SpringBoot安全漏洞SQL注入和XSS攻击简介说明

书欣 SpringBoot 发布时间:2022-08-06 21:47:50 阅读数:8997 1
下文笔者讲述springboot安全漏洞中sql注入和xss注入的处理方法简介说明,如下所示
实现思路:
    1.自定义HttpServletRequestWrapper类,实现SQL和XSS 过滤
	2.自定义filter
	3.注册filter,使其发挥功效
例:
自定义HttpServletRequestWrapper类
   实现SQL和XSS 过滤

package com.java265.sql.filter; 
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import java.util.regex.Pattern;
import javax.servlet.Readlistener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.util.StreamUtils;
 
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
	 HttpServletRequest orgRequest = null;
	    private Map<String, String[]> parameterMap;
	    private final byte[] body; //用于保存读取body中数据
 
	    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) throws IOException{
	        super(request);
	        orgRequest = request;
	        parameterMap = request.getParameterMap();
	        body = StreamUtils.copyToByteArray(request.getInputStream());
	    }
 
	    // 重写几个HttpServletRequestWrapper中的方法
	    /**
	     * 获取所有参数名
	     *
	     * @return 返回所有参数名
	     */
	    @Override
	    public Enumeration<String> getParameterNames() {
	        Vector<String> vector = new Vector<String>(parameterMap.keySet());
	        return vector.elements();
	    }
 
	    /**
	     * 覆盖getParameter方法,将参数名和参数值都做xss & sql过滤。<br/>
	     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
	     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
	     */
	    @Override
	    public String getParameter(String name) {
	        String[] results = parameterMap.get(name);
	        if (results == null || results.length <= 0)
	            return null;
	        else {
	            String value = results[0];
	            if (value != null) {
	                value = xssEncode(value);
	            }
	            return value;
	        }
	    }
 
	    /**
	     * 获取指定参数名的所有值的数组,如:checkbox的所有数据 接收数组变量 ,如checkobx类型
	     */
	    @Override
	    public String[] getParameterValues(String name) {
	        String[] results = parameterMap.get(name);
	        if (results == null || results.length <= 0)
	            return null;
	        else {
	            int length = results.length;
	            for (int i = 0; i < length; i++) {
	                results[i] = xssEncode(results[i]);
	            }
	            return results;
	        }
	    }
 
	    /**
	     * 覆盖getHeader方法,将参数名和参数值都做xss & sql过滤。<br/>
	     * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
	     * getHeaderNames 也可能需要覆盖
	     */
	    @Override
	    public String getHeader(String name) {
 
	        String value = super.getHeader(xssEncode(name));
	        if (value != null) {
	            value = xssEncode(value);
	        }
	        return value;
	    }
 
	    /**
	     * 将容易引起xss & sql漏洞的半角字符直接替换成全角字符
	     * 
	     * @param s
	     * @return
	     */
	    private static String xssEncode(String s) {
	        if (s == null || s.isEmpty()) {
	            return s;
	        } else {
	            s = stripXSSAndSql(s);
	        }
	        StringBuilder sb = new StringBuilder(s.length() + 16);
	        for (int i = 0; i < s.length(); i++) {
	            char c = s.charAt(i);
	            switch (c) {
	            case '>':
	                sb.append(">");// 转义大于号
	                break;
	            case '<':
	                sb.append("<");// 转义小于号
	                break;
	            // case '\'':
	            // sb.append("'");// 转义单引号
	            // break;
	            // case '\"':
	            // sb.append(""");// 转义双引号
	            // break;
	            case '&':
	                sb.append("&");// 转义&
	                break;
	            case '#':
	                sb.append("#");// 转义#
	                break;
	            default:
	                sb.append(c);
	                break;
	            }
	        }
	        return sb.toString();
	    }
 
	    /**
	     * 获取最原始的request
	     * 
	     * @return
	     */
	    public HttpServletRequest getOrgRequest() {
	        return orgRequest;
	    }
 
	    /**
	     * 获取最原始的request的静态方法
	     * 
	     * @return
	     */
	    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
	        if (req instanceof XssAndSqlHttpServletRequestWrapper) {
	            return ((XssAndSqlHttpServletRequestWrapper) req).getOrgRequest();
	        }
 
	        return req;
	    }
 
	    /**
	     * 
	     * 防止xss跨脚本攻击(替换,根据实际情况调整)
	     */
 
	    public static String stripXSSAndSql(String value) {
	        if (value != null) {
	            // NOTE: It's highly recommended to use the ESAPI library and
	            // uncomment the following line to
	            // avoid encoded attacks.
	            // value = ESAPI.encoder().canonicalize(value);
	            // Avoid null characters
	            /** value = value.replaceAll("", ""); ***/
	            // Avoid anything between script tags
	            Pattern scriptPattern = Pattern.compile(
	                    "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Avoid anything in a
	            // src="http://www.yihaomen.com/article/java/..." type of
	            // e-xpression
	            scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Remove any lonesome </script> tag
	            scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Remove any lonesome <script ...> tag
	            scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Avoid eval(...) expressions
	            scriptPattern = Pattern.compile("eval\\((.*?)\\)",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Avoid e-xpression(...) expressions
	            scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Avoid javascript:... expressions
	            scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Avoid vbscript:... expressions
	            scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
	            value = scriptPattern.matcher(value).replaceAll("");
	            // Avoid onload= expressions
	            scriptPattern = Pattern.compile("onload(.*?)=",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = scriptPattern.matcher(value).replaceAll("");
	        }
	        return value;
	    }
 
	    public static boolean checkXSSAndSql(String value) {
	        boolean flag = false;
	        if (value != null) {
	            // NOTE: It's highly recommended to use the ESAPI library and
	            // uncomment the following line to
	            // avoid encoded attacks.
	            // value = ESAPI.encoder().canonicalize(value);
	            // Avoid null characters
	            /** value = value.replaceAll("", ""); ***/
	            // Avoid anything between script tags
	            Pattern scriptPattern = Pattern.compile(
	                    "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Avoid anything in a
	            // src="http://www.yihaomen.com/article/java/..." type of
	            // e-xpression
	            scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Remove any lonesome </script> tag
	            scriptPattern = Pattern.compile("</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Remove any lonesome <script ...> tag
	            scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Avoid eval(...) expressions
	            scriptPattern = Pattern.compile("eval\\((.*?)\\)",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Avoid e-xpression(...) expressions
	            scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Avoid javascript:... expressions
	            scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Avoid vbscript:... expressions
	            scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	            // Avoid onload= expressions
	            scriptPattern = Pattern.compile("onload(.*?)=",
	                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            flag = scriptPattern.matcher(value).find();
	            if (flag) {
	                return flag;
	            }
	        }
	        return flag;
	    }
 
	    public final boolean checkParameter() {
	        Map<String, String[]> submitParams = new HashMap(parameterMap);
	        Set<String> submitNames = submitParams.keySet();
	        for (String submitName : submitNames) {
	            Object submitValues = submitParams.get(submitName);
	            if ((submitValues instanceof String)) {
	                if (checkXSSAndSql((String) submitValues)) {
	                    return true;
	                }
	            } else if ((submitValues instanceof String[])) {
	                for (String submitValue : (String[])submitValues){
	                    if (checkXSSAndSql(submitValue)) {
	                        return true;
	                    }
	                }
	            }
	        }
	        return false;
	    }
	    
	    @Override    
	    public BufferedReader getReader() throws IOException {    
	        return new BufferedReader(new InputStreamReader(getInputStream()));    
	    }    
	    
	    @Override    
	    public ServletInputStream getInputStream() throws IOException {    
	        final ByteArrayInputStream bais = new ByteArrayInputStream(body);    
	        return new ServletInputStream() {    
	    
	            @Override    
	            public int read() throws IOException {    
	                return bais.read();    
	            }  
 
	            @Override  
	            public boolean isFinished() {  
	                // TODO Auto-generated method stub  
	                return false;  
	            }  
 
	            @Override  
	            public boolean isReady() {  
	                // TODO Auto-generated method stub  
	                return false;  
	            }  
 
	            @Override  
	            public void setReadListener(ReadListener arg0) {  
	                // TODO Auto-generated method stub  
	                  
	            }    
	        };    
	    }
}

//自定义Filter
package com.java265.sql.filter;
 
import java.io.BufferedReader;
import java.io.IOException;
import java.io.PrintWriter;
 
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
 
import org.apache.commons.lang3.StringUtils;
 
import com.alibaba.fastjson.JSON;
 
public class XssAndSqlFilter implements Filter {
 
    @Override
    public void destroy() {
        // TODO Auto-generated method stub
 
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String method = "GET";
        String param = "";
        XssAndSqlHttpServletRequestWrapper xssRequest = null;
        if (request instanceof HttpServletRequest) {
            method = ((HttpServletRequest) request).getMethod();
            xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
        }
        if ("POST".equalsIgnoreCase(method)) {
            param = this.getBodyString(xssRequest.getReader());
            if(StringUtils.isNotBlank(param)){
                if(xssRequest.checkXSSAndSql(param)){
                    response.setCharacterEncoding("UTF-8");
                    response.setContentType("application/json;charset=UTF-8");
                    PrintWriter out = response.getWriter();
                    out.write(JSON.toJSONString("您所访问的页面请求中有违反安全规则元素存在,拒绝访问!"));
                    return;
                }
            }
        }
        if (xssRequest.checkParameter()) {
            response.setCharacterEncoding("UTF-8");
            response.setContentType("application/json;charset=UTF-8");
            PrintWriter out = response.getWriter();
            out.write(JSON.toJSONString("您所访问的页面请求中有违反安全规则元素存在,拒绝访问!"));
            return;
        }
        chain.doFilter(xssRequest, response);
    }
 
    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub
 
    }
 
    // 获取request请求body中参数
    public static String getBodyString(BufferedReader br) {
        String inputLine;
        String str = "";
        try {
            while ((inputLine = br.readLine()) != null) {
                str += inputLine;
            }
            br.close();
        } catch (IOException e) {
            System.out.println("IOException: " + e);
        }
        return str;
 
    }
 
}

//注册过滤器XssAndSqlFilter

@Configuration
public class FilterConfig {
    @Bean
    public FilterRegistrationBean xssFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new XssAndSqlFilter());
        registration.addUrlPatterns("/*");
        registration.setName("xssAndSqlFilter");
        registration.setOrder(Integer.MAX_VALUE);
        Map<String, String> initParameters = Maps.newHashMap();
        //-excludes用于配置不需要参数过滤的请求url;
        initParameters.put("excludes", "/swagger-ui.html/**,/webjars/**,/v2/**,/swagger-resources/**");
        //-isIncludeRichText默认为true,主要用于设置富文本内容是否需要过滤。
        initParameters.put("isIncludeRichText", "false");
        return registration;
    }
}
版权声明

本文仅代表作者观点,不代表本站立场。
本文系作者授权发表,未经许可,不得转载。

本文链接: https://www.Java265.com/JavaFramework/SpringBoot/202208/4165.html

最近发表

热门文章

好文推荐

Java265.com

https://www.java265.com

站长统计|粤ICP备14097017号-3

Powered By Java265.com信息维护小组

使用手机扫描二维码

关注我们看更多资讯

java爱好者