概念
xss攻擊:全稱跨站腳本攻擊,爲了不和層疊樣式表(Cascading Style Sheets, CSS)的縮寫混淆,故將跨站腳本攻擊縮寫爲XSS。XSS是一種web應用中的計算機安全漏洞,它允許惡意web用戶將代碼植入到提供給其它用戶使用的頁面中。
xss攻擊測試
//web環境
//表單輸入框輸入以下攻擊腳本,提交表單,可測試簡單腳本攻擊:
"/> <script>alert(document.cookie);</script><!--
"/><script>window.open("http://ncna2.com:9050/bwp/login.do?theAction=login¶m=")</script><!--
xss攻擊解決方案
1.使用攔截器,攔截攜帶敏感字符請求
2.使用過濾器實現,過濾敏感字符,這裏只介紹filter
2.1web.xml配置
<filter>
<filter-name>xssAndSQLFilter</filter-name>
<filter-class>*.XSSFilter</filter-class>
<init-param>
<param-name>excludeCSSandSQLs</param-name>
<param-value>para_value;theAction;password;userNosStr;userNos.user_no;url;icon;tlist;jobdirt;remark;REMARK;ename;packagename;filepath;urlpath;role.name;email;warning_email_content;ids</param-value>
</init-param>
<init-param>
<param-name>rejectCSSandSQLs</param-name>
<param-value>script;truncate;insert;select;delete;update;';";=;{;}; or ;(;);alert;confirm;cookie;|;$;+;/;,</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>xssAndSQLFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
2.2filter內部實現
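/**
 * Servlet filter that rejects request parameters whose value contains one of a configured
 * list of substrings (the {@code rejectCSSandSQLs} init-param plus a few built-in tokens).
 *
 * <p>This is a blacklist check and therefore only a first line of defence: it blocks a lot of
 * legitimate input (hence the long {@code excludeCSSandSQLs} list) and cannot cover every
 * encoding. Output encoding in the views and {@code PreparedStatement} for SQL remain the
 * primary protections.
 *
 * <p>Configuration lives in static fields so that the static {@link #checkSQLInject} can read it.
 * {@link #init} replaces the lists as a whole instead of mutating them, so a repeated
 * {@code init} no longer accumulates duplicate tokens and a concurrent {@link #doFilter}
 * always sees a complete list.
 */
public class XSSFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(XSSFilter.class);

    /** Tokens always rejected in addition to the configured list. */
    private static final String BUILTIN_REJECTS = ";<;>;%;&";

    /** Parameter names that are never checked (init-param {@code excludeCSSandSQLs}). */
    private static List<String> excludeCSSandSQLs = Collections.emptyList();

    /** Substrings whose presence in a parameter value rejects the request (init-param {@code rejectCSSandSQLs}). */
    private static List<String> rejectCSSandSQLs = Collections.emptyList();

    /**
     * Reads both init-params. A missing param is treated as empty: the original code threw an
     * NPE for a missing exclude list and, for a missing reject list, silently added the literal
     * token {@code "null"} via string concatenation.
     *
     * @param filterConfig the filter configuration from web.xml
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String excludeRaw = nullToEmpty(filterConfig.getInitParameter("excludeCSSandSQLs")).trim();
        String rejectRaw = nullToEmpty(filterConfig.getInitParameter("rejectCSSandSQLs")) + BUILTIN_REJECTS;

        List<String> excludes = splitTokens(excludeRaw);
        List<String> rejects = splitTokens(rejectRaw);
        // ';' is the list separator and so cannot be expressed in the init-param itself.
        rejects.add(";");

        excludeCSSandSQLs = Collections.unmodifiableList(excludes);
        rejectCSSandSQLs = Collections.unmodifiableList(rejects);
    }

    /**
     * Checks every value of every non-excluded parameter; on the first hit forwards to the
     * error page and stops. The original implementation {@code break}-ed out of the loop but
     * still called {@code chain.doFilter}, so the rejected request was processed anyway.
     *
     * @param arg0  the request (cast to {@link HttpServletRequest}; the mapping is {@code *.do})
     * @param arg1  the response
     * @param chain the remaining filter chain
     */
    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;
        String pathInfo = request.getPathInfo() == null ? "" : request.getPathInfo();
        String url = request.getServletPath() + pathInfo;

        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            // getParameter() returns only the first value; a payload in a repeated parameter
            // (?q=safe&q=<...>) would otherwise slip through, so every value is checked.
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            boolean secret = name.toLowerCase().contains("password");
            boolean excluded = excludeCSSandSQLs.contains(name);
            for (String value : values) {
                if (!secret) {
                    // Parameter values can carry personal data; keep this at debug level.
                    log.debug("{}=={}", name, value);
                }
                if (!excluded && checkSQLInject(value, url)) {
                    // The offending value is reflected into the error page; escape it here so the
                    // filter itself cannot become an XSS sink. If xsserrorInfo.jsp already
                    // escapes errMsg the only effect is a doubly-escaped (still harmless) display.
                    request.setAttribute("errMsg", "xss或sql攻擊攔截,包含敏感字符" + htmlEscape(value));
                    request.getRequestDispatcher("/WEB-INF/xsserrorInfo.jsp").forward(request, response);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /** Nothing to release: the configuration is static and immutable. */
    @Override
    public void destroy() {
    }

    /**
     * Tests a string for any of the rejected tokens.
     *
     * @param str the string to check; {@code null} or empty is considered clean
     * @param url the request URL, used for logging only
     * @return {@code true} if the string contains a rejected token, {@code false} otherwise
     */
    public static boolean checkSQLInject(String str, String url) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        String hit = findRejectedToken(str, rejectCSSandSQLs);
        if (hit == null) {
            return false;
        }
        // Only the URL and the matched token are logged. The original logged the full value
        // whenever the *token* did not contain "password", which is never the case, so
        // credentials and other sensitive values ended up in the log.
        log.info("xss或者sql注入防攻擊攔截url:{},原因:特殊字符,包含特殊字符:{}", url, hit);
        return true;
    }

    /**
     * Returns the first token of {@code tokens} that occurs in {@code value}, or {@code null}
     * if none does.
     *
     * @param value  non-null string to search
     * @param tokens candidate substrings, checked in order
     */
    static String findRejectedToken(String value, List<String> tokens) {
        for (String token : tokens) {
            if (value.contains(token)) {
                return token;
            }
        }
        return null;
    }

    /**
     * Splits a {@code ;}-separated init-param into tokens, dropping empty entries.
     * An empty token would match every value ({@code "x".contains("") == true}) and block all
     * requests. Tokens are deliberately not trimmed: entries such as {@code " or "} rely on
     * their surrounding spaces.
     *
     * @param raw the raw init-param text (never null)
     * @return a mutable list of non-empty tokens in configuration order
     */
    static List<String> splitTokens(String raw) {
        List<String> tokens = new ArrayList<String>();
        for (String token : raw.split(";")) {
            if (!token.isEmpty()) {
                tokens.add(token);
            }
        }
        return tokens;
    }

    /** Maps a missing init-param to the empty string. */
    private static String nullToEmpty(String s) {
        return s == null ? "" : s;
    }

    /**
     * Minimal HTML escaping for text that will be rendered inside an HTML page.
     *
     * @param s non-null text
     * @return {@code s} with {@code & < > " '} replaced by their entity forms
     */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
}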
3.登錄密碼加密建議使用非對稱加密RSA或者對稱加密AES等等。注意前端加密只保護傳輸中的明文,不能替代HTTPS;服務端仍應以bcrypt/scrypt/argon2等方式存儲密碼雜湊,而不是直接存儲解密後的密碼。
AES詳見:AES前端加密後端解密
RSA詳見:RSA前端加密後端解密