) {
         //這裡特意 加多個空格.... 方便 csdn顯示 ,如 <  ==>  & lt;
        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
      value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
      value = value.replaceAll("'", "& #39;");
     value = value.replaceAll("eval\\((.*)\\)", "");
     value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
     value = value.replaceAll("script", "");
        return value;
    }

}


然後新增一個過濾器XssFilter :

package com.ibm.web.beans;

import java.io.IOException;  

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;

public class XssFilter implements Filter {
    FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        chain.doFilter(new XssHttpServletRequestWrapper(
                (HttpServletRequest) request), response);
    }
}


最後在web.xml裡面配置一下,所有的請求的getParameter會被替換,如果引數裡面 含有敏感詞會被替換掉:

  <filter>
     <filter-name>XssSqlFilter</filter-name>
     <filter-class>com.ibm.web.beans.XssFilter</filter-class>
  </filter>
  <filter-mapping>
     <filter-name>XssSqlFilter</filter-name>
     <url-pattern>/*</url-pattern>
     <dispatcher>REQUEST</dispatcher>
  </filter-mapping>