XSS攻击通常指的是利用网页开发时留下的漏洞,通过巧妙的方法将恶意指令代码注入到网页,使用户加载并执行攻击者恶意制造的网页程序。这些恶意网页程序通常是JavaScript,但实际上也可以包括Java、VBScript、ActiveX、Flash或者甚至是普通的HTML。攻击成功后,攻击者可能得到包括但不限于更高的权限(如执行一些操作)、私密网页内容、会话和cookie等各种内容。
XSSFilter
import javax
.servlet
.*
;
import javax
.servlet
.http
.HttpServletRequest
;
import java
.io
.IOException
;
import java
.util
.ArrayList
;
import java
.util
.List
;
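public class XSSFilter implements Filter {

    /**
     * Request URIs that bypass HTML escaping entirely. Matching is an exact comparison
     * against {@link HttpServletRequest#getRequestURI()}; the list is populated once in
     * {@link #init(FilterConfig)}.
     */
    final List<String> passList = new ArrayList<>();

    /**
     * Registers the URIs whose parameters must not be escaped (upload and login endpoints).
     *
     * @param filterConfig the container-supplied filter configuration (not used here)
     * @throws ServletException declared by the {@link Filter} contract; not thrown by this method
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        passList.add("/image/upload");
        passList.add("/adminLogin");
        passList.add("/admin/annex/upload");
        passList.add("/uscLogin");
    }

    /**
     * Wraps every HTTP request whose URI is not in {@link #passList} in an
     * {@link XSSRequestWrapper}, so downstream code reads HTML-escaped parameter values.
     * Listed URIs and non-HTTP requests are passed down the chain unchanged.
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the outgoing response (passed through untouched)
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        // Only HTTP requests can be wrapped; pass anything else through instead of
        // failing the whole request with a ClassCastException.
        if (!(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        // Exact match on the raw URI: an unlisted or differently-encoded path is still
        // escaped, so the skip list fails closed. Note that getRequestURI() includes the
        // context path, so under a non-root deployment these entries may never match —
        // confirm against the deployment.
        String requestURI = request.getRequestURI();
        if (passList.contains(requestURI)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            filterChain.doFilter(new XSSRequestWrapper(request), servletResponse);
        }
    }

    /** Nothing to release: the filter holds only the in-memory skip list. */
    @Override
    public void destroy() {
        // intentionally empty
    }
}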
XSSRequestWrapper 参数重写类
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;
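public class XSSRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Creates a wrapper that HTML-escapes request parameter values on read.
     *
     * @param request the request to wrap
     */
    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the first value of {@code name}, HTML-escaped, or {@code null} if absent.
     * This override is required: the inherited {@code getParameter} delegates straight to
     * the wrapped request, not to {@link #getParameterValues(String)}, so without it
     * callers using {@code getParameter} would still receive the raw value.
     *
     * @param name the parameter name
     * @return the escaped first value, or {@code null} when the parameter has no value
     */
    @Override
    public String getParameter(String name) {
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /**
     * Returns all values of {@code name} with HTML special characters escaped.
     * The escaped values go into a fresh array: the array handed out by the wrapped
     * request may be reused across calls, and escaping it in place would escape the same
     * value a second time on the next read.
     *
     * @param name the parameter name
     * @return a new array of escaped values, or {@code null} when the parameter is absent
     *         or has no values (same contract as before)
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterMap().get(name);
        if (raw == null || raw.length == 0) {
            return null;
        }
        return escapeAll(raw);
    }

    /**
     * Returns an unmodifiable copy of the parameter map with every value escaped, so code
     * that iterates the map instead of calling {@link #getParameter(String)} gets the same
     * protection. Headers, cookies and the request body are not covered by this wrapper.
     *
     * @return a new, read-only map of escaped values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
            String[] raw = entry.getValue();
            escaped.put(entry.getKey(), raw == null ? null : escapeAll(raw));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Escapes each element into a new array; {@code null} elements stay {@code null}. */
    private static String[] escapeAll(String[] raw) {
        String[] out = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            out[i] = raw[i] == null ? null : HtmlUtils.htmlEscape(raw[i]);
        }
        return out;
    }
}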
结果