Notes on fixing XSS attacks in a Java Web project (tested, it works)
- What is an XSS attack
Simply put, an XSS attack is malicious code being injected into a page. Baidu has piles of material on it, so I won't go into it.
- The system is built on the SSM stack (Spring + SpringMVC + MyBatis), with DubboX in the service layer.
Why mention this? Because with SpringMVC, XSS needs special handling: parameters reach controllers through Spring's data binding, so whatever you do has to sit in front of it, at the servlet level.
- Approach
The idea behind any XSS tool is the same: intercept the parameters the client submits, filter their values, and neutralise the illegal characters.
But requests come in two flavours, GET and POST, and different kinds of request need different handling: query-string and form parameters can be read through getParameter, whereas a JSON body or a multipart upload has to be read from the request stream.
One caveat before the code: filtering on the way in is a coarse safety net, not a replacement for output encoding. Whatever the filter escapes is what gets stored, so a view that also escapes on output will show doubly escaped text, and a value that is later used outside HTML (in JSON, in a URL, in an e-mail) carries HTML entities it never needed.
- Steps:
1. GET requests, POST requests that are not file uploads (forms submitted without enctype="multipart/form-data"), JSON requests and the like
1) Configure the filter in web.xml
```xml
<!-- XSS filter -->
<filter>
    <filter-name>XssSqlFilter</filter-name>
    <filter-class>cn.ffcs.web.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssSqlFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```
With only `<dispatcher>REQUEST</dispatcher>`, the filter runs on the original client request and not on server-side forwards or includes; that is fine as long as nothing re-reads raw parameters after a forward.
2) The filter implementation, XssFilter.java. Some special requests must not be filtered (payment callbacks and the like), and they are let through here. Two things to be aware of in this code: the bypass list is a substring match on the request URI, so any URI that merely contains one of those words anywhere in its path is exempt (and "refund" already covers "refundNotify"); prefer exact paths or fixed prefixes. And the catch block only logs and then lets the request continue unwrapped, i.e. the filter fails open: if wrapping ever throws, the controller sees the raw parameters.
```java
package cn.ffcs.web.filter;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.OncePerRequestFilter;

public class XssFilter extends OncePerRequestFilter {
    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String uri = request.getRequestURI();
        // Special URLs bypass the filter. Note this is substring matching: any URI
        // containing one of these words is exempt, and "refund" already covers "refundNotify".
        boolean skip = uri.contains("receipt") || uri.contains("mobile/buildingMgr")
                || uri.contains("bestPay") || uri.contains("backNotify") || uri.contains("frontNotify")
                || uri.contains("queryOrder") || uri.contains("refundNotify") || uri.contains("refund")
                || uri.contains("reverse");

        HttpServletRequest target = request;
        if (!skip) {
            try {
                // Wrap the request so that every parameter read goes through the sanitizing wrapper.
                target = new XssHttpServletRequestWrapper(request);
            } catch (Exception e) {
                // Fail-open: if wrapping fails, the request continues unfiltered.
                logger.error("XSS filter: failed to wrap the request object", e);
            }
        }
        // Only the wrapping is inside the try, so an exception thrown further down
        // the chain is not mistaken for a wrapping failure and the chain is not run twice.
        chain.doFilter(target, response);
    }
}
```
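The wrapper that the filter above instantiates, `XssHttpServletRequestWrapper`, is not shown on this page. What follows is an added example of one, written for this edit and not the post author's class. It realises the approach described under "Approach" (intercept the submitted values and neutralise the dangerous characters) for the request kinds of step 1: query-string and form parameters through `getParameter*`, and JSON bodies through `getInputStream()`/`getReader()`. It escapes rather than strips (so `<` becomes `&lt;` instead of silently disappearing), walks a JSON body as a tree so that only string values are touched and the JSON structure stays valid, and leaves multipart uploads alone, as step 1 does. Assumptions: the `cn.ffcs.web.filter` package from the page, Servlet 3.1 (for the three non-`read` methods of `ServletInputStream`), and Jackson 2.x on the classpath, which a SpringMVC project that uses `@RequestBody` already has.

```java
package cn.ffcs.web.filter; // assumed: same package as the XssFilter above

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.node.*;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Sanitized JSON body re-serialized as UTF-8, or null when the request is not application/json.
    private final byte[] body;

    public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        String ct = request.getContentType();
        if (ct != null && ct.toLowerCase(Locale.ROOT).startsWith("application/json")) {
            // The raw stream can be read only once, so parse, sanitize and cache it here.
            // Malformed JSON makes readTree throw; the calling filter decides what happens then.
            JsonNode root = MAPPER.readTree(request.getInputStream());
            body = (root == null || root.isMissingNode()) ? new byte[0] : MAPPER.writeValueAsBytes(sanitizeJson(root));
        } else {
            body = null; // form bodies are reached through getParameter*, not the raw stream
        }
    }

    // HTML-escape the five characters that matter in text and attribute context.
    static String clean(String value) {
        if (value == null) return null;
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escape every string leaf of a JSON tree in place; keys, numbers and booleans are untouched.
    static JsonNode sanitizeJson(JsonNode node) {
        if (node.isTextual()) return new TextNode(clean(node.asText()));
        if (node.isObject()) {
            ObjectNode obj = (ObjectNode) node;
            List<String> names = new ArrayList<>();
            obj.fieldNames().forEachRemaining(names::add); // copy the names before mutating
            for (String name : names) obj.set(name, sanitizeJson(obj.get(name)));
        } else if (node.isArray()) {
            ArrayNode arr = (ArrayNode) node;
            for (int i = 0; i < arr.size(); i++) arr.set(i, sanitizeJson(arr.get(i)));
        }
        return node;
    }

    @Override public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    @Override public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) return null;
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) out[i] = clean(values[i]);
        return out;
    }

    @Override public Map<String, String[]> getParameterMap() {
        // SpringMVC data binding (@RequestParam, @ModelAttribute) reads this map, so escape it too.
        Map<String, String[]> out = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) out.put(name, getParameterValues(name));
        return out;
    }

    @Override public ServletInputStream getInputStream() throws IOException {
        if (body == null) return super.getInputStream();
        final ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() { // isFinished/isReady/setReadListener are the Servlet 3.1 API
            @Override public int read() { return in.read(); }
            public boolean isFinished() { return in.available() == 0; }
            public boolean isReady() { return true; }
            public void setReadListener(ReadListener listener) { }
        };
    }

    @Override public BufferedReader getReader() throws IOException {
        if (body == null) return super.getReader();
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }
}
```

No extra wiring is needed: the XssFilter above already does `new XssHttpServletRequestWrapper(request)`. Because the constructor reads and parses a JSON body, an unparsable body throws `IOException` there; with the filter's catch block as written, that is logged and the request continues unwrapped, after which Spring's own `@RequestBody` parsing rejects it with a 400. A `<script>` in a form field, a query string or a JSON string value arrives in the controller as `&lt;script&gt;`, while numbers, booleans and object keys in the JSON are untouched, so binding to POJOs still works.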