SpringBoot 防禦Xss基本攻擊之Filter攔截

什麼是Xss

答:百度百科中有詳細介紹:https://baike.baidu.com/item/xss/917356

方案

建立過濾器,將頁面請求中含有 sql 或者 js 腳本的語句過濾掉,再去請求服務端接口。

步驟

  • SpringBoot pom.xml 引入
      <dependency>
           <groupId>org.apache.commons</groupId>
           <artifactId>commons-text</artifactId>
           <version>1.4</version>
       </dependency>
  • 新建XssAndSqlHttpServletRequestWrapper
package com.vtax.base.filter;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
/**
 * 
 * @ClassName:  XssAndSqlHttpServletRequestWrapper   
 * @Description:TODO(xxsfileter 包裝類)   
 * @author: drj 
 * @date:   2019年5月29日 下午5:02:55   
 *     
 * @Copyright: 2019 
 *
 */
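/**
 * Request wrapper that HTML-escapes every request parameter before it reaches
 * the servlet / controller layer.
 *
 * <p>Despite the "AndSql" in the class name, the only transformation applied is
 * {@link StringEscapeUtils#escapeHtml4(String)}; nothing SQL-specific happens
 * here, so SQL injection still has to be prevented with parameterized queries
 * in the data layer.
 *
 * <p>Escaping happens on input, so the escaped form (for example {@code &lt;})
 * is what the application sees and stores. The original author's note: if a
 * parameter legitimately carries HTML, it has to be excluded by name from the
 * {@code escapeHtml4} call; no such allow-list is implemented in this class.
 *
 * <p>Only the parameter accessors are overridden. Headers, cookies, the query
 * string and the request body ({@code getInputStream} / {@code getReader})
 * are returned unchanged.
 *
 * @author drj
 * @date 2019年5月29日 下午5:02:55
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; every accessor not overridden here
     *                delegates to it through the superclass
     */
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the HTML-escaped single value, or {@code null} / {@code ""}
     *         unchanged when the parameter is absent or empty
     */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /**
     * Returns an escaped <em>copy</em> of the values. The array handed back by
     * the wrapped request is not modified in place, because the Servlet API
     * does not promise that it is a private copy.
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Consumers that read the whole map (for example a {@code @RequestParam Map}
     * argument) bypass {@link #getParameter} and {@link #getParameterValues},
     * so the map has to be escaped as well or the wrapper is silently skipped
     * for them. The returned map is a read-only snapshot.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> source = super.getParameterMap();
        if (source == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(source.size());
        for (Map.Entry<String, String[]> entry : source.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Escapes one value; null and empty strings pass through untouched. */
    private static String escape(String value) {
        return StringUtils.isEmpty(value) ? value : StringEscapeUtils.escapeHtml4(value);
    }

    /** Escapes each element into a fresh array; a null array stays null. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = escape(values[i]);
        }
        return copy;
    }
}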

  • 新建請求Json格式的解析 XssStringJsonSerializer
package com.vtax.base.filter;

import java.io.IOException;

import org.apache.commons.text.StringEscapeUtils;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
/**
 * 
 * @ClassName:  XssStringJsonSerializer   
 * @Description:TODO(實現過濾json類型)   
 * @author: drj 
 * @date:   2019年5月29日 下午5:12:49   
 *     
 * @Copyright: 2019 
 *
 */
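/**
 * Jackson serializer that HTML-escapes every {@code String} while JSON is being
 * <em>written</em>.
 *
 * <p>Being a {@link JsonSerializer}, it runs during response serialization, not
 * when a request body is parsed; incoming JSON is not touched by this class.
 * A value that was already escaped on input (for example by a request wrapper
 * applying the same {@code escapeHtml4}) is escaped a second time here, so
 * {@code &lt;} comes back out as {@code &amp;lt;} when such a value is echoed.
 *
 * @author drj
 * @date 2019年5月29日 下午5:12:49
 */
public class XssStringJsonSerializer extends JsonSerializer<String> {

    /** Lets {@code SimpleModule.addSerializer(JsonSerializer)} bind this to {@code String}. */
    @Override
    public Class<String> handledType() {
        return String.class;
    }

    /**
     * Writes the HTML-escaped value. A {@code null} is written as a JSON null
     * rather than skipped: writing nothing after a field name would leave the
     * document malformed should Jackson ever route a null through here.
     *
     * @throws IOException propagated from the generator
     */
    @Override
    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
            throws IOException {
        if (value == null) {
            jsonGenerator.writeNull();
            return;
        }
        jsonGenerator.writeString(StringEscapeUtils.escapeHtml4(value));
    }

}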

  • 最後就是如何調用他們呢?當然是過濾器XssFilter
package com.vtax.base.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

/**
 * 
 * @ClassName: XssFilter
 * @Description:TODO(防止xss 的過濾器)
 * @author: drj
 * @date: 2019年5月29日 下午5:05:51
 * 
 * @Copyright: 2019
 *
 */
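@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
@Component
public class XssFilter implements Filter {

    /** The filter holds no state, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Wraps each HTTP request in {@link XssAndSqlHttpServletRequestWrapper} so
     * that the parameter accessors hand escaped values to downstream code.
     * Anything that is not an {@link HttpServletRequest} is passed through
     * unchanged instead of failing with a {@code ClassCastException}.
     *
     * <p>The wrapper escapes request parameters only; a JSON request body,
     * headers and cookies reach the controllers as sent.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            chain.doFilter(new XssAndSqlHttpServletRequestWrapper(req), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** No settings are read from the filter configuration. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Replaces the default {@code ObjectMapper} ({@code @Primary}) with one that
     * registers {@link XssStringJsonSerializer}, so every {@code String} is
     * HTML-escaped when JSON responses are written.
     *
     * <p>This affects serialization only: request bodies are still parsed
     * unescaped, and a parameter value that came in through the request wrapper
     * is escaped a second time if it is echoed back in a response.
     *
     * @param builder Spring's pre-configured Jackson builder
     * @return the mapper with the XSS module registered
     */
    @Bean
    @Primary
    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
        xssModule.addSerializer(new XssStringJsonSerializer());
        objectMapper.registerModule(xssModule);
        return objectMapper;
    }
}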

@Primary 註解優先走這個Bean方法。
asyncSupported = true 配置支持異步;asyncSupported 是 Servlet 3.0 後推出的新特性。

總結

測試攻擊腳本

<script>alert('drj')</script>

其他測試腳本可以參考這篇文章:https://blog.csdn.net/u012610902/article/details/80994242 ,裡面寫得挺多,可以測試看看效果。
