

Summary of Common Methods for Preventing XSS Attacks in Java

Published: 2024/9/3 | 35 | 豆豆

In an earlier article I described how a Java web application can prevent CSRF attacks (see "Java web applications using Spring to prevent CSRF attacks"), but that is only one kind of attack. There are others, such as the XSS attack I want to write down today. For a formal explanation of XSS you can search the web; the Baidu Baike entry at http://baike.baidu.com/view/2161269.htm is one reference. But how do you actually prevent this kind of attack in a real application? Several approaches follow.

1. Write your own filter to intercept requests. Note that when configuring the filter in web.xml, put this filter first.

2. Use the open-source ESAPI library; see https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

3. Use the utility classes that Spring provides.

I. The first method

Configure the filter:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XSSFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Hand every downstream servlet a wrapped request whose parameters and headers are cleaned
        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
    }
}
```

Then implement the wrapper class for ServletRequest:

```java
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XSSRequestWrapper extends HttpServletRequestWrapper {

    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return stripXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }

    private String stripXSS(String value) {
        if (value != null) {
            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
            // avoid encoded attacks.
            // value = ESAPI.encoder().canonicalize(value);

            // Avoid null characters
            value = value.replaceAll("\0", "");

            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid anything in a src='...' type of expression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid eval(...) expressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid expression(...) expressions
            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid javascript:... expressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid vbscript:... expressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // Avoid onload= expressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }
}
```

The commented-out line in the example is where the ESAPI library would be used to prevent XSS attacks; that is the recommended approach.

I have also seen another approach, which replaces all the dangerous characters with their full-width equivalents, but personally I don't think it is as good as the regular-expression replacement above:

```java
private static String xssEncode(String s) {
    if (s == null || s.equals("")) {
        return s;
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        switch (c) {
        case '>':
            sb.append('＞');// full-width greater-than sign
            break;
        case '<':
            sb.append('＜');// full-width less-than sign
            break;
        case '\'':
            sb.append('\\');
            sb.append('\'');
            sb.append('\\');
            sb.append('\'');
            break;
        case '\"':
            sb.append('\\');
            sb.append('＂');// full-width double quote
            break;
        case '&':
            sb.append('＆');// full-width ampersand
            break;
        case '\\':
            sb.append('＼');// full-width backslash
            break;
        case '#':
            sb.append('＃');// full-width hash sign
            break;
        case ':':
            sb.append('：');// full-width colon
            break;
        case '%':
            sb.append("\\\\%");
            break;
        default:
            sb.append(c);
            break;
        }
    }
    return sb.toString();
}
```

There is also the following simpler way:

```java
private String cleanXSS(String value) {
    // Replace the characters that open tags, function calls and string literals with HTML entities
    value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
    value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
    value = value.replaceAll("'", "&#39;");
    // Then drop the script-like fragments outright
    value = value.replaceAll("eval\\((.*)\\)", "");
    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
    value = value.replaceAll("script", "");
    return value;
}
```

How do you do this in the back end, or with Spring?

First add a jar, commons-lang-2.5.jar, then call these functions in the back end:

```java
import org.apache.commons.lang.StringEscapeUtils;

// Each call escapes the value for one output context: HTML, a JavaScript string, or a SQL literal
StringEscapeUtils.escapeHtml(string);
StringEscapeUtils.escapeJavaScript(string);
StringEscapeUtils.escapeSql(string);
```

I also remember that Spring seems to have HtmlUtils.htmlEscape, which can likewise filter XSS attacks. From the above it can be seen that preventing XSS attacks is not hard; you just have to be careful.
