1. 首頁
  2. 問答
  3. 防止XSS在Spring MVC控制器

防止XSS在Spring MVC控制器

2017-01-30 104 views
1

喜在我的項目Veracode的在我的請求處理方法報告了XSS問題CWE ID 80.:防止XSS在Spring MVC控制器

@RequestMapping(value = "/Update.mvc") 
public @ResponseBody String execute(@ModelAttribute UpdateForm updateForm, BindingResult result, 
     HttpServletRequest request, HttpServletResponse response) throws ActionException { 
    return executeAjax(updateForm, request, response, result); 
}

所以executeAjax來自一個抽象類,有不同的實現? 在這些實現中,來自表單的用戶輸入是get和被操縱,以便構造返回的字符串。

所以我的問題是: 是否Veracode的假設是在執行中可以有XSS?或者一般的東西? - 如何防止這種情況?我總是使用轉換輸入數據,並且不會在用戶輸入時返回? - 那麼如何預防呢? - 我必須從HttpServiceRequest中轉義所有標題/請求參數嗎?

編輯: 我一定要使用過濾器,如: SecurityWrapperRequest

來源

2017-01-30 Xelian

+0

您需要轉義所有請求參數。例如。通過添加一個過濾器 – StanislavL

+0

@StanislavL你能給出更詳細的解釋。我需要添加HttpRequest過濾器,以便從請求中轉義所有頭文件和所有參數?或者我可以在本地開展工作,並將請求包裝爲我的executeAjax類的所有實現? LikeL https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html – Xelian

回答

2

您可以使用XSSFilter逃避所有請求參數。見here

public class XSSFilter implements Filter { 

    @Override 
    public void init(FilterConfig filterConfig) throws ServletException { 
    } 

    @Override 
    public void destroy() { 
    } 

    @Override 
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
     throws IOException, ServletException { 
     chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response); 
    } 

}

和包裝器

import java.util.regex.Pattern; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletRequestWrapper; 

public class XSSRequestWrapper extends HttpServletRequestWrapper { 

    public XSSRequestWrapper(HttpServletRequest servletRequest) { 
     super(servletRequest); 
    } 

    @Override 
    public String[] getParameterValues(String parameter) { 
     String[] values = super.getParameterValues(parameter); 

     if (values == null) { 
      return null; 
     } 

     int count = values.length; 
     String[] encodedValues = new String[count]; 
     for (int i = 0; i < count; i++) { 
      encodedValues[i] = stripXSS(values[i]); 
     } 

     return encodedValues; 
    } 

    @Override 
    public String getParameter(String parameter) { 
     String value = super.getParameter(parameter); 

     return stripXSS(value); 
    } 

    @Override 
    public String getHeader(String name) { 
     String value = super.getHeader(name); 
     return stripXSS(value); 
    } 

    private String stripXSS(String value) { 
     if (value != null) { 
      // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to 
      // avoid encoded attacks. 
      // value = ESAPI.encoder().canonicalize(value); 

      // Avoid null characters 
      value = value.replaceAll("", ""); 

      // Avoid anything between script tags 
      Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Avoid anything in a src='...' type of expression 
      scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Remove any lonesome </script> tag 
      scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Remove any lonesome <script ...> tag 
      scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Avoid eval(...) expressions 
      scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Avoid expression(...) expressions 
      scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Avoid javascript:... expressions 
      scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Avoid vbscript:... expressions 
      scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); 
      value = scriptPattern.matcher(value).replaceAll(""); 

      // Avoid onload= expressions 
      scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); 
      value = scriptPattern.matcher(value).replaceAll(""); 
     } 
     return value; 
    } 
}

其實你可以使用過濾器作爲一個地下室,它擴大到添加任何需要的邏輯來包裝。

來源

2017-01-31 06:47:58 StanislavL

+0

對性能有任何負面影響,因爲這些Patters匹配不是很輕? – Xelian

+1

無論如何,安全功能對性能有負面影響。嘗試用更快的替換模式檢查。 – StanislavL

+0

ESAPI包裝器呢?我可以使用它嗎? https://github.com/ESAPI/esapi-java-legacy/blob/2ff45b140a7e7b527a93bcdbc6bd7a1b3c188aca/src/main/java/org/owasp/esapi/filters/SecurityWrapperRequest.java – Xelian

相關問題

 相關問題