XSS(Cross-Site Scripting)和SQL注入是Web应用中的两大安全威胁。作为开发者,我们需要了解它们的本质、危害以及如何有效防护。
XSS攻击的核心在于攻击者通过未经过滤或转义的用户输入,将恶意脚本嵌入Web页面。这些脚本会在其他用户的浏览器中执行,导致数据泄露、Session劫持甚至远程控制等安全问题。主要攻击场景包括:
防止XSS的关键在于对用户输入数据进行适当的脱敏处理。常见措施包括:
SQL注入攻击通过将恶意SQL语句注入Web应用的查询参数中,绕过应用的安全控制,执行除用户预期外的数据库操作。当攻击者掌握数据库访问权限时,这种威胁尤其严重。常见攻击效果包括:
防止SQL注入的核心是确保敏感操作使用参数化查询或预编译语句。具体措施包括:
下面是Spring Boot项目中常用的防XSS和SQL注入的实现方案。
XssFilter类
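/**
 * Servlet filter that hands every request not listed in {@code urlExclusion} to the chain
 * wrapped in an {@link XssHttpServletRequestWrapper}, so that downstream code reads the
 * wrapper's filtered parameter, header and cookie values.
 *
 * <p>Exclusions are compared by exact equality with {@code HttpServletRequest.getServletPath()};
 * a request whose servlet path differs only by a trailing slash, or that carries extra path
 * info, does not match and is still wrapped.
 */
public class XssFilter implements Filter {

    private FilterConfig filterConfig;

    /** Servlet paths that bypass the wrapper; empty after construction, but the setter accepts null. */
    private List<String> urlExclusion;

    public XssFilter() {
        urlExclusion = new ArrayList<>();
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Passes excluded servlet paths through untouched; every other request continues down the
     * chain wrapped in {@link XssHttpServletRequestWrapper}.
     *
     * @throws ClassCastException if {@code request} is not an {@code HttpServletRequest}
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String servletPath = httpRequest.getServletPath();
        // Exact-match lookup; the null check covers a caller that set the list to null.
        if (urlExclusion != null && urlExclusion.contains(servletPath)) {
            chain.doFilter(request, response);
        } else {
            chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /** Returns the live exclusion list (not a copy); may be null if a caller set it so. */
    public List<String> getUrlExclusion() {
        return urlExclusion;
    }

    /** Replaces the exclusion list; null disables exclusions entirely. */
    public void setUrlExclusion(List<String> urlExclusion) {
        this.urlExclusion = urlExclusion;
    }
}

XssHttpServletRequestWrapper类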
/**
 * Request wrapper that runs {@link #filterParamString(String)} over parameter values, single
 * header values and cookie values before handing them to the application.
 *
 * <p>Both filter flags are initialised to {@code true} and set to {@code true} again in the
 * constructor; nothing in the visible part of the class changes them afterwards.
 *
 * <p>Only {@code getParameter}, {@code getParameterValues}, {@code getHeader} and
 * {@code getCookies} are overridden in the portion shown; other accessors of the wrapped
 * request (for example {@code getHeaders} or the request body) are not filtered here.
 *
 * <p>NOTE(review): this is input-side blocklist sanitisation. It does not stand in for
 * output encoding where values are written into HTML, nor for parameterised queries at the
 * database layer.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private boolean filterXSS = true;
    private boolean filterSQL = true;

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
        this.filterXSS = true;
        this.filterSQL = true;
    }

    /**
     * Returns a filtered copy of every value of {@code parameter}, or null when the wrapped
     * request has no such parameter.
     */
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        // Filter into a fresh array so the wrapped request's own array is left untouched.
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = filterParamString(values[i]);
        }
        return encodedValues;
    }

    /** Returns the filtered first value of {@code parameter}; null passes through as null. */
    public String getParameter(String parameter) {
        return filterParamString(super.getParameter(parameter));
    }

    /** Returns the filtered value of the header {@code name}; null passes through as null. */
    public String getHeader(String name) {
        return filterParamString(super.getHeader(name));
    }

    /**
     * Returns the wrapped request's cookies with each value filtered.
     *
     * <p>Unlike {@link #getParameterValues}, this mutates the {@link Cookie} objects in place via
     * {@code setValue}. If the wrapped request hands back the same instances on every call
     * (not shown here — verify against the container), repeated calls re-filter values that are
     * already filtered.
     */
    public Cookie[] getCookies() {
        Cookie[] cookies = super.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                cookie.setValue(filterParamString(cookie.getValue()));
            }
        }
        return cookies;
    }

    /**
     * Applies the XSS filter and then the SQL filter, each only when its flag is set.
     *
     * <p>{@code stripSQLInjection} is not present in the visible text of this class; what it
     * does to its input (including null) cannot be stated from here.
     */
    protected String filterParamString(String rawValue) {
        if (filterXSS) {
            rawValue = stripXSS(rawValue);
        }
        if (filterSQL) {
            rawValue = stripSQLInjection(rawValue);
        }
        return rawValue;
    }

    /**
     * Strips characters and fragments that are treated as XSS vectors; null is returned as null.
     *
     * <p>NOTE(review): in this copy the replacement strings read back as the search strings
     * ({@code "<"} to {@code "<"}, {@code ">"} to {@code ">"}), so as written those calls are
     * no-ops; the intended HTML entity replacements (e.g. {@code &lt;}) appear to have been lost
     * when the page was extracted, and {@code "&39;"} presumably lacks the {@code #} of
     * {@code "&#39;"}. The quote-handling call and the tail of the method are garbled and are
     * reproduced unchanged below, so this method cannot be relied on as shown — confirm against
     * the original source.
     */
    private static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // Replace characters or script tags that need to be removed
        value = value.replaceAll("<", "<")
            .replaceAll(">", ">")
            .replaceAll(""", """)
            .replaceAll("'", "&39;")
            // An unescaped '{' in a Java regex is normally rejected with PatternSyntaxException — confirm;
            // and because (.*) is greedy, a compiling version would drop everything from the first
            // '{' to the last '}', including legitimate JSON-like input.
            .replaceAll("({)(.*)(})", "")
            // Remainder of the method is extraction-garbled; left as found.
            .replaceAll("วง Precisely beams. return value; } الح"}

WafRequestWrapper类
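/**
 * Request wrapper whose XSS and SQL-injection filtering can each be switched on or off per
 * instance.
 *
 * <p>The original listing shows only the fields and constructors; the overridden accessors
 * and the filtering helpers are omitted there ("...") and are not reproduced here.
 */
public class WafRequestWrapper extends HttpServletRequestWrapper {

    private boolean filterXSS = true;
    private boolean filterSQL = true;

    /**
     * @param request   the request to wrap
     * @param filterXSS whether XSS filtering is applied to values read through this wrapper
     * @param filterSQL whether SQL-injection filtering is applied to those values
     */
    public WafRequestWrapper(HttpServletRequest request, boolean filterXSS, boolean filterSQL) {
        super(request);
        this.filterXSS = filterXSS;
        this.filterSQL = filterSQL;
    }

    /** Wraps {@code request} with both filters enabled. */
    public WafRequestWrapper(HttpServletRequest request) {
        // Delegate to the three-argument constructor. The original called super(request) and
        // then this(new WafRequestWrapper(request, true, true)): this(...) must be the first
        // statement and cannot follow super(...), and passing a wrapper to this one-argument
        // constructor would recurse without end.
        this(request, true, true);
    }

    // ... remaining members omitted in the original listing ...
}

总结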
XSS和SQL注入是Web安全中的常见威胁。通过合理的输入数据过滤、脱敏处理及使用安全框架,我们可以有效防范这些攻击。代码中的XssFilter和WafRequestWrapper提供了Spring Boot项目中常用的防护方法,确保用户输入的安全性,保护Web应用免受攻击。