一.sql注入
sql注入:把SQL命令插入到Web表單遞交或輸入域名或頁面請求的查詢字符串,最終達到欺騙服務器執行惡意的SQL命令。
解決方法:
(1)無論是直接使用數據庫還是使用如mybatis組件,使用sql的預編譯,不要用拼接字符串;
(2)后台過濾檢測:使用正則表達式過濾傳入的參數**;**.字符串過濾;
(4)前端檢測sql常見關鍵字,如or and drop之類的。
測試:
1、sql直接拼接,訪問:http://localhost:8180/webapp2/testSql1?userName=1&passWord=1 or 1=1
實際執行sql:select user_name,pass_word from cas_user where user_name= '1' and pass_word=1 INVALID 1=1
結果:輸入錯誤信息也能查詢。
2、sql預編譯(其他mybais組件類似),訪問:http://localhost:8180/webapp2/testSql2?userName=1&passWord=1 or 1=1
實際執行sql:select user_name,pass_word from cas_user where user_name= '1' and pass_word= '1 INVALID 1=1'
二種不同的sql寫法:
3、代碼中增加了過濾器檢測表單輸入后,sql關鍵字段會被過濾掉;訪問:http://localhost:8180/webapp2/testSql2?userName=1&passWord=1 or 1=1
結果:非法輸入被過濾器過濾掉了(或者替換了)。
二.xss攻擊
xss攻擊:其原理是攻擊者向有XSS漏洞的網站中輸入(傳入)惡意的HTML代碼,當其它用戶瀏覽該網站時,這段HTML代碼會自動執行,從而達到攻擊的目的。
如,盜取用戶Cookie、破壞頁面結構、重定向到其它網站等。
解決方法:對用戶輸入的表單信息進行檢測過濾。
測試:訪問:http://localhost:8180/webapp2/testXss?userName=1&passWord=。
結果:非法輸入被過濾器過濾掉了。
三.csrf/cros
CSRF - Cross-Site Request Forgery - 跨站請求偽造:
攻擊可以在受害者毫不知情的情況下以受害者名義偽造請求發送給受攻擊站點,從而在未授權的情況下執行在權限保護之下的操作,
CORS - Cross Origin Resourse-Sharing - 跨站資源共享,惡意訪問內網敏感資源。
解決方法:
有效的解決辦法是通過多種條件屏蔽掉非法的請求,例如HTTP頭、參數等:
1.不信任未經身份驗證的跨域請求,應該首先驗證Session ID或者Cookie。
2.對於請求方來說驗證接收的數據有效性,服務方僅暴露最少最必須的功能。
3.通過多種條件屏蔽掉非法的請求,例如HTTP頭、參數等。
服務端代碼跨域設置,設置了nginx轉發,也可設置在nginx中。
四.防止大規模的惡意請求
niginx反向代理可以配置請求頻率,對ip做限制。nginx可以很方便地做訪問控制,特別是一些偶發性的大量惡意請求,需要屏蔽處理。
1、屏蔽ip地址
location /someapi/ { allow ip; #特定接口只開放給某個ip調用 deny all; } location /somepage/ { deny ip; #屏蔽某個ip訪問(iptables可以拒絕某個ip連接) allow all; }
2、屏蔽user-agent
if ($http_user_agent = Mozilla/5.0 ) { return 403; } #有些請求頭很明顯不是用戶瀏覽器 分析nginx日志,找出惡意ip或user-agent cat /var/log/nginx/access.log | awk -F\" '{A[$(NF-1)]++}END{for(k in A)print A[k],k}' | sort -n |tail 122 58.144.7.66 337 106.91.201.75 2270 122.200.77.170 #顯然這個ip不正常,而且這不是nginx所知道的真實ip,而是$http_x_forwarded_for變量
3、屏蔽代理ip
有兩種情形會需要屏蔽代理ip:一是代理ip訪問,二是負載均衡(real-ip請求負載均衡服務器,再代理給后端server)。
vi /etc/nginx/badproxy.rules map $http_x_forwarded_for $badproxy { default 0; ~*122.200.77.170 1; #建立映射 } vi /etc/nginx/nginx.conf http { include /etc/nginx/badproxy.rules #這個要在server配置之前 server { location /somepage/ { if ( $badproxy ) { return 403; } } } }
五.代碼示例
1、第一步
創建XssAndSqlHttpServletRequestWrapper包裝器,這是實現XSS過濾的關鍵,在其內重寫了getParameter,getParameterValues,getHeader等方法,對http請求內的參數進行了過濾。
package com.demo.common; import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStreamReader; import java.util.Enumeration; import java.util.HashMap; import java.util.Map; import java.util.Set; import java.util.Vector; import java.util.regex.Pattern; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.springframework.util.StreamUtils; import com.sgcc.uap.utils.stream.StreamUtil; public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; private Map<String, String[]> parameterMap; private final byte[] body; //用於保存讀取body中數據 public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) throws IOException{ super(request); orgRequest = request; parameterMap = request.getParameterMap(); body = StreamUtils.copyToByteArray(request.getInputStream()); } // 重寫幾個HttpServletRequestWrapper中的方法 /** * 獲取所有參數名 * * @return 返回所有參數名 */ @Override public Enumeration<String> getParameterNames() { Vector<String> vector = new Vector<String>(parameterMap.keySet()); return vector.elements(); } /** * 覆蓋getParameter方法,將參數名和參數值都做xss & sql過濾。<br/> * 如果需要獲得原始的值,則通過super.getParameterValues(name)來獲取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆蓋 */ @Override public String getParameter(String name) { String[] results = parameterMap.get(name); if (results == null || results.length <= 0) return null; else { String value = results[0]; if (value != null) { value = xssEncode(value); } return value; } } /** * 獲取指定參數名的所有值的數組,如:checkbox的所有數據 接收數組變量 ,如checkobx類型 */ @Override public String[] getParameterValues(String name) { String[] results = parameterMap.get(name); if (results == null || results.length <= 0) return null; else { int length = results.length; for (int i = 0; i < length; i++) { results[i] = xssEncode(results[i]); } return results; } } /** * 覆蓋getHeader方法,將參數名和參數值都做xss & sql過濾。<br/> * 如果需要獲得原始的值,則通過super.getHeaders(name)來獲取<br/> * getHeaderNames 也可能需要覆蓋 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 將容易引起xss & sql漏洞的半角字符直接替換成全角字符 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || s.isEmpty()) { return s; } else { s = stripXSSAndSql(s); } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append(">");// 轉義大於號 break; case '<': sb.append("<");// 轉義小於號 break; // case '\'': // sb.append("'");// 轉義單引號 // break; // case '\"': // sb.append(""");// 轉義雙引號 // break; case '&': sb.append("&");// 轉義& break; case '#': sb.append("#");// 轉義# break; default: sb.append(c); break; } } return sb.toString(); } /** * 獲取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 獲取最原始的request的靜態方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssAndSqlHttpServletRequestWrapper) { return ((XssAndSqlHttpServletRequestWrapper) req).getOrgRequest(); } return req; } /** * * 防止xss跨腳本攻擊(替換,根據實際情況調整) */ public static String stripXSSAndSql(String value) { if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and // uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters /** value = value.replaceAll("", ""); ***/ // Avoid anything between script tags Pattern scriptPattern = Pattern.compile( "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid anything in a // src="http://www.yihaomen.com/article/java/..." type of // e-xpression scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome </script> tag scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid e-xpression(...) expressions scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid onload= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); } return value; } public static boolean checkXSSAndSql(String value) { boolean flag = false; if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and // uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters /** value = value.replaceAll("", ""); ***/ // Avoid anything between script tags Pattern scriptPattern = Pattern.compile( "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid anything in a // src="http://www.yihaomen.com/article/java/..." type of // e-xpression scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Remove any lonesome </script> tag scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid e-xpression(...) expressions scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid onload= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } scriptPattern = Pattern.compile("\\b(and|exec|insert|select|drop|grant|alter|delete|update|count|chr|mid|master|truncate|char|declare|or)\\b|(\\*|;|\\+|'|%)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } } return flag; } public final boolean checkParameter() { Map<String, String[]> submitParams = new HashMap(parameterMap); Set<String> submitNames = submitParams.keySet(); for (String submitName : submitNames) { Object submitValues = submitParams.get(submitName); if ((submitValues instanceof String)) { if (checkXSSAndSql((String) submitValues)) { return true; } } else if ((submitValues instanceof String[])) { for (String submitValue : (String[])submitValues){ if (checkXSSAndSql(submitValue)) { return true; } } } } return false; } @Override public BufferedReader getReader() throws IOException { return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public ServletInputStream getInputStream() throws IOException { final ByteArrayInputStream bais = new ByteArrayInputStream(body); return new ServletInputStream() { @Override public int read() throws IOException { return bais.read(); } @Override public boolean isFinished() { // TODO Auto-generated method stub return false; } @Override public boolean isReady() { // TODO Auto-generated method stub return false; } @Override public void setReadListener(ReadListener arg0) { // TODO Auto-generated method stub } }; } }
2、第二步
寫過濾器:
package com.demo.common; import java.io.BufferedReader; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang3.StringUtils; public class XssAndSqlFilter implements Filter { @Override public void destroy() { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String method = "GET"; String param = ""; XssAndSqlHttpServletRequestWrapper xssRequest = null; if (request instanceof HttpServletRequest) { method = ((HttpServletRequest) request).getMethod(); xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request); } if ("POST".equalsIgnoreCase(method)) { param = this.getBodyString(xssRequest.getReader()); if(StringUtils.isNotBlank(param)){ if(xssRequest.checkXSSAndSql(param)){ response.setCharacterEncoding("UTF-8"); response.setContentType("application/json;charset=UTF-8"); PrintWriter out = response.getWriter(); out.write(JSONObject.toJSONString("您所訪問的頁面請求中有違反安全規則元素存在,拒絕訪問!")); return; } } } if (xssRequest.checkParameter()) { response.setCharacterEncoding("UTF-8"); response.setContentType("application/json;charset=UTF-8"); PrintWriter out = response.getWriter(); out.write(JSONObject.toJSONString("您所訪問的頁面請求中有違反安全規則元素存在,拒絕訪問!")); return; } chain.doFilter(xssRequest, response); } @Override public void init(FilterConfig arg0) throws ServletException { // TODO Auto-generated method stub } // 獲取request請求body中參數 public static String getBodyString(BufferedReader br) { String inputLine; String str = ""; try { while ((inputLine = br.readLine()) != null) { str += inputLine; } br.close(); } catch (IOException e) { System.out.println("IOException: " + e); } return str; } }
3、第三步
注冊過濾器XssAndSqlFilter。
package com.demo.config; import java.util.Map; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import com.beust.jcommander.internal.Maps; import com.swireproperties.cams.common.filter.XssAndSqlFilter; /** * web配置 */ @Configuration public class WebConfig { @Bean public FilterRegistrationBean xssFilterRegistrationBean() { FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(); filterRegistrationBean.setFilter(new XssAndSqlFilter()); filterRegistrationBean.setOrder(1); filterRegistrationBean.setEnabled(true); filterRegistrationBean.addUrlPatterns("/*"); Map<String, String> initParameters = Maps.newHashMap(); initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*"); initParameters.put("isIncludeRichText", "true"); filterRegistrationBean.setInitParameters(initParameters); return filterRegistrationBean; } }
備注:
-excludes用於配置不需要參數過濾的請求url。
-isIncludeRichText默認為true,主要用於設置富文本內容是否需要過濾。