Java protection against cross-site scripting attacks (XSS)

Source: Internet
Author: User

The Network Center tip site had a large number of cross-site scripting (XSS) vulnerabilities. After reviewing the code, the cause was clear: variables bound in the JSPs are written straight into the page without being encoded. The project is many years old and has far too many such places to fix one by one, so, following information found online, the request parameters are processed by adding a servlet filter instead.

1. Download lucy-xss-servlet-filter from GitHub: https://github.com/naver/lucy-xss-servlet-filter

2. Open the lucy-xss-servlet-filter project and export the downloaded code as a jar package.

For how to export a project to a jar package, see this tutorial: http://blog.csdn.net/yahohi/article/details/6888559

3. Put the generated jar package, together with the jar packages lucy-xss-servlet-filter depends on (including lucy-xss-filter, whose classes the defenders delegate to), into the vulnerable site's /WEB-INF/lib directory or into Tomcat's lib directory.

4. Register the filter in the vulnerable site's web.xml. Element names in web.xml are case-sensitive, and filters run in the order of their filter-mapping elements, so if the site already has a character-encoding filter that calls setCharacterEncoding, map it before this one: parameter parsing happens on the first getParameter call and cannot be re-encoded afterwards.

...
    <filter>
        <filter-name>xssEscapeServletFilter</filter-name>
        <filter-class>com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>xssEscapeServletFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
...

5. Put lucy-xss-servlet-filter-rule.xml into the WEB-INF/classes directory, where the filter loads it from the classpath root.

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.navercorp.com/lucy-xss-servlet">
    <defenders>
        <!-- register XssPreventer -->
        <defender>
            <name>xssPreventerDefender</name>
            <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssPreventerDefender</class>
        </defender>

        <!-- register XssSaxFilter -->
        <defender>
            <name>xssSaxFilterDefender</name>
            <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssSaxFilterDefender</class>
            <init-param>
                <param-value>lucy-xss-sax.xml</param-value>   <!-- lucy-xss-filter SAX configuration file -->
                <param-value>false</param-value>              <!-- whether to keep a comment where content was filtered; default false -->
            </init-param>
        </defender>

        <!-- register XssFilter -->
        <defender>
            <name>xssFilterDefender</name>
            <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssFilterDefender</class>
            <init-param>
                <param-value>lucy-xss.xml</param-value>       <!-- lucy-xss-filter DOM configuration file -->
                <param-value>false</param-value>              <!-- whether to keep a comment where content was filtered; default false -->
            </init-param>
        </defender>
    </defenders>

    <!-- default defender: any parameter without an explicit defender is filtered by this one -->
    <default>
        <defender>xssPreventerDefender</defender>
    </default>

    <!-- global settings -->
    <global>
        <!-- on every URL, the parameter globalParameter is not filtered,
             and neither is any parameter whose name starts with globalPrefixParameter -->
        <params>
            <param name="globalParameter" useDefender="false" />
            <param name="globalPrefixParameter" usePrefix="true" useDefender="false" />
        </params>
    </global>

    <!-- per-URL settings -->
    <url-rule-set>

        <!-- with disable="true" the URL is not filtered at all -->
        <url-rule>
            <url disable="true">/disableUrl1.do</url>
        </url-rule>

        <!-- on url1, url1Parameter is not filtered, and neither is any parameter starting with url1PrefixParameter -->
        <url-rule>
            <url>/url1.do</url>
            <params>
                <param name="url1Parameter" useDefender="false" />
                <param name="url1PrefixParameter" usePrefix="true" useDefender="false" />
            </params>
        </url-rule>

        <!-- on url2, url2Parameter1 is not filtered and url2Parameter2 is filtered by xssSaxFilterDefender -->
        <url-rule>
            <url>/url2.do</url>
            <params>
                <param name="url2Parameter1" useDefender="false" />
                <param name="url2Parameter2">
                    <defender>xssSaxFilterDefender</defender>
                </param>
            </params>
        </url-rule>
    </url-rule-set>
</config>

The default defender, xssPreventerDefender, HTML-escapes every parameter value it sees. The two lucy-xss-filter defenders instead apply the whitelist rules in lucy-xss-sax.xml and lucy-xss.xml, so those files must also be on the classpath, and they are only used for parameters whose url-rule names them. Keep the useDefender="false" exclusions to the minimum: every parameter listed there reaches the JSP unescaped.

6. Restart Tomcat and retest. Injecting a script into a request parameter no longer triggers the XSS warning; the request now ends in an error instead. To check by hand, request a page that echoes a parameter with a value such as <script>alert(1)</script> and confirm that the response body contains &lt;script&gt; rather than a raw <script> tag.

Problem solved. The advantage of this approach is that the original site's code does not have to change. The limitation is that the filter only wraps getParameter, getParameterValues and getParameterMap: values that reach a JSP from the database, from request headers or cookies, from the path, or from a JSON request body are still written out unescaped, and data stored before the filter was installed is not cleaned. Escaping every parameter on input also means legitimate text containing < or & is stored in escaped form, so the long-term fix is still to encode at output in the JSPs.

Reference:

Web Security in Practice (V): Another solution to XSS attacks (recommended), CSDN Blog

Summary of methods for preventing XSS attacks in Java (SSH) projects

