Home >Java >javaTutorial >Example of xss injection implemented by HttpServletRequestWrapper in Java

Example of xss injection implemented by HttpServletRequestWrapper in Java

黄舟
黄舟Original
2018-05-28 15:03:162963browse

Here we will talk about our solution in the recent project, which mainly uses the org.apache.commons.lang3.StringEscapeUtils.escapeHtml4() method of the commons-lang3-3.1.jar package.

The solution process mainly consists of two steps: user input and display output: escaping special characters such as a8093152e673feb7aba1828c43532094" ' & during input, and using jstl's fn:excapeXml("fff") method during output .

Among them, filtering during input is implemented by a filter.

Implementation process:

Add a filter to web.xml

    <filter>  
            <filter-name>XssEscape</filter-name>  
            <filter-class>cn.pconline.morden.filter.XssFilter</filter-class>  
        </filter>  
        <filter-mapping>  
            <filter-name>XssEscape</filter-name>  
            <url-pattern>/*</url-pattern>  
            <dispatcher>REQUEST</dispatcher>  
        </filter-mapping>

XssFilter The implementation is to implement the servlet's Filter interface

    package cn.pconline.morden.filter;  
      
    import java.io.IOException;  
      
    import javax.servlet.Filter;  
    import javax.servlet.FilterChain;  
    import javax.servlet.FilterConfig;  
    import javax.servlet.ServletException;  
    import javax.servlet.ServletRequest;  
    import javax.servlet.ServletResponse;  
    import javax.servlet.http.HttpServletRequest;  
      
    public class XssFilter implements Filter {  
          
        @Override  
        public void init(FilterConfig filterConfig) throws ServletException {  
        }  
      
        @Override  
        public void doFilter(ServletRequest request, ServletResponse response,  
                FilterChain chain) throws IOException, ServletException {  
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);  
        }  
      
        @Override  
        public void destroy() {  
        }  
    }

The key is the implementation of XssHttpServletRequestWrapper, inherit the servlet's HttpServletRequestWrapper, and rewrite the corresponding several methods that may bring xss attacks, such as:

    package cn.pconline.morden.filter;  
      
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpServletRequestWrapper;  
      
    import org.apache.commons.lang3.StringEscapeUtils;  
      
    public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  
      
        public XssHttpServletRequestWrapper(HttpServletRequest request) {  
            super(request);  
        }  
      
        @Override  
        public String getHeader(String name) {  
            return StringEscapeUtils.escapeHtml4(super.getHeader(name));  
        }  
      
        @Override  
        public String getQueryString() {  
            return StringEscapeUtils.escapeHtml4(super.getQueryString());  
        }  
      
        @Override  
        public String getParameter(String name) {  
            return StringEscapeUtils.escapeHtml4(super.getParameter(name));  
        }  
      
        @Override  
        public String[] getParameterValues(String name) {  
            String[] values = super.getParameterValues(name);  
            if(values != null) {  
                int length = values.length;  
                String[] escapseValues = new String[length];  
                for(int i = 0; i < length; i++){  
                    escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);  
                }  
                return escapseValues;  
            }  
            return super.getParameterValues(name);  
        }  
          
    }

At this point, the input filtering is completed.

When displaying data on the page, simply use fn:escapeXml() to escape the output where XSS vulnerabilities may occur.

Display of complex content, specific issues will be analyzed in detail

In addition, if you do not want to display the filtered content in some cases, you can use the StringEscapeUtils.unescapeHtml4() method to replace StringEscapeUtils.escapeHtml4(). The characters after escaping are restored to their original appearance

.

The above is the detailed content of Example of xss injection implemented by HttpServletRequestWrapper in Java. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn