JSP Spring Boot/Cloud: using a filter to prevent XSS
I. Preface
XSS (Cross-Site Scripting)
Cross-Site Scripting is abbreviated XSS rather than CSS so that it is not confused with Cascading Style Sheets. An attacker inserts malicious script code into a web page; when a user browses that page, the script embedded in it is executed and attacks the user.
II. Approach
Use a filter to intercept requests and replace special characters with their HTML-escaped equivalents (for example, "<" becomes "&lt;"). The points to intercept are as follows:
- request header (requestHeader)
- request body (requestBody)
- request parameter (requestParameter)
III. Implementation
1. Create the XssHttpServletRequestWrapper class
Whenever a request header or parameter is read, the value is converted to HTML-escaped characters with the HtmlUtils.htmlEscape method, so that malicious code cannot take part in subsequent processing.
/**
 * XssHttpServletRequestWrapper.java
 * Created at
 * Created by wangkang
 * Copyright (C) 2016 egridcloud.com, All rights reserved.
 */
package com.egridcloud.udf.core.xss;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;

/**
 * Description: cross-site scripting (XSS) prevention
 *
 * @author wangkang
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Description: constructor
     *
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        // HtmlUtils.htmlEscape returns null for a null input, so a missing header stays null
        return HtmlUtils.htmlEscape(value);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return HtmlUtils.htmlEscape(value);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values != null) {
            int length = values.length;
            String[] escapedValues = new String[length];
            for (int i = 0; i < length; i++) {
                // escape every value of a multi-valued parameter
                escapedValues[i] = HtmlUtils.htmlEscape(values[i]);
            }
            return escapedValues;
        }
        return super.getParameterValues(name);
    }
}
2. Create the XssStringJsonSerializer class
The second place is wherever JSON conversion is involved; the same escaping is required there, for example for the requestBody and responseBody.
/**
 * XssStringJsonSerializer.java
 * Created at
 * Created by wangkang
 * Copyright (C) 2016 egridcloud.com, All rights reserved.
 */
package com.egridcloud.udf.core.xss;

import java.io.IOException;

import org.springframework.web.util.HtmlUtils;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;

/**
 * Description: XSS-aware JsonSerializer for String values
 *
 * @author wangkang
 */
public class XssStringJsonSerializer extends JsonSerializer<String> {

    @Override
    public Class<String> handledType() {
        // tells SimpleModule.addSerializer which type this serializer handles
        return String.class;
    }

    @Override
    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
            throws IOException {
        if (value != null) {
            // HTML-escape the string before it is written into the JSON output
            String encodedValue = HtmlUtils.htmlEscape(value);
            jsonGenerator.writeString(encodedValue);
        }
    }
}
3. Create a Bean
In the startup class, create the xssObjectMapper bean and mark it @Primary so that it replaces the ObjectMapper instance Spring Boot uses for JSON conversion across the whole system.
// imports needed in the startup class
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

/**
 * Description: xssObjectMapper
 *
 * @param builder the Jackson builder configured by Spring Boot
 * @return the ObjectMapper with the XSS serializer registered
 */
@Bean
@Primary
public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
    // build a JSON (not XML) mapper from Spring Boot's configured builder
    ObjectMapper objectMapper = builder.createXmlMapper(false).build();
    // register the XSS serializer
    SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
    xssModule.addSerializer(new XssStringJsonSerializer());
    objectMapper.registerModule(xssModule);
    return objectMapper;
}
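Step 2 lists the requestBody as a place that needs escaping, but the serializer only runs on output, and an incoming JSON body never passes through the wrapper's getParameter or getHeader. As an added example (not the author's code), the deserializer below covers the input side, and its module() helper registers both directions so it can be used in place of the SimpleModule built in step 3. The Comment DTO and the sample body are constructed for the demo.

```java
package com.egridcloud.udf.core.xss;

import java.io.IOException;

import org.springframework.web.util.HtmlUtils;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

/**
 * Escapes every JSON string field while the request body is parsed, so the
 * values handed to controllers already carry &lt; instead of <.
 */
public class XssStringJsonDeserializer extends JsonDeserializer<String> {

    @Override
    public String deserialize(JsonParser parser, DeserializationContext context) throws IOException {
        String value = parser.getValueAsString();
        // a JSON null stays null; everything else is HTML-escaped on the way in
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    /** Module covering both input (this class) and output (step 2's serializer). */
    public static SimpleModule module() {
        SimpleModule xssModule = new SimpleModule("XssStringJson");
        xssModule.addSerializer(new XssStringJsonSerializer());
        xssModule.addDeserializer(String.class, new XssStringJsonDeserializer());
        return xssModule;
    }

    /** Minimal DTO, constructed for this demo only. */
    public static class Comment {
        public String author;
        public String text;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(module());
        // constructed sample body, as a client would POST it with @RequestBody
        String body = "{\"author\":\"mallory\",\"text\":\"<script>alert(1)</script>\"}";
        Comment comment = mapper.readValue(body, Comment.class);
        System.out.println("text after deserialization: " + comment.text);
    }
}
```

Registering both sides double-encodes values that pass straight through (&lt; from the input side becomes &amp;lt; on output), so in practice keep only the side where the data actually crosses a trust boundary.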
4. Create an XssFilter
First, intercept all requests; then, in the doFilter method, cast the request to HttpServletRequest, wrap it in an XssHttpServletRequestWrapper, and pass the wrapper on down the filter chain.
/**
 * XssFilter.java
 * Created at
 * Created by wangkang
 * Copyright (C) 2016 egridcloud.com, All rights reserved.
 */
package com.egridcloud.udf.core.xss;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Description: cross-site scripting (XSS) prevention
 *
 * @author wangkang
 */
@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
public class XssFilter implements Filter {

    /** Description: log */
    private static final Logger LOGGER = LoggerFactory.getLogger(XssFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.debug("(XssFilter) initialize");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // wrap the request so that header and parameter reads downstream are escaped
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {
        LOGGER.debug("(XssFilter) destroy");
    }
}
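To confirm which of the three interception points from section II the filter actually covers, here is an added check (not part of the original article) that drives XssFilter with the mocks from spring-test and prints what the next element in the chain observes. It assumes spring-test is on the classpath and the classes from steps 1 and 4 are compiled as shown; the probe string and request are constructed for the demo.

```java
package com.egridcloud.udf.core.xss;

import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.util.StreamUtils;

/** Runs XssFilter once against a constructed request and shows what gets through. */
public class XssFilterCheck {

    /** Constructed probe: harmless, but visibly changes shape once escaped. */
    static final String PROBE = "<script>alert(1)</script>";

    /** Passes a request through the filter and returns what the chain received. */
    static HttpServletRequest passThroughFilter() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/comments");
        request.setParameter("text", PROBE);
        request.addHeader("X-Client-Note", PROBE);
        request.setContentType("application/json");
        request.setContent(("{\"text\":\"" + PROBE + "\"}").getBytes(StandardCharsets.UTF_8));

        MockFilterChain chain = new MockFilterChain();
        new XssFilter().doFilter(request, new MockHttpServletResponse(), chain);
        // MockFilterChain keeps the request object that doFilter handed on
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        HttpServletRequest wrapped = passThroughFilter();
        // covered by the wrapper: single parameter, parameter array, header
        System.out.println("parameter : " + wrapped.getParameter("text"));
        System.out.println("values[0] : " + wrapped.getParameterValues("text")[0]);
        System.out.println("header    : " + wrapped.getHeader("X-Client-Note"));
        // not covered: the raw body reaches @RequestBody parsing unchanged,
        // which is why the JSON layer (steps 2 and 3) needs its own escaping
        String body = StreamUtils.copyToString(wrapped.getInputStream(), StandardCharsets.UTF_8);
        System.out.println("body      : " + body);
    }
}
```

A filter declared with @WebFilter is only registered by Spring Boot when the application class carries @ServletComponentScan; this check calls doFilter directly, so it works regardless of how the filter is registered.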
IV. Conclusion
Although this article is based on Spring Boot, the idea is the same everywhere and is not limited to any particular framework.