cookie跨站脚本漏洞解决方案
近日项目碰到一个跨脚本注入的问题:
这安全测评工具也是厉害了,直接将脚本注入到cookie里头,以前没有碰到这样的情况。
之前写过一篇文章过滤跨脚本注入的问题。《浅谈XSS攻击原理与解决方法》关于跨脚本注入的问题,不晓得原理的同学可以看下。但是里头没有处理cookie注入的问题。接下来介绍下如何处理。
关键代码在这里:首先获取到cookie,检查下是否有敏感字符,如果有的话,就进行替换。
//防止cookie跨站注入问题,替换敏感字符。
Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if(cookies!=null) {
for(Cookie cookie: cookies){
if(CookieFilterUtil.isValidate(cookie.getValue())){
cookie.setValue(CookieFilterUtil.xssClean(cookie.getValue()));
Cookie newCookie=cookie;
cookie.setMaxAge();
((HttpServletResponse) response).addCookie(newCookie);
break;
}
}
}
CookieFilter.java
public class CookieFilterUtil {
//将敏感字符进行替换
public static String xssClean(String value) {
//ClassLoaderUtils.getResourceAsStream("classpath:antisamy-slashdot.xml", XssHttpServletRequestWrapper.class)
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and
// uncomment the following line to
// avoid encoded attacks.
// value = encoder.canonicalize(value);
value = value.replaceAll("\0", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a href='...' type of expression
scriptPattern = Pattern.compile("href[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
//校验是否含有敏感字符
public static boolean isValidate(String value) {
//ClassLoaderUtils.getResourceAsStream("classpath:antisamy-slashdot.xml", XssHttpServletRequestWrapper.class)
boolean flag=false;
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and
// uncomment the following line to
// avoid encoded attacks.
// value = encoder.canonicalize(value);
value = value.replaceAll("\0", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>",
Pattern.CASE_INSENSITIVE);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid anything in a href='...' type of expression
scriptPattern = Pattern.compile("href[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>",
Pattern.CASE_INSENSITIVE);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:",
Pattern.CASE_INSENSITIVE);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:",
Pattern.CASE_INSENSITIVE);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
if(scriptPattern.matcher(value).find()){
flag=true;
return flag;
}
}
return flag;
}
}
XssFilter.java
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
//防止cookie跨站注入问题,替换敏感字符。
boolean flag=false;
Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if(cookies!=null) {
for(Cookie cookie: cookies){
if(CookieFilterUtil.isValidate(cookie.getValue())){
flag=true;
cookie.setValue(CookieFilterUtil.xssClean(cookie.getValue()));
Cookie newCookie=cookie;
cookie.setMaxAge();
((HttpServletResponse) response).addCookie(newCookie);
break;
}
}
}
//如果存在跨站注入问题,跳转到登录页。
if(!flag){
String path = ((HttpServletRequest) request).getContextPath();
String protAndPath = request.getServerPort() == ? "" : ":"
+ request.getServerPort();
String basePath = request.getScheme() + "://"
+ request.getServerName() + protAndPath + path + "/";
String returnUrl = basePath+"login.do";
request.setCharacterEncoding("UTF-8");
response.setContentType("text/html; charset=UTF-8"); // 转码
response.getWriter().println(
"<script language=\"javascript\">if(window.opener==null){window.top.location.href=\""
+ returnUrl
+ "\";}else{window.opener.top.location.href=\""
+ returnUrl
+ "\";window.close();}</script>");
}else{
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
}
}
@Override
public void destroy() {
}
}
这儿的操作如果有敏感字符,那么就调整到登录首页,删除cookie,当然也可以不处理,像以下代码这样
//防止cookie跨站注入问题,替换敏感字符。
Cookie[] cookies = ((HttpServletRequest) request).getCookies();
if(cookies!=null) {
for(Cookie cookie: cookies){
if(CookieFilterUtil.isValidate(cookie.getValue())){
cookie.setValue(CookieFilterUtil.xssClean(cookie.getValue()));
Cookie newCookie=cookie;
cookie.setMaxAge();
((HttpServletResponse) response).addCookie(newCookie);
break;
}
}
}
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
xss过滤器实现XssHttpServletRequestWrapper.java
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@SuppressWarnings("rawtypes")
public Map<String,String[]> getParameterMap(){
Map<String,String[]> request_map = super.getParameterMap();
Iterator iterator = request_map.entrySet().iterator();
while(iterator.hasNext()){
Map.Entry me = (Map.Entry)iterator.next();
String[] values = (String[])me.getValue();
for(int i = ; i < values.length ; i++){
values[i]=HtmlRegexpUtil.fiterHtmlByTagArr(values[i]);
values[i] = xssClean(values[i]);
}
}
return request_map;
}
public String[] getParameterValues(String paramString)
{
String[] arrayOfString1 = super.getParameterValues(paramString);
if (arrayOfString1 == null)
return null;
int i = arrayOfString1.length;
String[] arrayOfString2 = new String[i];
for (int j = ; j < i; j++){
arrayOfString1[j]=HtmlRegexpUtil.fiterHtmlByTagArr(arrayOfString1[j]);
arrayOfString2[j] = xssClean(arrayOfString1[j]);
}
return arrayOfString2;
}
public String getParameter(String paramString)
{
String str = super.getParameter(paramString);
if (str == null)
return null;
return xssClean(str);
}
public String getHeader(String paramString)
{
String str = super.getHeader(paramString);
if (str == null)
return null;
str = str.replaceAll("\r|\n", "");
return xssClean(str);
}
private String xssClean(String value) {
//ClassLoaderUtils.getResourceAsStream("classpath:antisamy-slashdot.xml", XssHttpServletRequestWrapper.class)
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and
// uncomment the following line to
// avoid encoded attacks.
// value = encoder.canonicalize(value);
value = value.replaceAll("\0", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a href='...' type of expression
scriptPattern = Pattern.compile("href[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:",
Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE
| Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
}
cookie跨站脚本漏洞解决方案的更多相关文章
- WordPress FunCaptcha插件跨站脚本漏洞
漏洞名称: WordPress FunCaptcha插件跨站脚本漏洞 CNNVD编号: CNNVD-201311-431 发布时间: 2013-11-29 更新时间: 2013-11-29 危害等级: ...
- WordPress Checkout插件跨站脚本漏洞和任意文件上传漏洞
漏洞名称: WordPress Checkout插件跨站脚本漏洞和任意文件上传漏洞 CNNVD编号: CNNVD-201311-015 发布时间: 2013-11-04 更新时间: 2013-11-0 ...
- WordPress Tweet Blender插件跨站脚本漏洞
漏洞名称: WordPress Tweet Blender插件跨站脚本漏洞 CNNVD编号: CNNVD-201310-645 发布时间: 2013-10-30 更新时间: 2013-10-30 危害 ...
- WordPress WooCommerce ‘hide-wc-extensions-message’参数跨站脚本漏洞
漏洞名称: WordPress WooCommerce ‘hide-wc-extensions-message’参数跨站脚本漏洞 CNNVD编号: CNNVD-201310-501 发布时间: 201 ...
- WordPress Videowall插件‘page_id’参数跨站脚本漏洞
漏洞名称: WordPress Videowall插件‘page_id’参数跨站脚本漏洞 CNNVD编号: CNNVD-201310-502 发布时间: 2013-10-23 更新时间: 2013-1 ...
- WordPress MORE+主题‘prettyPhoto’跨站脚本漏洞
漏洞名称: WordPress MORE+主题‘prettyPhoto’跨站脚本漏洞 CNNVD编号: CNNVD-201310-284 发布时间: 2013-10-23 更新时间: 2013-10- ...
- WordPress Bradesco Gateway插件‘falha.php’跨站脚本漏洞
漏洞名称: WordPress Bradesco Gateway插件‘falha.php’跨站脚本漏洞 CNNVD编号: CNNVD-201309-451 发布时间: 2013-09-26 更新时间: ...
- WordPress Sharebar ‘page’参数跨站脚本漏洞
漏洞名称: WordPress Sharebar ‘page’参数跨站脚本漏洞 CNNVD编号: CNNVD-201309-468 发布时间: 2013-09-26 更新时间: 2013-09-26 ...
- WordPress mb.miniAudioPlayer插件多个跨站脚本漏洞
漏洞名称: WordPress mb.miniAudioPlayer插件多个跨站脚本漏洞 CNNVD编号: CNNVD-201309-469 发布时间: 2013-09-26 更新时间: 2013-0 ...
随机推荐
- Eclipse调试C++(Cocos2dx Android )
原文链接: http://www.cnblogs.com/zouzf/p/4202537.html 先说windows下的,mac下的在最后 环境:win8.1.java 1.5.Eclipse 4. ...
- Tomcat:解决Tomcat可以在eclipse启动,却无法显示默认页面的操作
解决Tomcat可以在eclipse启动,却无法显示默认页面的操作 今天在eclipse中配置好tomcat后访问不到它的主页,但是能运行自己的项目,一直找不到原因,百度之后最后解决了这个问题,总结如 ...
- 基于开源库jsoncpp的json字符串解析
json(JavaScript Object Notation)是一种轻量级高效数据交换格式.相比于XML,其更加简洁,解析更加方便.在实习期间,我负责的程序模块,多次使用到json进行数据传输.由于 ...
- nginx限制ip并发数
nginx限制ip并发数,也是说限制同一个ip同时连接服务器的数量 1.添加limit_zone 这个变量只能在http使用 vi /usr/local/nginx/conf/nginx.conf l ...
- Windows下使用MinGW在命令行编译运行C++程序
之前学习C语言的时候都是用IDE类似CodeBlocks的工具写完直接编译运行的,今天突然心血来潮,自己下一个编译器,在命令行下,编译运行C++程序,了解一下编译过程. 一.安装编译器 首先你需要下载 ...
- mac用ssh连接linux云服务器中文乱码或无法显示解决
问题1:服务器是ubuntu16.04,用mac自带的ssh连接后无法正常输入中文? 解:这种情况一般是终端和服务器的字符集不匹配,MacOSX下默认的是utf8字符集. 打开编辑 .bashrc 文 ...
- 在windows x64上部署使用Redis
一.下载Redis 下载地址:https://github.com/MSOpenTech/redis/releases 二.安装Redis 将下载文件解压到D:\redis 后,可见: 三.启动Red ...
- 命令行连接db2数据库
在cmd界面执行db2cmd命令 然后在db2cmd界面执行db2命令 然后执行 CONNECT TO UIBS USER DB2INST1 USING 123456命令
- tomcat学习篇
要求: 为Apache HTTP Server服务器添加JSP网页支持. 能够访问Tomcat容器的Web管理界面,以便管理各种JSP.Servelet应用. u 知识提示 在各种企业级网站应用系统中 ...
- mongodb分片介绍—— 基于范围(数值型)的分片 或者 基于哈希的分片
数据分区 MongoDB中数据的分片是以集合为基本单位的,集合中的数据通过 片键 被分成多部分. 片键 对集合进行分片时,你需要选择一个 片键 , shard key 是每条记录都必须包含的,且建立了 ...