# 用JAVA Filter 修改XSS攻擊的漏洞 [參考網站](https://www.gushiciku.cn/pl/p54d/zh-tw) 首先需要引入JAR檔 ``` <dependency> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> <version>3.0-alpha-1</version> <scope>provided</scope> </dependency> ``` 需要建立這些檔案  建立Filter ```java=\ package inspector.online.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class XssFilter implements Filter { @Override public void destroy() { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { // 使用包裝器 XSSRequestWrapper XSSRequestWrapper = new XSSRequestWrapper((HttpServletRequest) servletRequest); filterChain.doFilter(XSSRequestWrapper, servletResponse); } @Override public void init(FilterConfig filterConfig) throws ServletException { } } ``` 建立Wrapper ```java=\ package inspector.online.filter; import java.util.HashMap; import java.util.Iterator; import java.util.Map; import java.util.Map.Entry; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang3.StringUtils; public class XSSRequestWrapper extends HttpServletRequestWrapper { public XSSRequestWrapper(HttpServletRequest request) { super(request); } // 對陣列引數進行特殊字元過濾 @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = clearXss(values[i]); } return encodedValues; } // 對引數中特殊字元進行過濾 @Override public String getParameter(String name) { String value = super.getParameter(name); if (value == null) { return null; } return clearXss(value); } // 覆蓋getParameterMap方法，將引數名和引數值都做xss & sql過濾 【一般post表單請求，或者前臺接收為實體需要這樣處理】 @SuppressWarnings({"rawtypes", "unchecked"}) @Override public Map getParameterMap() { Map<String, Object> paramMap = new HashMap<String, Object>(); Map<String, String[]> requestMap = super.getParameterMap(); Iterator<Entry<String, String[]>> it = requestMap.entrySet().iterator(); while (it.hasNext()) { Entry<String, String[]> entry = it.next(); if (entry.getValue().length == 1) { paramMap.put(xssEncode(entry.getKey()), xssEncode(entry.getValue()[0])); } else { String[] values = entry.getValue(); String value = ""; for (int i = 0; i < values.length; i++) { value = values[i] + ","; } value = value.substring(0, value.length() - 1); paramMap.put(xssEncode(entry.getKey()), xssEncode(entry.getValue()[0])); } } return paramMap; } // 獲取attribute, 特殊字元過濾 @Override public Object getAttribute(String name) { Object value = super.getAttribute(name); if (value != null && value instanceof String) { clearXss((String) value); } return value; } // 對請求頭部進行特殊字元過濾 @Override public String getHeader(String name) { String value = super.getHeader(name); if (value == null) { return null; } return clearXss(value); } //特殊字元處理（轉義或刪除） private String clearXss(String value) { if (StringUtils.isEmpty(value)) { return value; } // 字元編碼不一致，需要轉換。我們系統是UTF-8編碼，這裡不需要 /* * try { value = new String(value.getBytes("ISO8859-1"), "UTF-8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); return null; } */ return XssFilterUtil.stripXss(value); } //將容易引起xss漏洞的半形字元直接替換成全形字元 在保證不刪除資料的情況下儲存 private static String xssEncode(String value) { if (value == null || value.isEmpty()) { return value; } value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("<", "&lt;"); value = value.replaceAll(">", "&gt;"); value = value.replaceAll("'", "&apos;"); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", ""); value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", ""); value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", ""); value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", ""); // value = value.replaceAll("[<>{}\\[\\];\\&]",""); return value; } } ``` 建立Util ```java=\ package inspector.online.filter; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; import org.apache.commons.lang3.StringUtils; import org.apache.log4j.Logger; public class XssFilterUtil { private static final Logger log = Logger.getLogger(XssFilterUtil.class); private static List<Pattern> patterns = null; /** * @Title: XSS常見攻擊 * @methodName: getXssPatternList * @Description: Pattern.MULTILINE(? m)：在這種模式下，'^'和'$'分別匹配一行的開始和結束。此外，'^'仍然匹配字串的開始，'$'也匹配字串的結束。 預設情況下，這兩個表示式僅僅匹配字串的開始和結束。 * <p> * Pattern.DOTALL(?s) ：在這種模式下，表示式'.'可以匹配任意字元，包括表示一行的結束符。 預設情況下，表示式'.'不匹配行的結束符。 */ private static List<Object[]> getXssPatternList() { List<Object[]> ret = new ArrayList<Object[]>(); ret.add(new Object[] {"<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE}); ret.add(new Object[] {"</script>", Pattern.CASE_INSENSITIVE}); ret.add(new Object[] {"<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[] {"eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[] {"expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[] {"(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE}); ret.add(new Object[] {"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[] {"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[] { "<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); return ret; } // XSS常見攻擊-正則表示式 private static List<Pattern> getPatterns() { if (patterns == null) { List<Pattern> list = new ArrayList<Pattern>(); String regex = null; Integer flag = null; int arrLength = 0; for (Object[] arr : getXssPatternList()) { arrLength = arr.length; for (int i = 0; i < arrLength; i++) { regex = (String) arr[0]; flag = (Integer) arr[1]; list.add(Pattern.compile(regex, flag)); } } patterns = list; } return patterns; } // 處理特殊字元 public static String stripXss(String value) { if (StringUtils.isNotBlank(value)) { log.info("【XSS攻擊防禦】，接收字元是：" + value); Matcher matcher = null; for (Pattern pattern : getPatterns()) { matcher = pattern.matcher(value); // 匹配 if (matcher.find()) { // 刪除相關字串 value = matcher.replaceAll(""); } } log.info("【XSS攻擊防禦】，匹配正則是：" + matcher + "，處理後是：" + value); /** * 替換為轉移字元，類似HtmlUtils.htmlEscape */ // value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;"); // 刪除特殊符號 // String specialStr = "%20|=|!=|-|--|;|'|\"|%|#|+|//|/| |\\|<|>|(|)|{|}"; if (StringUtils.isNotBlank(value)) { String specialStr = "%20|=|!=|-|--|;|'|\"|%|#|[+]|//|/| |\\|<|>|(|)|{|}"; for (String str : specialStr.split("\\|")) { if (value.indexOf(str) > -1) { value = value.replaceAll(str, ""); } } log.info("【XSS攻擊防禦】，特殊符號處理後是：" + value); } } return value; } } ``` 最後在web.xml加上過濾器 ```xml <!-- 解決xss漏洞 --> <filter> <filter-name>xssFilter</filter-name> <filter-class>inspector.online.filter.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <!--過濾路徑 --> <url-pattern>*</url-pattern> </filter-mapping> <!-- 解決xss漏洞 --> ``` --- 如果要跟struts2整合在一起的話 web.xml要改成這樣 ```xml <!-- struts2 start --> <filter> <filter-name>struts2</filter-name> <!-- <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class> --> <filter-class>inspector.online.filter.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>struts2</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- struts2 end --> ``` 把原本的struts2 filter 的class註解掉，改成自己的 然後把自己寫的XssFilter 去繼承StrutsPrepareAndExecuteFilter ```java= package inspector.online.filter; import java.io.IOException; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter; public class XssFilter extends StrutsPrepareAndExecuteFilter { /** * 改寫 Filter 功能，使用新的 request 物件傳遞 */ @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { // 直接呼叫原有的方式，僅將 request 替換成 處理 xss 之 Request System.out.println("XssFilter doFilter"); super.doFilter(new XSSRequestWrapper((HttpServletRequest) req), res, chain); } } ``` 用postman去測試時，即可看到攻擊代碼被轉換掉了  ###### tags: `XSS`