Addressing SQL Blinds and cross-site scripting attacks

Source: Internet
Author: User

Today's test with IBM's AppScan, the system testing, found the system's security vulnerabilities, respectively, SQL Blind and cross-site scripting attacks, both of these security risks are the use of parameters passed the vulnerability of the opportunity to attack the system. As follows:

Solution (see example on the Web): Write a filter yourself and use filter to filter requests made by your browser. Filter some keywords for each POST request parameter and replace it with a secure one, such as:< > ' \/# &. The method is to implement a custom httpservletrequestwrapper, and then call it in the Filter, replace the GetParameter function, the steps are as follows.

First, add a Xsshttpservletrequestwrapper class in the background with the following code.

 Packagecom.iss.sas.web.base;Importjavax.servlet.http.HttpServletRequest;ImportJavax.servlet.http.HttpServletRequestWrapper; Public classXsshttpservletrequestwrapperextendsHttpservletrequestwrapper { PublicXsshttpservletrequestwrapper (HttpServletRequest servletrequest) {Super(ServletRequest); }     Publicstring[] getparametervalues (String parameter) {string[] values=Super. getparametervalues (parameter); if(values==NULL)  {                  return NULL; }      intCount =values.length; String[] Encodedvalues=NewString[count];  for(inti = 0; I < count; i++) {Encodedvalues[i]=CLEANXSS (Values[i]); }      returnencodedvalues; }     Publicstring GetParameter (string parameter) {String value=Super. GetParameter (parameter); if(Value = =NULL) {                 return NULL; }          returnCLEANXSS (value); }     Publicstring GetHeader (string name) {String Value=Super. GetHeader (name); if(Value = =NULL)            return NULL; returnCLEANXSS (value); }    Privatestring Cleanxss (String value) {//You'll need to remove the spaces from the HTML entities belowValue = Value.replaceall ("<", "& lt;"). ReplaceAll (">", "& gt;"); Value= Value.replaceall ("\ \ (", "& #40;"). ReplaceAll ("\ \)", "& #41;"); Value= Value.replaceall ("'", "& #39;")); Value= Value.replaceall ("eval\\ (. *) \ \)", ""); Value= Value.replaceall ("[\\\" \\\ '][\\s]*javascript: (. *) [\\\ "\\\ ']", "\" \ ""); Value= Value.replaceall ("Script", "" "); returnvalue; }}

Then, also add a filter xssfilter in the background, the specific code is as follows.

 Packagecom.iss.sas.web.base;Importjava.io.IOException;ImportJavax.servlet.Filter;ImportJavax.servlet.FilterChain;ImportJavax.servlet.FilterConfig;Importjavax.servlet.ServletException;Importjavax.servlet.ServletRequest;ImportJavax.servlet.ServletResponse;Importjavax.servlet.http.HttpServletRequest; Public classXssfilterImplementsFilter {filterconfig filterconfig=NULL;  Public voidInit (Filterconfig filterconfig)throwsservletexception { This. Filterconfig =Filterconfig; }         Public voiddestroy () { This. Filterconfig =NULL; }         Public voidDoFilter (servletrequest request, servletresponse response, Filterchain chain)throwsIOException, servletexception {chain.dofilter (NewXsshttpservletrequestwrapper ((httpservletrequest) request), response); }}

Finally, in Web. XML, the getparameter of all requests will be replaced, and if the parameters contain sensitive words, they will be replaced.

<filter>     <filter-name>XssSqlFilter</filter-name>     <filter-class> com.iss.sas.web.base.xssfilter</filter-class>  </filter>  <filter-mapping>     <filter-name>XssSqlFilter</filter-name>     <url-pattern>/*</ url-pattern>     <dispatcher>REQUEST</dispatcher>  </filter-mapping>

Summary: Although MyBatis uses placeholders to receive parameter passing, it provides a good solution for SQL blinds, but this only avoids part of the problem, the user can also use parameters as a pointcut to attack the site illegally, so also consider the parameters of the dangerous characters to filter and intercept.

Addressing SQL Blinds and cross-site scripting attacks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.