解決跨站腳本注入問題

===========================問題描述========================
跨站腳本注入的幾種形式

*****="/><script>alert(document.cookie)</script>&passwd=&ok.x=28&ok.y=6


******="/><script>window.open("http://www.baidu.com")</script>

/document/ifr_list_managerHalfway.jsp?subFrame=managerHalfway&Page=2&Pages=2&Count=15&docsfrom="/><script>window.open("http://www.baidu.com")</script>

document/ifr_list_managerHalfway.jsp?docucode=&organiger=&manageEntityId=&Page=1&queryOwn=0&procstatus=&docsfrom=5&subFrame=managerHalfway&docsfrom=5&beginDate=&cbt=&procid=&cfwdw=&wenhao=%5C0%5C%22%5C%27%3E%3CScRiPt%3Ealert%28/shtec%2Bxss%2Btest/%29%3B%3C/ScRiPt%3E


document/ifr_list_managerHalfway.jsp?docucode=&organiger=&manageEntityId=&Page=1&queryOwn=0&procstatus=&docsfrom=5&subFrame=managerHalfway&docsfrom=5&beginDate=&cbt=&procid=&cfwdw="/><script>window.open("http://www.baidu.com")</script>&wenhao="/><script>window.open("http://www.baidu.com")</script>


以上幾種跨站腳本注入都會使頁面無法正常顯示

 

解決方案

1. 增加一個對 request 參數進行轉碼的過濾器=======================

package com.apusic.portal.sso;

import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.*; import java.util.*;

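/**
 * Servlet filter that neutralises reflected cross-site scripting (XSS) in
 * request parameters before a JSP reads them.
 *
 * <p>Despite its name (kept because web.xml refers to it) this filter does
 * nothing for SQL: it HTML-encodes the characters that let a parameter value
 * break out of an HTML text node, an attribute value or a script call.
 *
 * <p>The filter wraps the request so that {@code getParameter},
 * {@code getParameterValues} and {@code getParameterMap} all return the
 * encoded values. The earlier version cleaned a copy of the values returned
 * by {@code getParameterValues} and stored it as a request attribute, which
 * left the real parameters - the ones a JSP reads - unchanged.
 *
 * <p>This is defence in depth only: the complete fix is to HTML-encode every
 * value at the point where the JSP writes it into the page (for example with
 * JSTL's {@code <c:out>}, which escapes by default). An input filter cannot
 * know in which output context a value will end up.
 */
public class SqlEscapeFilter implements Filter {

    /** Default constructor; the filter holds no per-instance state. */
    public SqlEscapeFilter() {
    }

    /** @see Filter#destroy() */
    public void destroy() {
        // nothing to release
    }

    /**
     * Wraps HTTP requests so that every parameter value the downstream JSP
     * reads has already been HTML-encoded; non-HTTP requests pass through
     * untouched instead of failing on a cast.
     *
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            XssRequestWrapper wrapped = new XssRequestWrapper((HttpServletRequest) request);
            // The previous version exposed the cleaned values only as request
            // attributes keyed by parameter name; keep that for any page that
            // came to rely on it. A copy is stored so the wrapper's map stays
            // immutable.
            for (Map.Entry<String, String[]> e : wrapped.getParameterMap().entrySet()) {
                wrapped.setAttribute(e.getKey(), e.getValue().clone());
            }
            chain.doFilter(wrapped, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** @see Filter#init(FilterConfig) */
    public void init(FilterConfig fConfig) throws ServletException {
        // no configuration parameters are read
    }

    /**
     * HTML-encodes the characters that can terminate a text node, an attribute
     * value or a JavaScript call in the generated page: {@code < > " ' ( )}.
     * Package-private and static so it can be unit-tested without a servlet
     * container.
     *
     * <p>Ampersands are left alone, as before, so values that already contain
     * entities are not double-encoded. The double quote is new: the published
     * version did not encode it, yet every sample payload starts by closing an
     * attribute with {@code "}. The entities are written without the space the
     * published version contained ({@code & lt;}), which a browser shows
     * literally instead of as {@code <}.
     *
     * <p>The keyword blacklist was dropped: removing the substring
     * {@code script} corrupted ordinary words such as "description", a
     * substring blacklist is easily bypassed by case or nesting variants, and
     * the two regex lines for {@code eval(...)} and {@code javascript:} could
     * never match because the quotes and parentheses they looked for had
     * already been encoded by the preceding lines.
     *
     * @param value raw parameter value, may be null
     * @return the encoded value, or null when {@code value} is null
     */
    static String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '(':
                    sb.append("&#40;");
                    break;
                case ')':
                    sb.append("&#41;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Request view whose parameter accessors return HTML-encoded values.
     * The cleaned map is built once per request and is unmodifiable; the
     * parameter names and every other accessor delegate to the real request.
     */
    private static final class XssRequestWrapper extends HttpServletRequestWrapper {

        private final Map<String, String[]> cleaned;

        @SuppressWarnings("unchecked") // Servlet 2.x declares getParameterMap() as a raw Map
        XssRequestWrapper(HttpServletRequest request) {
            super(request);
            Map<String, String[]> raw = request.getParameterMap();
            Map<String, String[]> out = new LinkedHashMap<String, String[]>();
            for (Map.Entry<String, String[]> e : raw.entrySet()) {
                String[] src = e.getValue();
                String[] dst = new String[src == null ? 0 : src.length];
                for (int i = 0; i < dst.length; i++) {
                    dst[i] = cleanXSS(src[i]);
                }
                out.put(e.getKey(), dst);
            }
            cleaned = Collections.unmodifiableMap(out);
        }

        /** First encoded value for {@code name}, or null if the parameter is absent. */
        public String getParameter(String name) {
            String[] v = cleaned.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        /** Copy of the encoded values for {@code name}, or null if absent. */
        public String[] getParameterValues(String name) {
            String[] v = cleaned.get(name);
            return v == null ? null : v.clone();
        }

        /** Unmodifiable map of every parameter to its encoded values. */
        public Map<String, String[]> getParameterMap() {
            return cleaned;
        }
    }

}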


 


2. 在 web.xml 中註冊過濾器================================

<!-- Request-parameter XSS filter; the class name is historical, it does not touch SQL. -->
<filter>
     <display-name>SqlEscapeFilter</display-name>
     <filter-name>SqlEscapeFilter</filter-name>
     <filter-class>com.apusic.portal.sso.SqlEscapeFilter</filter-class>
   </filter>
    <!-- Only direct requests whose path ends in .jsp go through the filter:
         servlets and other URL patterns are not covered. Without a
         <dispatcher> element only REQUEST dispatches are filtered
         (Servlet 2.4+), so a request a servlet forwards to a JSP needs
         <dispatcher>FORWARD</dispatcher> added here to be cleaned. -->
    <filter-mapping>
     <filter-name>SqlEscapeFilter</filter-name>
     <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

 
