springboot项目防止XSS攻击和sql注入方式
作者:yy1209357299
1、XSS跨站脚本攻击
①:XSS漏洞介绍
跨站脚本攻击XSS是指攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的Script代码会被解析执行,从而达到恶意攻击用户的目的。
XSS攻击针对的是用户层面的攻击!
②:XSS漏洞分类
存储型XSS:存储型XSS,持久化,代码是存储在服务器中的,如在个人信息或发表文章等地方,插入代码,如果没有过滤或过滤不严,那么这些代码将储存到服务器中,用户访问该页面的时候触发代码执行。
这种XSS比较危险,容易造成蠕虫,盗窃cookie
反射型XSS:非持久化,需要欺骗用户自己去点击链接才能触发XSS代码(服务器中没有这样的页面和内容),一般容易出现在搜索页面
③:防护建议
限制用户输入,表单数据规定值得类型,例如年龄只能是int,name为字母数字组合
- 对数据进行html encode处理
- 过滤或移除特殊的html标签
- 过滤javascript事件的标签
2、 SQL注入攻击
①:SQL注入漏洞介绍
SQL注入(SQLi)是一种注入攻击,可以执行恶意SQL语句。它通过将任意SQL代码插入数据库查询,使攻击者能够完全控制Web应用程序后面的数据库服务器。攻击者可以使用SQL注入漏洞绕过应用程序安全措施;可以绕过网页或Web应用程序的身份验证和授权,并检索整个SQL数据库的内容;还可以使用SQL注入来添加,修改和删除数据库中的记录。
SQL注入漏洞可能会影响使用SQL数据库(如MySQL,Oracle,SQL Server或其他)的任何网站或Web应用程序。犯罪分子可能会利用它来未经授权访问用户的敏感数据:客户信息,个人数据,商业机密,知识产权等。SQL注入攻击是最古老,最流行,最危险的Web应用程序漏洞之一
②:防护建议
使用mybatis中#{}可以有效防止sql注入
- 使用#{}时
<select id="getBlogById" resultType="Blog" parameterType=”int”> select id,title,author,content from blog where id=#{id} </select>
打印出执行的sql语句,会看到sql是这样的:
select id,title,author,content from blog where id = ?
不管输入什么参数,打印出的sql都是这样的。
这是因为mybatis启用了预编译功能,在sql执行前,会先将上面的sql发送给数据库进行编译,执行时,直接使用编译好的sql,替换占位符“?”就可以了。
因为sql注入只能对编译过程起作用,所以像#{}这样预编译成?的方式就很好地避免了sql注入的问题
mybatis是如何做到sql预编译的呢?
其实在框架底层,是jdbc中的PreparedStatement类在起作用,PreparedStatement是我们很熟悉的Statement的子类,它的对象包含了编译好的sql语句。
这种“准备好”的方式不仅能提高安全性,而且在多次执行一个sql时,能够提高效率,原因是sql已编译好,再次执行时无需再编译
- 使用${}时
<select id="orderBlog" resultType="Blog" parameterType=”map”> select id,title,author,content from blog order by ${<!-- -->orderParam}</select>仔细观察,内联参数的格式由“#{<!-- -->xxx}”变为了${<!-- -->xxx}。如果我们给参数“orderParam”赋值为”id”,将sql打印出来,是这样的:select id,title,author,contet from blog order by id<select id="orderBlog" resultType="Blog" parameterType=”map”> select id,title,author,content from blog order by ${orderParam} </select>
仔细观察,内联参数的格式由“#{xxx}”变为了${xxx}。如果我们给参数“orderParam”赋值为”id”,将sql打印出来,是这样的:
select id,title,author,contet from blog order by id
显然,这样是无法阻止sql注入的,参数会直接参与sql编译,从而不能避免注入攻击。但涉及到动态表名和列名时,只能使用“${}”这样的参数格式,所以,这样的参数需要我们在代码中手工进行处理来防止注入
3、 SpringBoot中如何防止XSS攻击和sql注入
对于Xss攻击和Sql注入,我们可以通过过滤器来搞定,可根据业务需要排除部分请求
①:创建Xss请求过滤类
XssAndSqlHttpServletRequestWrapper
import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.util.StreamUtils; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStreamReader; import java.util.*; import java.util.regex.Pattern; /** * @author code * @version 1.0 * @Date 2023/2/7 10:38 * @Description ${DESCRIPTION} */ public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper { private final Logger logger = LoggerFactory.getLogger(XssAndSqlHttpServletRequestWrapper.class); private String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+"; private Set<String> notAllowedKeyWords = new HashSet<String>(0); HttpServletRequest orgRequest = null; private Map<String, String[]> parameterMap; private final byte[] body; //用于保存读取body中数据 public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) throws IOException { super(request); orgRequest = request; parameterMap = request.getParameterMap(); body = StreamUtils.copyToByteArray(request.getInputStream()); String keyStr[] = key.split("\\|"); for (String str : keyStr) { notAllowedKeyWords.add(str); } } // 重写几个HttpServletRequestWrapper中的方法 /** * 获取所有参数名 * * @return 返回所有参数名 */ @Override public Enumeration<String> getParameterNames() { Vector<String> vector = new Vector<String>(parameterMap.keySet()); return vector.elements(); } /** * 覆盖getParameter方法,将参数名和参数值都做xss & sql过滤。<br> * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br> * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */ @Override public String getParameter(String name) { String[] results = parameterMap.get(name); if (results == null || results.length == 0) return null; else { String value = results[0]; if (value != null) { value = xssEncode(value); } return value; } } @Override public Map<String, String[]> getParameterMap() { Map<String,String[]> values = super.getParameterMap(); if(null == values){ return null; } Map<String,String[]> result = new HashMap<>(); for (String key : values.keySet()) { String encodedKey = xssEncode(key); int count = values.get(key).length; String[] encodedValues = new String[count]; for(int i = 0;i < count;i++){ encodedValues[i] = xssEncode(values.get(key)[i]); } result.put(encodedKey,encodedValues); } return result; } /** * 获取指定参数名的所有值的数组,如:checkbox的所有数据 接收数组变量 ,如checkobx类型 */ @Override public String[] getParameterValues(String name) { String[] results = parameterMap.get(name); if (results == null || results.length == 0) return null; else { int length = results.length; for (int i = 0; i < length; i++) { results[i] = xssEncode(results[i]); } return results; } } /** * 覆盖getHeader方法,将参数名和参数值都做xss & sql过滤。<br> * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br> * getHeaderNames 也可能需要覆盖 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引起xss & sql漏洞的半角字符直接替换成全角字符 * * @param s * @return */ private String xssEncode(String s) { if (s == null || s.isEmpty()) { return s; } else { s = stripXSSAndSql(s); } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append(">");// 转义大于号 break; case '<': sb.append("<");// 转义小于号 break; case '\'': sb.append("'");// 转义单引号 break; case '\"': sb.append(""");// 转义双引号 break; case '&': sb.append("&");// 转义& break; case '#': sb.append("#");// 转义# break; default: sb.append(c); break; } } return sb.toString(); } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态方法 * * @return */ @SuppressWarnings("unused") public HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssAndSqlHttpServletRequestWrapper) { return ((XssAndSqlHttpServletRequestWrapper) req).getOrgRequest(); } return req; } /** * * 防止xss跨脚本攻击(替换,根据实际情况调整) */ public String stripXSSAndSql(String value) { if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and // uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters /** value = value.replaceAll("", ""); ***/ // Avoid anything between script tags Pattern scriptPattern = Pattern.compile( "<[\r\n| | ]*script[\r\n| | ]*>(.*?)<!--[\r\n| | ]*script[\r\n| | ]*-->", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid anything in a // src="http://www.yihaomen.com/article/java/..." type of // e-xpression scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome tag scriptPattern = Pattern.compile("<!--[\r\n| | ]*script[\r\n| | ]*-->", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid e-xpression(...) expressions scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid οnlοad= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); } return value; } public boolean checkXSSAndSql(String value) { boolean flag = false; if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and // uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters /** value = value.replaceAll("", ""); ***/ // Avoid anything between script tags Pattern scriptPattern = Pattern.compile( "<[\r\n| | ]*script[\r\n| | ]*>(.*?)</[\r\n| | ]*script[\r\n| | ]*>", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid anything in a // src="http://www.yihaomen.com/article/java/..." type of // e-xpression scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Remove any lonesome </script> tag scriptPattern = Pattern.compile("<!--[\r\n| | ]*script[\r\n| | ]*-->", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Remove any lonesome <script ...> tag scriptPattern = Pattern.compile("<[\r\n| | ]*script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid e-xpression(...) expressions scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript[\r\n| | ]*:[\r\n| | ]*", Pattern.CASE_INSENSITIVE); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } // Avoid οnlοad= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); flag = scriptPattern.matcher(value).find(); if (flag) { return flag; } flag = checkSqlKeyWords(value); } return flag; } public boolean checkSqlKeyWords(String value){ String paramValue = value; for (String keyword : notAllowedKeyWords) { if (paramValue.length() > keyword.length() + 4 && (paramValue.contains(" "+keyword)||paramValue.contains(keyword+" ")||paramValue.contains(" "+keyword+" "))) { logger.error(this.getRequestURI()+ "参数中包含不允许sql的关键词(" + keyword + ")"); return true; } } return false; } public final boolean checkParameter() { @SuppressWarnings({ "unchecked", "rawtypes" }) Map<String, String[]> submitParams = new HashMap(parameterMap); Set<String> submitNames = submitParams.keySet(); for (String submitName : submitNames) { Object submitValues = submitParams.get(submitName); if ((submitValues instanceof String)) { if (checkXSSAndSql((String) submitValues)) { return true; } } else if ((submitValues instanceof String[])) { for (String submitValue : (String[])submitValues){ if (checkXSSAndSql(submitValue)) { return true; } } } } return false; } @Override public BufferedReader getReader() throws IOException { return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public ServletInputStream getInputStream() throws IOException { final ByteArrayInputStream bais = new ByteArrayInputStream(body); return new ServletInputStream() { @Override public int read() throws IOException { return bais.read(); } @Override public boolean isFinished() { // TODO Auto-generated method stub return false; } @Override public boolean isReady() { // TODO Auto-generated method stub return false; } @Override public void setReadListener(ReadListener arg0) { // TODO Auto-generated method stub } }; } }
②:把请求过滤类XssAndSqlHttpServletRequestWrapper添加到Filter中
注入容器
import com.fwpt.common.core.config.XssAndSqlHttpServletRequestWrapper; import org.apache.commons.lang3.StringUtils; import org.springframework.stereotype.Component; import javax.servlet.*; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import java.io.BufferedReader; import java.io.IOException; import java.io.PrintWriter; /** * @author code * @version 1.0 * @Date 2023/2/7 10:40 * @Description ${sql xss过滤器} */ @WebFilter @Component public class CrosXssFilter implements Filter { @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) servletRequest; //跨域设置 // if(servletResponse instanceof HttpServletResponse){ // HttpServletResponse httpServletResponse=(HttpServletResponse)servletResponse; // //通过在响应 header 中设置 ‘*' 来允许来自所有域的跨域请求访问。 // httpServletResponse.setHeader("Access-Control-Allow-Origin", "*"); // //通过对 Credentials 参数的设置,就可以保持跨域 Ajax 时的 Cookie // //设置了Allow-Credentials,Allow-Origin就不能为*,需要指明具体的url域 // //httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true"); // //请求方式 // httpServletResponse.setHeader("Access-Control-Allow-Methods", "*"); // //(预检请求)的返回结果(即 Access-Control-Allow-Methods 和Access-Control-Allow-Headers 提供的信息) 可以被缓存多久 // httpServletResponse.setHeader("Access-Control-Max-Age", "86400"); // //首部字段用于预检请求的响应。其指明了实际请求中允许携带的首部字段 // httpServletResponse.setHeader("Access-Control-Allow-Headers", "*"); // } XssAndSqlHttpServletRequestWrapper xssRequest=new XssAndSqlHttpServletRequestWrapper(request); String method = ((HttpServletRequest) request).getMethod(); String param = ""; if ("POST".equalsIgnoreCase(method)) { param = this.getBodyString(xssRequest.getReader()); if(StringUtils.isNotBlank(param)){ if(xssRequest.checkXSSAndSql(param)){ servletResponse.setCharacterEncoding("UTF-8"); servletResponse.setContentType("application/json;charset=UTF-8"); PrintWriter out = servletResponse.getWriter(); out.write("param is invalid"); return; } } } if (xssRequest.checkParameter()) { servletResponse.setCharacterEncoding("UTF-8"); servletResponse.setContentType("application/json;charset=UTF-8"); PrintWriter out = servletResponse.getWriter(); out.write("param is invalid"); return; } filterChain.doFilter(xssRequest, servletResponse); } // 获取request请求body中参数 public String getBodyString(BufferedReader br) { String inputLine; String str = ""; try { while ((inputLine = br.readLine()) != null) { str += inputLine; } br.close(); } catch (IOException e) { e.printStackTrace(); } return str; } @Override public void destroy() { } }
总结
以上为个人经验,希望能给大家一个参考,也希望大家多多支持脚本之家。