I. XSS (Cross-Site Scripting)
XSS, in full "cross-site scripting", is one of the injection attacks. It is characterized by doing no harm to the server itself: through a normal in-site interaction, such as posting a comment, the attacker submits content that contains JavaScript. If the server neither filters nor escapes that content and publishes it on a page as-is, every other user who visits the page runs the injected script.
See the following blog posts on how XSS attacks work:
http://www.cnblogs.com/bangerlee/archive/2013/04/06/3002142.html
http://www.cnblogs.com/wangyuyu/p/3388180.html
http://www.cnblogs.com/dongzhiquan/archive/2010/08/08/1994581.html
Here is how to defend against XSS:
1. Validate every place that accepts user input and every variable derived from it: check the length, and filter characters such as "<", ">" and "/";
2. Escape the parameters of every request in a Filter, converting "<", ">", "/" and other special characters to their full-width equivalents before the values are stored in the database.
Custom Filter:
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class InjectFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Wrap the request so that every parameter read goes through the escaping wrapper
        XssHttpServletRequestWrapper xssRequest =
                new XssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {
    }
}
XssHttpServletRequestWrapper:
Overrides getParameterValues and getParameterMap to intercept the parameters, escape them and return the escaped values.
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang3.StringUtils;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    HttpServletRequest request = null;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> retMap = super.getParameterMap();
        retMap = wrapParamValue(retMap);
        return retMap;
    }

    @Override
    public String getParameter(String name) {
        // HttpServletRequestWrapper.getParameter() delegates straight to the wrapped request,
        // so without this override a single-value read would bypass the escaping below.
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null || !needCheck(request.getRequestURI(), name)) {
            return values;
        }
        // Escape every value, not only the first: a parameter may be repeated in one request.
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = StringUtils.isNotBlank(values[i]) ? xssEncode(values[i]) : values[i];
        }
        return escaped;
    }

    /*private String listParams(Map<String, String[]> params) {
        StringBuilder sbs = new StringBuilder("");
        for (String pn : params.keySet()) {
            if (!sbs.toString().equals("")) {
                sbs.append(";");
            }
            sbs.append(pn + "=" + params.get(pn)[0]);
        }
        return sbs.toString();
    }*/

    private Map<String, String[]> wrapParamValue(Map<String, String[]> params) {
        Map<String, String[]> newParams = new LinkedHashMap<>();
        for (String pn : params.keySet()) {
            String[] pvs = params.get(pn);
            String[] escaped = new String[pvs.length];
            for (int i = 0; i < pvs.length; i++) {
                escaped[i] = xssEncode(pvs[i]);
            }
            newParams.put(pn, escaped);
        }
        return newParams;
    }

    // Requests the post exempts from escaping: one save endpoint's parameter and JSON endpoints.
    private boolean needCheck(String reqUri, String paramName) {
        if ((reqUri.endsWith("template/save") && paramName.equals("nodesInfo"))
                || reqUri.endsWith("/getjson")) {
            return false;
        }
        return true;
    }

    // Replace characters with HTML meaning by their full-width look-alikes.
    private static String xssEncode(String s) {
        if (s == null || "".equals(s)) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('＞'); // full-width greater-than sign
                    break;
                case '<':
                    sb.append('＜'); // full-width less-than sign
                    break;
                case '\'':
                    sb.append('＇'); // full-width single quote
                    break;
                case '"':
                    sb.append('＂'); // full-width double quote
                    break;
                case '&':
                    sb.append('＆'); // full-width ampersand
                    break;
                case '?':
                    sb.append('？'); // full-width question mark
                    break;
                case '\\':
                    sb.append('＼'); // full-width backslash
                    break;
                case '#':
                    sb.append('＃'); // full-width number sign
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    public HttpServletRequest getOrgRequest() {
        return request;
    }

    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}
3. All content is escaped before it is output to the page;
Introduce the JSTL functions tag library: <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
Output the value like this: <input name="printBody" id="printBody" value="${fn:escapeXml(model.printBody)}" type="hidden"/>
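The following is an added example, not code from the original post, showing in plain Java what fn:escapeXml does at the output sink, together with a second encoder for the case the JSP tag does not cover: a value written into a JavaScript string literal inside a <script> block, where HTML entity escaping is not sufficient. Unlike the full-width replacement in the filter above, output encoding leaves the stored data unchanged and escapes only when rendering. The class and method names are assumptions.

```java
public final class HtmlOutputEncoder {

    private HtmlOutputEncoder() {}

    /**
     * Escape for an HTML text node or a quoted attribute value.
     * Same character set and entities as JSTL fn:escapeXml.
     */
    public static String forHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escape for use inside a JavaScript string literal in a <script> block.
     * Everything except ASCII letters and digits becomes a \\uXXXX escape, so neither
     * quotes nor "</script>" can terminate the literal or the script element.
     */
    public static String forJsString(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for model.printBody
        String stored = "<script>alert('x')</script>";
        System.out.println("HTML attribute: " + forHtml(stored));
        System.out.println("JS literal:     '" + forJsString(stored) + "'");
    }
}
```

Pick the encoder by where the value lands: forHtml for element text and attribute values, forJsString for anything interpolated into script code. A value that is first passed through forJsString and then placed in an attribute still needs forHtml on top.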
4. XSS attacks frequently steal cookies, so we set HttpOnly on sensitive cookies and avoid creating cookies that client-side scripts need to manipulate.
response.setHeader("Set-Cookie", "cookieName=value; Path=/; Domain=domainValue; Max-Age=seconds; HttpOnly");
Once this is set, the cookie can no longer be read by JavaScript, but server-side code can still read it with Cookie[] cookies = request.getCookies();
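As an added example (not from the original post), the same HttpOnly cookie set through the Servlet 3.0 Cookie API instead of a hand-written header, plus the header form for the one attribute that API lacks, and the server-side read-back the text mentions. Cookie names, values and the helper class name are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SensitiveCookies {

    private SensitiveCookies() {}

    /** Servlet 3.0+: HttpOnly and Secure are setters on Cookie, no header string to get wrong. */
    public static void addSensitiveCookie(HttpServletResponse response,
                                          String name, String value, int maxAgeSeconds) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // not visible to document.cookie
        c.setSecure(true);     // only sent over HTTPS
        c.setPath("/");
        c.setMaxAge(maxAgeSeconds);
        response.addCookie(c);
    }

    /**
     * The javax.servlet Cookie class has no SameSite setter, so when that attribute is
     * wanted the Set-Cookie header is written directly, as the post does.
     */
    public static void addSensitiveCookieWithSameSite(HttpServletResponse response,
                                                      String name, String value, int maxAgeSeconds) {
        response.addHeader("Set-Cookie",
                name + "=" + value + "; Path=/; Max-Age=" + maxAgeSeconds
                        + "; Secure; HttpOnly; SameSite=Strict");
    }

    /** HttpOnly only hides the cookie from scripts; the server still receives and can read it. */
    public static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }
}
```

Use addHeader rather than setHeader when more than one cookie is issued in the same response; setHeader replaces any Set-Cookie header already written.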
II. CSRF (Cross-Site Request Forgery)
1. Add an HTTP Referer whitelist and verify the Referer of each request.
In short, Referer is a request header in the HTTP protocol that tells the server which page the request came from. For example, if you click through to a page from a Google search result, the Referer of that HTTP request is the address of the Google results page. If one of your blog posts references an image hosted elsewhere, the Referer of the HTTP request for that image is the address of your blog post.
http://www.tuicool.com/articles/A3EJBv
http://netsecurity.51cto.com/art/201407/446775.htm
2. Add a CSRF token to each request (the token is valid only for a single user's login session).
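The two CSRF measures above combined in one servlet filter, as an added example that is not part of the original post: state-changing requests must come from an allowlisted host (the Origin header is checked first, falling back to Referer) and must carry a token that was generated once per login session and is compared in constant time. The allowlisted hosts, the session attribute name, the form field name and the header name are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CsrfFilter implements Filter {

    static final String TOKEN_SESSION_KEY = "csrfToken";  // assumed session attribute name
    static final String TOKEN_PARAM = "_csrf";            // assumed hidden form field name
    static final String TOKEN_HEADER = "X-CSRF-Token";    // assumed header name for AJAX calls
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Hosts allowed to originate state-changing requests (assumed values). */
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "example.com");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // One token per login session; page templates embed it in every form.
        if (session.getAttribute(TOKEN_SESSION_KEY) == null) {
            session.setAttribute(TOKEN_SESSION_KEY, newToken());
        }

        if (isStateChanging(request.getMethod())
                && (!sourceAllowed(request) || !tokenValid(request, session))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF check failed");
            return;
        }
        chain.doFilter(request, response);
    }

    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Measure 1: Origin (preferred) or Referer must name an allowlisted host. Fails closed when both are absent. */
    static boolean sourceAllowed(HttpServletRequest request) {
        String origin = request.getHeader("Origin");
        String source = origin != null ? origin : request.getHeader("Referer");
        return source != null && hostAllowed(source);
    }

    /** Compare the parsed host exactly; a prefix or substring match could be satisfied by a look-alike host. */
    static boolean hostAllowed(String url) {
        try {
            String host = new URI(url).getHost();
            return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Measure 2: the submitted token must equal the session's token. */
    static boolean tokenValid(HttpServletRequest request, HttpSession session) {
        String expected = (String) session.getAttribute(TOKEN_SESSION_KEY);
        String supplied = request.getParameter(TOKEN_PARAM);
        if (supplied == null) {
            supplied = request.getHeader(TOKEN_HEADER);
        }
        return tokensMatch(expected, supplied);
    }

    static boolean tokensMatch(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        // Constant-time comparison: a plain equals() leaks how many leading bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    static String newToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

Map the filter to the paths that change state and render the session token into each form as a hidden field named _csrf. Because the token lives in the session it is invalidated together with the login, which is the "valid for a single login only" property the post asks for.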