Today's test of the system with IBM's AppScan found two security vulnerabilities: SQL blind injection and cross-site scripting (XSS). Both of these risks exploit the parameters passed to the system as the opportunity to attack it. The findings were as follows:
Solution (following an example found on the Web): write a filter and use it to filter the requests sent by the browser. For each POST request parameter, filter a set of keywords and replace them with safe equivalents, for example: < > ' \/ # &. The method is to implement a custom HttpServletRequestWrapper, call it from a Filter, and override getParameter there. The steps are as follows.
First, add an XssHttpServletRequestWrapper class on the back end with the following code.
package com.iss.sas.web.base;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    // Clean every value of a multi-valued parameter
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    // Clean a single-valued parameter
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    // Request headers are cleaned the same way
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    // Replace characters and keywords that could be used for script injection
    private String cleanXSS(String value) {
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}
Then, also add a filter, XssFilter, on the back end; the code is as follows.
package com.iss.sas.web.base;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {

    FilterConfig filterConfig = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    // Wrap every request so that parameter and header reads go through cleanXSS
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
    }
}
Finally, register the filter in web.xml. From then on, getParameter on every request goes through the wrapper, and any parameter that contains sensitive words has them replaced.
<filter>
    <filter-name>XssSqlFilter</filter-name>
    <filter-class>com.iss.sas.web.base.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssSqlFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
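As an added example (not code from the original post), here is a wrapper that applies the full character list the post names (< > ' \/ # &) as one entity per character instead of a keyword blacklist, and that also overrides getParameterMap(), which the post's wrapper leaves unwrapped. The class name EncodingRequestWrapper and the sample string in main are assumptions; it is registered from the filter exactly as XssFilter registers XssHttpServletRequestWrapper.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example: per-character entity encoding for every character the post lists,
// plus getParameterMap(), so framework parameter binding is covered as well.
public class EncodingRequestWrapper extends HttpServletRequestWrapper {

    public EncodingRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    // One entity per special character. There is no keyword to spell differently,
    // and '&' is encoded too, so the result cannot be re-interpreted as markup.
    static String encode(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                case '/':  sb.append("&#47;"); break;
                case '\\': sb.append("&#92;"); break;
                case '#':  sb.append("&#35;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public String getParameter(String name) {
        return encode(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = encode(values[i]);
        }
        return encoded;
    }

    // Frameworks that bind request beans (Struts, Spring MVC) read getParameterMap(),
    // so it must be wrapped as well or those reads silently bypass the filter.
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> encoded = new HashMap<>();
        for (String name : super.getParameterMap().keySet()) {
            encoded.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(encoded);
    }

    @Override
    public String getHeader(String name) {
        return encode(super.getHeader(name));
    }

    // Stand-alone check on a constructed value; no servlet container is needed.
    public static void main(String[] args) {
        String constructed = "<b>name</b> & \"quoted\" 'single' /path#frag";
        System.out.println(encode(constructed));
    }
}
```

Two things to keep in mind with this approach. Encoding on input stores entities in the database, so a value later emitted into a non-HTML context (JSON, CSV, an e-mail) shows the literal "&lt;" and needs decoding or, better, context-specific encoding at output time. And HTML entity encoding does nothing for SQL: the wrapper makes a value inert in a page, while keeping it out of a query is still the job of the placeholders the summary below mentions.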
Summary: Although MyBatis receives parameters through placeholders, which is a good defence against SQL blind injection, that only avoids part of the problem. A user can still use the parameters as an entry point to attack the site, so the dangerous characters in parameters should also be filtered and intercepted.
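To make the summary's point concrete, the following added example (not from the post) shows what "placeholder" means in a MyBatis mapper and which form is not one. The table, column names, the User class and the SortColumns allow-list are assumptions.

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Minimal row type for the example (assumed)
class User {
    public long id;
    public String name;
}

// Added example: #{} is a placeholder, ${} is text substitution.
public interface UserMapper {

    // #{name} becomes a JDBC "?" bound through PreparedStatement: whatever the
    // request parameter contains, it is treated as data, never as SQL. This is the
    // protection the summary credits MyBatis with.
    @Select("SELECT id, name FROM users WHERE name = #{name}")
    User findByName(@Param("name") String name);

    // ${column} is pasted into the SQL text before the statement is prepared, so a
    // request parameter passed here would reach the database as SQL. Use ${} only
    // for values chosen in code from a fixed list, never for raw user input.
    @Select("SELECT id, name FROM users ORDER BY ${column}")
    List<User> listOrdered(@Param("column") String column);
}

// Allow-list used before a caller hands a sort column to listOrdered (assumed names).
final class SortColumns {
    private static final Set<String> ALLOWED = Set.of("id", "name");

    static String check(String requested) {
        if (!ALLOWED.contains(requested)) {
            throw new IllegalArgumentException("unknown sort column");
        }
        return requested;
    }
}
```

With this split, the request filter from the post remains useful for the XSS finding, but the SQL finding is closed by keeping every user-supplied value behind #{} and reserving ${} for allow-listed identifiers.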
Addressing SQL Blinds and cross-site scripting attacks