1,XSS 攻击
XSS攻击使用Javascript脚本注入进行攻击 例如在提交表单后,展示到另一个页面,可能会受到XSS脚本注入,读取本地cookie远程发送给黑客服务器端。 <script>alert('sss')</script> <script>window.location.href='http://www.itmayiedu.com';</script> 对应html源代码: <script>alert('sss')</script>
因为浏览器默认支持脚本执行,提交表单时候,如果有脚本语言,可能就浏览器就直接执行了。
index.ftl:
<!DOCTYPE html> <html> <head lang="en"> <meta charset="UTF-8" /> <title></title> </head> <body> <form action="postIndex" method="post"> 输入内容: <input type="text" name="name"> <br> <input type="submit"> </form> </body> </html>
forward.ftl:
<!DOCTYPE html> <html> <head lang="en"> <meta charset="UTF-8" /> <title></title> </head> <body> <form action="postIndex" method="post"> 输入内容: <input type="text" name="name"> <br> <input type="submit"> </form> </body> </html>
controller:
@Controller public class Index { @RequestMapping("/index") public String index() { return "index"; } // 接受頁面 參數 @RequestMapping("/postIndex") public String postIndex(HttpServletRequest request) { request.setAttribute("name", request.getParameter("name")); return "forward"; } }
当调用index 的方法,进入到index.ftl ,提交表单,进去到postIndex 的方法,找到forward 页面,页面渲染。
但是如果如果提交是脚本语言,可能就浏览器就直接执行了
解决方式:通过过滤器(拦截器),对请求进行拦截,然后对其中的参数中的特别字符进行特别转换成html 语言
例如:
<script>alert('sss')</script> 转成 <script>alert('sss')</script> 这样浏览器就不会把他们当成标签
重新封装HttpServletRequestWrapper,用来获取HttpServletRequest 请求的参数等
/** * 功能说明: * 功能作者: * 创建日期: * 版权归属:每特教育|蚂蚁课堂所有 www.itmayiedu.com */ package com.aiyuesheng.http; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringUtils; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { private HttpServletRequest request; /** * @param request */ public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); this.request = request; } @Override public String getParameter(String name) { // 获取之前的参数 String olValue = super.getParameter(name); System.out.print("原来参数:" + olValue); if (!StringUtils.isEmpty(olValue)) { olValue = StringEscapeUtils.escapeHtml(olValue); System.out.println("转换后" + olValue); } System.out.println(); return olValue; } }
过滤器:
package com.aiyuesheng.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import com.aiyuesheng.http.XssHttpServletRequestWrapper; @WebFilter(filterName = "xssFilter", urlPatterns = "/*") public class XssFilter implements Filter { public void init(FilterConfig filterConfig) throws ServletException { } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // 程序防止XSS攻击原理 // 1. 使用过滤器拦截所有参数 HttpServletRequest req = (HttpServletRequest) request; // 2.重新getParameter方法 XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper(req); // 放行程序,继续往下执行 chain.doFilter(xssHttpServletRequestWrapper, response); } public void destroy() { } }
启动类上加上@ServletComponentScan
在 SpringBootApplication 上使用@ServletComponentScan 注解后,Servlet、Filter、Listener 可以直接通过 @WebServlet、@WebFilter、@WebListener 注解自动注册,无需其他代码
import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.web.servlet.ServletComponentScan; @SpringBootApplication @ServletComponentScan public class App { public static void main(String[] args) { SpringApplication.run(App.class, args); } }