Addressing SQL Blinds and cross-site scripting attacks

Today's test with IBM's AppScan, the system testing, found the system's security vulnerabilities, respectively, SQL Blind and cross-site scripting attacks, both of these security risks are the use of parameters passed the vulnerability of the opportunity to attack the system. As follows:

Solution (see example on the Web): Write a filter yourself and use filter to filter requests made by your browser. Filter some keywords for each POST request parameter and replace it with a secure one, such as:< > ' \/# &. The method is to implement a custom httpservletrequestwrapper, and then call it in the Filter, replace the GetParameter function, the steps are as follows.

First, add a Xsshttpservletrequestwrapper class in the background with the following code.

 Packagecom.iss.sas.web.base;Importjavax.servlet.http.HttpServletRequest;ImportJavax.servlet.http.HttpServletRequestWrapper; Public classXsshttpservletrequestwrapperextendsHttpservletrequestwrapper { PublicXsshttpservletrequestwrapper (HttpServletRequest servletrequest) {Super(ServletRequest); }     Publicstring[] getparametervalues (String parameter) {string[] values=Super. getparametervalues (parameter); if(values==NULL)  {                  return NULL; }      intCount =values.length; String[] Encodedvalues=NewString[count];  for(inti = 0; I < count; i++) {Encodedvalues[i]=CLEANXSS (Values[i]); }      returnencodedvalues; }     Publicstring GetParameter (string parameter) {String value=Super. GetParameter (parameter); if(Value = =NULL) {                 return NULL; }          returnCLEANXSS (value); }     Publicstring GetHeader (string name) {String Value=Super. GetHeader (name); if(Value = =NULL)            return NULL; returnCLEANXSS (value); }    Privatestring Cleanxss (String value) {//You'll need to remove the spaces from the HTML entities belowValue = Value.replaceall ("<", "& lt;"). ReplaceAll (">", "& gt;"); Value= Value.replaceall ("\ \ (", "& #40;"). ReplaceAll ("\ \)", "& #41;"); Value= Value.replaceall ("'", "& #39;")); Value= Value.replaceall ("eval\\ (. *) \ \)", ""); Value= Value.replaceall ("[\\\" \\\ '][\\s]*javascript: (. *) [\\\ "\\\ ']", "\" \ ""); Value= Value.replaceall ("Script", "" "); returnvalue; }}

Then, also add a filter xssfilter in the background, the specific code is as follows.

 Packagecom.iss.sas.web.base;Importjava.io.IOException;ImportJavax.servlet.Filter;ImportJavax.servlet.FilterChain;ImportJavax.servlet.FilterConfig;Importjavax.servlet.ServletException;Importjavax.servlet.ServletRequest;ImportJavax.servlet.ServletResponse;Importjavax.servlet.http.HttpServletRequest; Public classXssfilterImplementsFilter {filterconfig filterconfig=NULL;  Public voidInit (Filterconfig filterconfig)throwsservletexception { This. Filterconfig =Filterconfig; }         Public voiddestroy () { This. Filterconfig =NULL; }         Public voidDoFilter (servletrequest request, servletresponse response, Filterchain chain)throwsIOException, servletexception {chain.dofilter (NewXsshttpservletrequestwrapper ((httpservletrequest) request), response); }}

Finally, in Web. XML, the getparameter of all requests will be replaced, and if the parameters contain sensitive words, they will be replaced.

<filter>     <filter-name>XssSqlFilter</filter-name>     <filter-class> com.iss.sas.web.base.xssfilter</filter-class>  </filter>  <filter-mapping>     <filter-name>XssSqlFilter</filter-name>     <url-pattern>/*</ url-pattern>     <dispatcher>REQUEST</dispatcher>  </filter-mapping>

Summary: Although MyBatis uses placeholders to receive parameter passing, it provides a good solution for SQL blinds, but this only avoids part of the problem, the user can also use parameters as a pointcut to attack the site illegally, so also consider the parameters of the dangerous characters to filter and intercept.

Addressing SQL Blinds and cross-site scripting attacks