对于程序员来说安全防御,无非从两个方面考虑,要么前端要么后台。
一、首先从前端考虑过滤一些非法字符。
前端的主控js中,在<textarea> 输入框标签中,
找到点击发送按钮后,追加到聊天panel前 进行过滤Input输入内容
// 过滤XSS反射型漏洞 filterInputTxt: function (html) { html = html.replace(/(.*<[^>]+>.*)/g,""); // HTML标记 html = html.replace(/([ ])[s]+/g, ""); // 换行、空格 html = html.replace(/<!--.*-->/g, ""); // HTML注释 html = html.replace(/['"‘’“”!@#$%^&*{}!¥()()×+=]/g, ""); // 非法字符 html = html.replace("alert",""); html = html.replace("eval",""); html = html.replace(/(.*javascript.*)/gi,""); if (html === "") { html = "你好"; } return html; }
二、在后台API服务解决反射型XSS漏洞
thinking:一般来说前端可以过滤一下基本的非法恶意代码攻击,如果恶意脚本被请求到服务端啦,那么就需要请求参数未请求接口前进行过滤一些非法字符。
handle:1、自定义过滤器实现Filter接口
2、在doFilter方法中对request、response进行设置处理
##处理request请求参数。
package com.eastrobot.robotdev.filter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; /** * 〈一句话功能简述〉<br> * TODO(解决反射型XSS漏洞攻击) * * @author han.sun * @version 1.0.0 * @since 2019/2/28 11:39 */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { /** * 定义script的正则表达式 */ private static final String REG_SCRIPT = "<script[^>]*?>[\s\S]*?</script>"; /** * 定义style的正则表达式 */ private static final String REG_STYLE = "<style[^>]*?>[\s\S]*?</style>"; /** * 定义HTML标签的正则表达式 */ private static final String REG_HTML = "<[^>]+>"; /** * 定义所有w标签 */ private static final String REG_W = "<w[^>]*?>[\s\S]*?</w[^>]*?>"; private static final String REG_JAVASCRIPT = ".*javascript.*"; XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } @SuppressWarnings("rawtypes") @Override public Map<String, String[]> getParameterMap() { Map<String, String[]> requestMap = super.getParameterMap(); for (Object o : requestMap.entrySet()) { Map.Entry me = (Map.Entry) o; String[] values = (String[]) me.getValue(); for (int i = 0; i < values.length; i++) { values[i] = xssClean(values[i]); } } return requestMap; } @Override public String[] getParameterValues(String paramString) { String[] values = super.getParameterValues(paramString); if (values == null) { return null; } int i = values.length; String[] result = new String[i]; for (int j = 0; j < i; j++) { result[j] = xssClean(values[j]); } return result; } @Override public String getParameter(String paramString) { String str = super.getParameter(paramString); if (str == null) { return null; } return xssClean(str); } @Override public String getHeader(String paramString) { String str = super.getHeader(paramString); if (str == null) { return null; } str = str.replaceAll("[ ]", ""); return xssClean(str); } /** * [xssClean 过滤特殊、敏感字符] * @param value [请求参数] * @return [value] */ private String xssClean(String value) { if (value == null || "".equals(value)) { return value; } Pattern pw = Pattern.compile(REG_W, Pattern.CASE_INSENSITIVE); Matcher mw = pw.matcher(value); value = mw.replaceAll(""); Pattern script = Pattern.compile(REG_SCRIPT, Pattern.CASE_INSENSITIVE); value = script.matcher(value).replaceAll(""); Pattern style = Pattern.compile(REG_STYLE, Pattern.CASE_INSENSITIVE); value = style.matcher(value).replaceAll(""); Pattern htmlTag = Pattern.compile(REG_HTML, Pattern.CASE_INSENSITIVE); value = htmlTag.matcher(value).replaceAll(""); Pattern javascript = Pattern.compile(REG_JAVASCRIPT, Pattern.CASE_INSENSITIVE); value = javascript.matcher(value).replaceAll(""); return value; } }
##自定义Filter过滤器。
package com.eastrobot.robotdev.filter; import javax.servlet.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * 〈在服务器端对 Cookie 设置了HttpOnly 属性, * 那么js脚本就不能读取到cookie, * 但是浏览器还是能够正常使用cookie〉<br> * TODO(禁用js脚步读取用户浏览器中的Cookie) */ @WebFilter(filterName="xssFilter",urlPatterns= {"/*"}) @Order(FilterRegistrationBean.LOWEST_PRECEDENCE) public class XssFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; // 解决动态脚本获取网页cookie,将cookie设置成HttpOnly String sessionId = req.getSession().getId(); resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionId + "; HttpOnly"); resp.setHeader("x-frame-options", "SAMEORIGIN"); chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response); } @Override public void destroy() { } }