Web security Combat (V) The second solution to XSS attacks (recommended)

Source: Internet
Author: User



Preface
Speaking of XSS attacks, there are already two earlier articles on this subject. The reason for returning to it now is a few new problems that surfaced in recent work. How was the problem solved before, and why change the solution again? The details follow.

Old scheme
The company's test team reported the problem and asked for a quick fix. I searched a lot of related material online, read the basic security books, and, based on the principle of XSS attacks, wrote a filter and added handling code for the various kinds of requests. The filter first intercepts the request the browser sends, then reads the list of parameter names and values (including form submissions) and processes the critical characters in those parameters. That processing falls into two cases.
In the first case the critical characters are converted into a safer form so that the original meaning is retained and can be restored when needed. The critical characters are still present, only in a safer encoding. The advantage is that the request keeps its original content; the drawback is that some useless junk reaches the database or file system. Ordinary users performing normal operations will not enter these characters, so they only appear in attack attempts, and converting them is only an indirect protective measure.
In the second case the critical characters are not converted but removed: the request is cleaned and illegal characters are filtered out, so that whatever enters the database or file system is a legitimate statement. This case also has its pros and cons. During filtering, some of a user's legitimate parameters may be cleaned away, so the request is no longer guaranteed to arrive intact; on the other hand the security of the system improves greatly. To keep user input from being distorted, the best we can do is to prevent users from entering special characters in the first place: for registration, login and other requests, specify which special characters a user may use, and filter out those that are not allowed.

Problem
After the old scheme was handed to the test team, the large majority of the XSS problems were gone, but a new problem appeared: during login the verification code was occasionally filtered out, and some URLs were occasionally dropped. Although web.xml configured the filter for all requests, the problem persisted. The test team's report also still showed a small number of XSS issues, which I had to resolve as soon as possible.
To address this I studied the source code of the affected areas together with the XssFilter I had written, and found two problems.
First, the back-end validation logic was incomplete: the submitted request was not given the corresponding handling.
Second, the XssFilter itself had a flaw. It implemented case one above, converting the critical characters only, which does not fundamentally solve the problem.
As the saying goes, a prolonged illness makes a good doctor. Keep turning a problem over in your mind and you will eventually solve it with half the effort.

New Solutions
For these problems I have two points to make. The first concerns the back-end validation logic, and needs no detail: it amounts to making the validation complete, abstracting the possible cases, extracting the common validation logic, handling the individual cases separately, and keeping code reuse in mind.
The second concerns the global handling of XSS attacks. There are two ways to solve it, described below.
Scheme One
If the situation you face is that user input and output are clearly constrained and the permitted special characters are clearly specified, you can write your own XssFilter following case two above: filter out and clean up the special characters that are not allowed in input, including the characters that are sensitive for SQL injection. The filter sits at the web layer, so you only have to concentrate on your business logic and add the handling of the critical characters.
Scheme Two
Think of the old saying about standing on the shoulders of giants; the other option is exactly that. I recommend an open-source plug-in, XssProject (author unknown). The source code is hosted on Google Code; if you want to study it you can find it yourself. Here is how to integrate XssProject into a project so that it works for us.
First, add the three jar packages to the project: xssprotect-0.1.jar, antlr-3.0.1.jar and antlr-runtime-3.0.1.jar.
Then, wrap the request with code such as the following.
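The two handling strategies described above (case one: convert the critical characters and restore them later; case two: filter them out, keeping only the characters a given form explicitly allows) in plain Java, as an added example that is not code from the original post. The character set, entity names and the sample input are this example's own choices.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example: the two ways of handling "critical characters" that the post describes.
 * Case one converts and can restore; case two filters out.
 */
public final class CriticalCharHandling {

    /** Characters that change meaning inside HTML text or attributes (this example's choice). */
    private static final Map<Character, String> ENTITIES = new HashMap<>();
    static {
        ENTITIES.put('&', "&amp;");
        ENTITIES.put('<', "&lt;");
        ENTITIES.put('>', "&gt;");
        ENTITIES.put('"', "&quot;");
        ENTITIES.put('\'', "&#39;");
    }

    /** Case one: convert every critical character into a safe form; meaning kept, reversible. */
    public static String escape(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            String entity = ENTITIES.get(c);
            out.append(entity != null ? entity : c);
        }
        return out.toString();
    }

    /** Restore the original text (the post's "restore in due time"). */
    public static String unescape(String s) {
        if (s == null) return null;
        String r = s;
        for (Map.Entry<Character, String> e : ENTITIES.entrySet()) {
            if (e.getKey() == '&') continue;            // decode &amp; last to avoid double decoding
            r = r.replace(e.getValue(), String.valueOf(e.getKey()));
        }
        return r.replace("&amp;", "&");
    }

    /**
     * Case two: drop critical characters except those the form explicitly allows
     * (the post's suggestion of declaring per request which special characters a user may use).
     * Irreversible: legitimate input can be distorted.
     */
    public static String strip(String s, Set<Character> allowed) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (!ENTITIES.containsKey(c) || allowed.contains(c)) out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary text that legitimately contains critical characters.
        String input = "O'Neil says 1 < 2 & 3 > 2, see <b>docs</b>";

        String escaped = escape(input);
        System.out.println("case one, stored  : " + escaped);
        System.out.println("case one, restored: " + unescape(escaped)
                + " (round-trips: " + input.equals(unescape(escaped)) + ")");

        // A name field may allow the apostrophe and nothing else from the critical set.
        Set<Character> nameFieldAllows = Collections.singleton('\'');
        System.out.println("case two, stored  : " + strip(input, nameFieldAllows)
                + " (the comparison and the tags are lost)");
    }
}
```

Running the class shows the trade-off the post describes: case one stores `O&#39;Neil says 1 &lt; 2 &amp; 3 &gt; 2, see &lt;b&gt;docs&lt;/b&gt;` and restores the input exactly, while case two stores `O'Neil says 1  2  3  2, see bdocsb`, which can no longer be told apart from what the user actually typed.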
```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Classes from xssprotect-0.1.jar; adjust the package if your copy of the jar differs.
import xssprotect.HTMLParser;
import xssprotect.XSSFilter;

public class NewXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private HttpServletRequest orgRequest = null;

    public NewXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Overrides getParameter: both the parameter name and the parameter value are passed
     * through the XSS filter. If you need the original value, fetch it through
     * super.getParameterValues(name). getParameterNames, getParameterValues and
     * getParameterMap may also need to be overridden.
     */
    @Override
    public String getParameter(String name) {
        System.out.println("NewXssFilter value before processing = " + super.getParameter(name));
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        System.out.println("NewXssFilter value after processing = " + value);
        return value;
    }

    /**
     * Overrides getHeader: both the header name and the header value are passed through
     * the XSS filter. If you need the original value, fetch it through super.getHeaders(name).
     * getHeaderNames may also need to be overridden.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * Replaces the half-width characters that easily cause XSS vulnerabilities with their
     * full-width equivalents, using xssprotect's HTMLParser and XSSFilter.
     *
     * @param s the raw string
     * @return the filtered string, the raw string if the parser fails with NPE, null on other errors
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringReader reader = new StringReader(s);
        StringWriter writer = new StringWriter();
        try {
            HTMLParser.process(reader, writer, new XSSFilter(), true);
            return writer.toString();
        } catch (NullPointerException e) {
            return s;
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return null;
    }

    /**
     * Returns the most original request.
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Static helper that returns the most original request behind a wrapper.
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof NewXssHttpServletRequestWrapper) {
            return ((NewXssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}
```


Next, create the filter NewXssFilter.
```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class NewXssFilter implements Filter {

    private FilterConfig filterConfig = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String path = httpRequest.getContextPath();
        String basePath = request.getScheme() + "://" + request.getServerName() + ":"
                + request.getServerPort() + path + "/";

        // Referer check on the HTTP header: a request whose Referer points outside this
        // application is forwarded to its own URI (a refresh) instead of going down the chain.
        String referer = httpRequest.getHeader("Referer");
        if (referer != null && referer.indexOf(basePath) < 0) {
            System.out.println("Referer not empty, referer >>>>>>>>>>>>>> " + referer);
            httpRequest.getRequestDispatcher(httpRequest.getRequestURI()).forward(httpRequest, response);
            return; // the forward has produced the response; do not also run the chain
        }

        // Everything else is wrapped so that parameters and headers are filtered on access.
        NewXssHttpServletRequestWrapper xssRequest = new NewXssHttpServletRequestWrapper(httpRequest);
        chain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}
```


Finally, configure the filter in web.xml.
```xml
<filter>
    <filter-name>xssSqlFilter</filter-name>
    <filter-class>com.***.web.common.NewXssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssSqlFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```
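The wrapper above only overrides getParameter and getHeader, and its own comment notes that getParameterValues and getParameterMap may also need to be overridden; frameworks that bind forms through getParameterMap would otherwise read the raw values and bypass the filter. The following is an added example, not code from the post or from XssProject, of a wrapper that routes every parameter accessor through one sanitizer. The sanitizer is injected so that the xssprotect call or any other encoder can be plugged in; the `main` method uses a dynamic proxy as a stand-in for the container's request object and a constructed parameter map, so the class can be run outside a servlet container with only the servlet API jar on the classpath.

```java
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Added example: a request wrapper that sanitizes every parameter accessor, not only getParameter. */
public class AllParamsXssRequestWrapper extends HttpServletRequestWrapper {

    private final UnaryOperator<String> sanitize; // e.g. the xssEncode of the post, injected

    public AllParamsXssRequestWrapper(HttpServletRequest request, UnaryOperator<String> sanitize) {
        super(request);
        this.sanitize = sanitize;
    }

    private String[] sanitizeAll(String[] values) {
        if (values == null) return null;
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = values[i] == null ? null : sanitize.apply(values[i]);
        }
        return out;
    }

    @Override
    public String getParameter(String name) {
        String v = super.getParameter(name);
        return v == null ? null : sanitize.apply(v);
    }

    @Override
    public String[] getParameterValues(String name) {
        return sanitizeAll(super.getParameterValues(name));
    }

    /** Covers framework data binding, which typically reads the whole map at once. */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : original.entrySet()) {
            out.put(e.getKey(), sanitizeAll(e.getValue()));
        }
        return Collections.unmodifiableMap(out);
    }

    /** Header values are sanitized too; the header name is left untouched so lookups still match. */
    @Override
    public String getHeader(String name) {
        String v = super.getHeader(name);
        return v == null ? null : sanitize.apply(v);
    }

    // Stand-alone demonstration: a dynamic proxy plays the container's request object.
    public static void main(String[] args) {
        // Constructed sample parameters, as a browser might have submitted them.
        Map<String, String[]> raw = new LinkedHashMap<>();
        raw.put("name", new String[] {"Tom & Jerry"});
        raw.put("tags", new String[] {"<b>bold</b>", "plain"});

        HttpServletRequest fake = (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, margs) -> {
                    switch (method.getName()) {
                        case "getParameterMap":    return raw;
                        case "getParameterValues": return raw.get(margs[0]);
                        case "getParameter": {
                            String[] v = raw.get(margs[0]);
                            return v == null ? null : v[0];
                        }
                        case "getHeader":          return null;
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });

        // A minimal entity encoder stands in for xssprotect here (an assumption of this example).
        UnaryOperator<String> encode = s -> s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");

        HttpServletRequest req = new AllParamsXssRequestWrapper(fake, encode);
        System.out.println(req.getParameter("name"));                       // Tom &amp; Jerry
        System.out.println(Arrays.toString(req.getParameterValues("tags"))); // [&lt;b&gt;bold&lt;/b&gt;, plain]
        System.out.println(Arrays.toString(req.getParameterMap().get("tags"))); // same, via the map
    }
}
```

Whichever accessor the downstream code uses, it sees the same sanitized values. Note that, as in the post's wrapper, this is output-neutral encoding applied at input time; it does not replace context-aware escaping in the view layer.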


Conclusion
That is all the content on solving XSS attacks that I wanted to share. My personal advice is to use XssProject to solve this problem: it already provides a very good filtering and processing solution, and you can extend it by studying its code if you need to. Finally, the three jar packages XssProject requires are attached.

xssproject Download

