SpringBoot Xss漏洞修復
xss是什么就不贅述了,你看到這里肯定也知道了。SpringBoot修復Xss漏洞有兩種方案:
1、過濾SQL、JS腳本
1.1、添加pom依賴
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.4</version>
</dependency>
1.2、創建XssAndSqlHttpServletRequestWrapper
package cn.vantee.util;
import org.apache.commons.text.StringEscapeUtils;
import org.springframework.util.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/31 16:46
* @description:xss過濾
* @modified By:
* @version: 1.0.0
*/
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest request;
public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
this.request = request;
}
/**
* 假如有有html 代碼是自己傳來的 需要設定對應的name 不走StringEscapeUtils.escapeHtml4(value) 過濾
*/
@Override
public String getParameter(String name) {
String value = request.getParameter(name);
if (!StringUtils.isEmpty(value)) {
value = StringEscapeUtils.escapeHtml4(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] parameterValues = super.getParameterValues(name);
if (parameterValues == null) {
return null;
}
for (int i = 0; i < parameterValues.length; i++) {
String value = parameterValues[i];
parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
}
return parameterValues;
}
}
1.3、創建XssStringJsonSerializer
package cn.vantee.util;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.apache.commons.text.StringEscapeUtils;
import java.io.IOException;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/31 16:47
* @description:xss過濾
* @modified By:
* @version: 1.0.0
*/
public class XssStringJsonSerializer extends JsonSerializer<String> {
@Override
public Class<String> handledType() {
return String.class;
}
/**
* 假如有有html 代碼是自己傳來的 需要設定對應的name 不走StringEscapeUtils.escapeHtml4(value) 過濾
*/
@Override
public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
throws IOException {
if (value != null) {
String encodedValue = StringEscapeUtils.escapeHtml4(value);
jsonGenerator.writeString(encodedValue);
}
}
}
1.4、創建過濾器
package cn.vantee.filter;
import cn.vantee.util.XssAndSqlHttpServletRequestWrapper;
import cn.vantee.util.XssStringJsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/31 10:53
* @description:xss過濾
* @modified By:
* @version: 1.0.0
*/
@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
@Component
public class XssFilter implements Filter {
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest req = (HttpServletRequest) request;
XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
chain.doFilter(xssRequestWrapper, response);
}
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
@Bean
@Primary
public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
// 解析器
ObjectMapper objectMapper = builder.createXmlMapper(false).build();
// 注冊xss解析器
SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
xssModule.addSerializer(new XssStringJsonSerializer());
objectMapper.registerModule(xssModule);
// 返回
return objectMapper;
}
}
@Primary 注解優先走這個Bean方法。
asyncSupported = true 配置支持異步,sync-supported是servlet 3.0后推出的新特性
5、驗證
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="/test">
<input type="text" name="params">
<input type="submit">
</form>
</body>
</html>
package cn.vantee.controller;
import cn.vantee.service.TestService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @author :rayfoo@qq.com
* @date :Created in 2022/3/29 14:53
* @description:測試Controller
* @modified By:
* @version: 1.0.0
*/
@RestController
public class TestController {
@Autowired
public TestService testService;
@GetMapping("/test")
public String test(String params){
System.out.println(params);
return params;
}
}
輸入:
<script>hello world</scrpit>
輸出:
<script>hello world</scrpit>
2、設置HttpOnly
2.1、什么是HttpOnly
如果cookie中設置了HttpOnly屬性,那么通過js腳本將無法讀取到cookie信息,這樣能有效的防止XSS攻擊,竊取cookie內容,這樣就增加了cookie的安全性,即便是這樣,也不要將重要信息存入cookie。XSS全稱Cross SiteScript,跨站腳本攻擊,是Web程序中常見的漏洞,XSS屬於被動式且用於客戶端的攻擊方式,所以容易被忽略其危害性。其原理是攻擊者向有XSS漏洞的網站中輸入(傳入)惡意的HTML代碼,當其它用戶瀏覽該網站時,這段HTML代碼會自動執行,從而達到攻擊的目的。如,盜取用戶Cookie、破壞頁面結構、重定向到其它網站等。
2.2、如何設置
案例:
response.addHeader("Set-Cookie", "username=123456; Path=/; HttpOnly")