Java protection against cross-site scripting attacks (XSS)

Network Center Tip site has a large number of cross-site scripting attacks (XSS) vulnerability, after reviewing the code, that is, the binding variables in the JSP is not processed directly write, and the whole project is too many, because it is many years ago, not a change, referring to the online information, The data parameters are processed by adding filter.

1. Download Lucy-xss-servlet-filter:https://github.com/naver/lucy-xss-servlet-filter on GitHub

2. Open the project Lucy-xss-servlet-filter and export the download code as a jar package.

Project output to jar package See Tutorial: http://blog.csdn.net/yahohi/article/details/6888559

3. Put the generated jar package and the jar package referenced by Lucy-xss-servlet-filter into the/web-info/lib directory of the vulnerability Web site or Tomcat's lib directory.

4. Add a reference to the Lucy-xss-servlet-filter in Web. XML of the vulnerability website.

...    <Filter>        <Filter-name>Xssescapeservletfilter</Filter-name>        <Filter-class>Com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter</Filter-class>    </Filter>    <filter-mapping>        <Filter-name>Xssescapeservletfilter</Filter-name>        <Url-pattern>/*</Url-pattern>    </filter-mapping>...

5, in the classess directory into the Lucy-xss-servlet-filter-rule.xml.

1 <?XML version= "1.0" encoding= "UTF-8"?>2 <Configxmlns= "Http://www.navercorp.com/lucy-xss-servlet">3    <Defenders>4        <!--xsspreventer?? -5        <Defender>6            <name>Xsspreventerdefender</name>7            <class>Com.navercorp.lucy.security.xss.servletfilter.defender.XssPreventerDefender</class>8        </Defender>9 Ten        <!--xsssaxfilter?? - One        <Defender> A            <name>Xsssaxfilterdefender</name> -            <class>Com.navercorp.lucy.security.xss.servletfilter.defender.XssSaxFilterDefender</class> -            <Init-param> the                <Param-value>Lucy-xss-sax.xml</Param-value>   <!--lucy-xss-filter sax????? - -                <Param-value>False</Param-value>        <!--?????????????,????? false?? - -            </Init-param> -        </Defender> +  -        <!--xssfilter?? - +        <Defender> A            <name>Xssfilterdefender</name> at            <class>Com.navercorp.lucy.security.xss.servletfilter.defender.XssFilterDefender</class> -            <Init-param> -                <Param-value>Lucy-xss.xml</Param-value>    <!--lucy-xss-filter dom????? - -                <Param-value>False</Param-value>         <!--?????????????,????? false?? - -            </Init-param> -        </Defender> in    </Defenders> -  to     <!--default defender??,??? defender?????? Default defender?????????. - +     <default> -         <Defender>Xsspreventerdefender</Defender> the     </default> *  $     <!--global?????? -Panax Notoginseng     <Global> -         <!--?? URL?????? globalparameter????????????? the ?? globalprefixparameter??????????????????. - +         <params> A             <paramname= "Globalparameter"Usedefender= "false" /> the             <paramname= "Globalprefixparameter"Useprefix= "true"Usedefender= "false" /> +         </params> -     </Global> $  $     <!--URL??????? - -     <Url-rule-set> -         the        <!--url disable? true????? URL?????????????????. - -        <Url-rule>Wuyi            <URLDisable= "true">/disableurl1.do</URL> the        </Url-rule> -         Wu         <!--url1 url1parameter??????????? url1prefixparameter??????????????????. - -         <Url-rule> About             <URL>/url1.do</URL> $             <params> -                 <paramname= "Url1parameter"Usedefender= "false" /> -                 <paramname= "Url1prefixparameter"Useprefix= "true"Usedefender= "false" /> -             </params> A         </Url-rule> +          the         <!--url2 url2parameter1????????? Url2parameter2 xsssaxfilterdefender?????????.  - -         <Url-rule> $             <URL>/url2.do</URL> the             <params> the                 <paramname= "Url2parameter1"Usedefender= "false" /> the                 <paramname= "Url2parameter2"> the                     <Defender>Xsssaxfilterdefender</Defender> -                 </param> in             </params> the         </Url-rule> the     </Url-rule-set> About </Config>

6. Restart the Tomcat test site, inject script in parameters no longer prompt for XSS warning, but direct error.

Problem solving. The advantage is that you don't have to change the original site.

Reference:

Web security Combat (V) Another solution to XSS attacks (recommended)-CSDN Blog

Java (SSH) project to prevent XSS attack method summary

Java protection against cross-site scripting attacks (XSS)